EAR/ITAR Compliance Strategies. Network Performance Inc




Agenda
1. Overview of EAR/ITAR requirements
2. Impacts on computer systems and security
3. Data access policies and restrictions
4. Data marking/classification
5. Data encryption approaches
6. ITAR compliance & logging applications
7. Securing key components (AD, folders, wireless, mobile devices, email, media)
8. Data discard/destruction

We help our clients succeed by ensuring High performance communications Business continuity Privacy & Security Comprehensive & Flexible support

NPI at a Glance Founded in 1988, based in South Burlington, Vermont Customers throughout the Northeast Focused on computer network services and security Developers of SpamRejector service Staff certified by many leading IT manufacturers

Design Services Information Technology Planning IT Budgeting Techniques Network Designs Proposal Development Information Technology Staff Recruiting Project Planning

Connectivity Services Internet Connectivity Virtual Private Networks Remote Access Wide Area Networking Application Delivery Services Traffic Shaping and Monitoring Wireless Networking Convergence Services

Voice Services VoIP Readiness Assessments Bandwidth Analysis & Shaping Infrastructure Tuning QOS configuration ShoreTel VoIP system install & support Computer Telephone Integration

Network Services Network Review Server Installation Network Documentation & IP Addressing Switch & Router Installation Active Directory Development Wire Certification Backup & Storage Systems Messaging Systems Network Management Systems

Security Security reviews Firewall security Virus protection Intrusion detection & content filtering Spam filtering Forensics Managed security services Authentication

EAR/ITAR Services Active Directory hardening Improved user authentication IT physical security enhancements Password policy setting Monitoring and testing security Developing security policies Data encryption installation and configuration EAR/ITAR application installation

Support Services Network Administration Service Network Health Checks Remote Support and Expedited Response Pre-Purchased Time Time & Materials Fixed Priced Projects Network Assurance Plan A Fixed Priced contract covering key network elements server, router, switch, firewall Canopy

Canopy A fixed priced comprehensive outsourcing contract covering all IT services 24/7 remote network monitoring Patch management of servers and workstations Critical updates of servers, workstations, routers and switches Software distribution to servers and workstations Data backups of servers and workstations Updates for anti-virus protection of servers & workstations Same-day emergency service for repairs on servers, workstations, routers, and switches Remote diagnostics and repairs (eliminates travel costs) Regular trend analyses meetings

EAR/ITAR Regulations Overview

Relationship between EAR & ITAR Regulations
ITAR: military items (Dept of State)
EAR: dual-use products, i.e. commercial items that could have a military use (Dept of Commerce)
Standard requirements: required for ALL international transactions (multiple gov't agencies; example: denied party screening)

Goals of Export Control Law
- To prevent terrorism
- To curtail export of technologies that assist the military potential of adversaries
- To comply with trade agreements and prevent development of nuclear, chemical and biological weapons
Scope of Export Control Law
- Covers commercial & dual-use items on the Commerce Control List (CCL): hardware, software, technology
- Applies to all items that are physically present in the US, U.S.-origin items wherever located, and certain foreign-manufactured items containing U.S. components

Reasons Certain Exports are Controlled National Security (NS) Foreign Policy (FP) Proliferation (MT, NP, CB) Short Supply (SS) Anti-Terrorism (AT) Crime Control (CC) High Performance Computer (XP) Regional Stability (RS) UN Sanctions (UN)

Key EAR Definitions
Export: transferring anything to a FOREIGN PERSON by any means, anywhere, anytime, or the knowledge that what you are transferring to a U.S. PERSON will be further transferred to a FOREIGN PERSON. Releasing controlled technology to a foreign person inside the United States counts as an export (the "deemed export"), which is why IT access controls are an export-control matter at all.
Technical Data: may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, or read-only memories.
Controlled Technology: specific information required for the development, production, or use of a product which is itself controlled. The information takes the form of technical data or technical assistance.

Penalties for EAR Violations Civil fines up to $250,000 or twice the value of the transaction at issue, whichever is greater Civil penalties can accrue without knowledge of the violation Criminal penalties of up to $1 million Prison sentences up to twenty years Criminal charges cover persons who willfully commit, attempt to commit, conspire to commit, or aid or abet in the commission of a violation

International Traffic in Arms Regulations(ITAR) Overview Deals with the export and temporary import of defense articles and defense services (including controlled technical data) Applies to brokering activities by either U.S. or foreign entities and payments of commissions by or on behalf of U.S. entities

Key ITAR Definitions
U.S. Person:
- A U.S. citizen, by birth or naturalization
- A lawful permanent resident (Green Card holder)
- A protected individual, by asylum or as a refugee
- Any business or organization incorporated in the U.S., or any U.S. government entity (federal, state or local)
A non-U.S. Person (or Foreign National) is an individual, business or organization which cannot prove its status in one of the above categories with appropriate documentation.
Exporting:
- Sending or taking a defense article out of the United States
- Transferring control or ownership of an item covered by the USML to a foreign person, whether in the United States or abroad
- Disclosing (orally or visually) or transferring technical data to a foreign person, whether in the United States or abroad

Key ITAR Definitions(continued) Defense Article Any item or technical data designated in the USML, or An item specifically designed, developed, configured, adapted, or modified for a military application, and No predominant civil applications or performance equivalent Technical Data Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles This includes information in the form of blueprints, drawings, photographs, plans, instructions, or documentation Software directly related to defense articles

Penalties for ITAR Violations Criminal fines for corporations or individuals of up to $1 million per violation and/or imprisonment of up to ten years for willful violations Civil penalties for corporations or individuals of up to $500,000 per violation relating to unauthorized exports of defense articles or defense services Debarment from export of defense articles or defense services

Recent Violations and Penalties
- ITT: $100 million fine for exporting night vision goggles without an export license
- Hughes Network Systems: $5 million fine and 1-year debarment for unauthorized export of technical data, defense services, and defense articles to foreign employees
- Large U.S. sporting goods store: $750,000, negotiated down from $15M

Comparing EAR/ITAR Regulations

                 | ITAR                                                   | EAR
Statute          | Arms Export Control Act                                | Export Administration Act
Department       | U.S. Department of State                               | U.S. Department of Commerce
Office           | Directorate of Defense Trade Controls (DDTC)           | Bureau of Industry and Security (BIS)
Regulations      | International Traffic in Arms Regulations, 22 CFR 120-130 | Export Administration Regulations, 15 CFR 730-774
Control list     | United States Munitions List (USML)                    | Commerce Control List (CCL)
Items covered    | Defense articles                                       | Dual use and commercial

Bottom Line
- Engaging in international trade is a privilege, not a right.
- Compliance is essential to good business.
- Compliance is part of a company Code of Conduct and required by your Export/Import Compliance Policy.
- Anyone involved in an international transaction is required to understand the requirements of U.S. export control laws/regulations.
- Failure to comply can result in disciplinary action.

Impact of EAR/ITAR on Computer Systems

Information Protection Threats
Internal threats are just as prevalent as external threats; they fall into three groups.
Accidental: loss due to carelessness; system disposal or repurposing without a data wipe; system physically lost in transit
Intentional: data deliberately compromised; a foreign person gaining access to data they are not authorized for; offline attack on a lost/stolen laptop
Targeted: thief steals an asset for the value of its data; theft of a branch office server (high value and volume of data); theft of an executive's or engineer's laptop; direct attacks with specialized hardware

The Growing Threats to EAR/ITAR Data Business is increasingly mobile Laptops rapidly replacing desktops Laptops expected to grow to 68% of all computers by 2011 16,000 laptops lost or stolen per week in airports! Cheap storage continues to expand Standard laptop drives > 100GB 2GB USB drives cost < $20 More mobile data, more data to lose Users retain everything by default Mobility increases risk of theft

Branch Office Challenges Theft of server and/or its hard drives Re-provision or decommission of server or its hard drives Data theft via disk cloning by maintenance and outsourcing technicians Securing configured machines when shipping Physical security may be lax

Potential Consequences of a Data Breach Mobile data is vulnerable 56% of breaches due to lost laptop, removable media, or backup media Prevention is cost-effective Following a breach, encryption is most frequently deployed technology

Information Loss is Costly
Information loss, whether via theft or accidental leakage, is costly on several levels.
Financial: the U.S. Dept of Justice estimates that intellectual property theft cost enterprises over $250 billion; loss of revenue, market capitalization, and competitive advantage
Legal & regulatory compliance: increasing regulation (EAR/ITAR, SOX, HIPAA, GLBA); bringing a company into compliance can be complex and expensive; non-compliance can lead to significant legal fees, fines and/or settlements
Image & credibility: leaked executive e-mails can be embarrassing; unintended forwarding of sensitive information can adversely impact the company's image and/or credibility

EAR/ITAR Data Security Recommendations (the six control objectives follow the structure of the PCI DSS)
Build and maintain a secure network: install and maintain a firewall configuration to protect data; do not use vendor-supplied defaults for passwords and other security parameters
Protect sensitive data: protect stored data; encrypt transmission of sensitive data across public networks
Maintain a vulnerability management program: use and regularly update anti-malware software; develop and maintain secure systems and applications
Implement strong access control measures: restrict access to EAR/ITAR data by user; assign a unique ID to each person with computer access; restrict physical access to EAR/ITAR data
Regularly monitor and test networks: track and monitor all access to network resources and sensitive data; regularly test security systems and processes
Maintain an information security policy: maintain a policy that addresses information security

Common EAR/ITAR Myths #1: Breaches only happen to big firms Fact: Smaller firms are highly vulnerable and a frequent target because of their large numbers. They are also an easy target as they are typically the least technically sophisticated. #2: EAR/ITAR compliant firms cannot be breached. Fact: EAR/ITAR compliance is not a guarantee. Any firm can be breached at any time as security is a moving target #3: Written policies, user training and physical controls aren t important. Fact: Regulations cover not only data security but also the physical and written security policies. #4: Compliance is too expensive. Fact: Non-compliance can be very expensive if not catastrophic. Non-compliance can result in very high costs and lost business. #5: Compliance is getting easier. Fact: For small firms protecting sensitive data and maintaining a secure environment remains a complex endeavor.

Data Access Policies and Restrictions

Develop a Technology Control Plan (TCP)
Based on best practices; contains the required elements from the ITAR/EAR regulations. Key elements:
1. Commodity jurisdiction & classification
2. Physical security plan
3. Information security plan
4. Personnel screening/training

TCP Element #1: Commodity Jurisdiction & Classification
Proper classification is essential. The consequences of classification under EAR and ITAR are very different. Most manufacturers can make their own jurisdictional determinations when working with an ITAR lawyer/consultant. If you can't classify the item, draft and submit a Commodity Jurisdiction request.

TCP Element #2: Physical Security Plan
- Minimum "one lock" principle, sometimes more
- Use NISPOM & NIST as a guide
- Map out both restricted and closed areas
- Use key controls
- Enforce visitor logs
- Provide escorts for visitors

TCP Element #3: Information Security Plan
- Allow folder, firewall and backup access to U.S. persons only
- Enforce strict password policies
- Clean papers off desks, centralize storage, lock storage containers
- Provide security marking throughout
- Develop and publish data discard/destruction policy and procedures; follow NISPOM/NIST
- Enforce a secure email/mail policy
- Use secure web sites (https://), i.e. TLS; the older SSL protocol versions are deprecated and should be disabled on servers you control
- Use PGP to encrypt controlled files
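"Allow folder access to U.S. persons only" and "track and monitor all access to sensitive data" (from the recommendations above) only mean something if somebody reconciles the access log against the screening list. The script below is an added example, not code from the deck or from any product it names: it runs a constructed file-share access log against a hypothetical US-person allowlist and a list of controlled share paths and reports every event where an account outside the list read, wrote, or was denied access to controlled data. The account names, share paths and the comma-separated log layout are all assumptions for illustration; real Windows object-access events (ID 4663) carry the same fields in a different layout and need their own parser.

```python
"""Audit file-share access events against the US-person allowlist and the
folders marked as EAR/ITAR controlled.

Added example; it is not code from the deck. The log format, account names
and share paths are constructed for illustration. Real Windows object-access
events (ID 4663) carry the same fields in a different layout and need their
own parser; the decision logic below is what carries over.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the Technology Control Plan lists the shares that hold controlled data.
CONTROLLED_PREFIXES = (r"\\fs01\ITAR", r"\\fs01\EAR99-Tech")

# Assumption: export compliance supplies the screened US-person accounts, plus the
# service accounts that must also be operated by US persons (kept separate so
# reports can distinguish them).
US_PERSONS = {"CORP\\jsmith", "CORP\\mlee"}
PRIVILEGED_US_PERSONS = {"CORP\\svc-backup"}

# Constructed sample log: timestamp,account,action,path,result
SAMPLE_LOG = """\
2024-03-04T09:12:01Z,CORP\\jsmith,READ,\\\\fs01\\ITAR\\drawings\\mount-rev3.pdf,SUCCESS
2024-03-04T09:15:44Z,CORP\\rgarcia,READ,\\\\fs01\\ITAR\\drawings\\mount-rev3.pdf,SUCCESS
2024-03-04T09:16:02Z,CORP\\rgarcia,READ,\\\\fs01\\Public\\holiday-schedule.pdf,SUCCESS
2024-03-04T10:03:17Z,CORP\\mlee,WRITE,\\\\fs01\\EAR99-Tech\\specs\\power-supply.docx,SUCCESS
2024-03-04T11:40:55Z,CORP\\svc-backup,READ,\\\\fs01\\ITAR\\drawings\\mount-rev3.pdf,SUCCESS
2024-03-04T12:01:09Z,CORP\\tnguyen,READ,\\\\fs01\\ITARchive\\old\\readme.txt,SUCCESS
2024-03-04T12:02:09Z,CORP\\tnguyen,READ,\\\\fs01\\ITAR\\firmware\\boot.bin,FAILURE
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    account: str
    path: str
    severity: str   # "export" for a successful read/write, "attempt" for a denied one


def is_controlled(path: str) -> bool:
    """True if path is a controlled share or lies beneath one.

    Match whole path components, case-insensitively (Windows paths are
    case-insensitive), so a share named ITARchive does not count as ITAR.
    """
    p = path.lower().rstrip("\\")
    for prefix in CONTROLLED_PREFIXES:
        q = prefix.lower()
        if p == q or p.startswith(q + "\\"):
            return True
    return False


def audit(log_text: str) -> list[Finding]:
    """One finding per event where a non-allowlisted account touched, or tried
    to touch, controlled data."""
    allowed = US_PERSONS | PRIVILEGED_US_PERSONS
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _action, path, result = line.split(",", 4)
        if not is_controlled(path) or account in allowed:
            continue
        # A denied attempt still deserves a ticket: the ACL held, but someone
        # outside the allowlist knew where to look, which is a provisioning or
        # training gap. A success is a potential deemed export.
        severity = "export" if result == "SUCCESS" else "attempt"
        findings.append(Finding(ts, account, path, severity))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.severity:7} {f.timestamp} {f.account} {f.path}")
```

On the sample log this flags two events: the successful read by rgarcia (a possible deemed export to investigate) and the denied attempt by tnguyen. The component-wise prefix match matters: a naive `startswith` would also sweep in the unrelated ITARchive share and bury real findings in noise.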

TCP Element #4 Personnel Screening and Training Train all personnel with access to controlled items. Screen for nationality and restricted party lists Require all to attend export training A formal security training should happen at least once yearly. Required attendees include: clerks working with sensitive data managers with access to backend servers engineers involved with sensitive data cleaning staff with access to managers offices management

Policy Example: Physical Controls
Shred, incinerate, or pulp hardcopy materials so that sensitive data cannot be reconstructed. What does this mean in practice?
- Do you have notes with sensitive data?
- Do you shred reports when they are no longer needed?
- Do I have to use a third-party shredding company? No; self-certified shredding is acceptable.
- What other physical media holds sensitive data?
- Is your manager's office locked at all times?
- Are reports stored in a locked cabinet?

Data Marking/Classification

Data Marking & Classification
Step 1: Commodity Jurisdiction. A request is sent to the Department of State to determine which regulations apply. Submit one only when the determination is difficult; otherwise rely on in-house staff and 3rd-party consultants.
Step 2: Classification. Use the U.S. Munitions List to determine the classification (which regulations apply), then determine any further requirements and restrictions.
Step 3: Register with the Directorate of Defense Trade Controls.

Data Marking & Classification (continued)
Step 4: Determining Intent. How will the item be used? Sold; sent & returned (for repair); used as a component to build another item; used to aid in a service performed by a foreign person.
Step 5: Review of Exemptions or Application for a License or Agreement. Determine if an exemption is available; if no exemption applies, determine what type of license is needed.

Data Encryption Techniques

What should be encrypted?
- All sensitive data
- Hidden data: old files, temp files, browser cache, deleted file remnants
- All laptops, thumb drives and mobile devices
- Desktops holding sensitive data
- Wireless communications
- Data transmitted over the Internet
- Email
- Any device at risk of theft, exposure or eavesdropping

Encryption Technology Requirements Ability to do Whole Disk and Full Disk encryption Pre-boot/Pre-OS encryption File/folder encryption Strong encryption (AES 256) Both Windows & Mac OS X support Strong centralized management (configuration, keys, data recovery) Easy to install/uninstall Ease of use with minimal performance impact USB device support Excellent manufacturer support Recoverable keys, even when on the road Ability to easily integrate into existing architecture Throttled background encryption processing Fault Tolerance to abnormal shutdown Support for Suspend and Hibernation states

Local Data Protection Approaches
- File encryption: laptops, desktops
- Full disk encryption: laptops, desktops
- Encryption of removable media: USB-enabled devices (flash drives, iPods, Bluetooth devices, thumb drives, hard disks), CD/DVD writers
- Password and PIN controls: BlackBerry, other PDA devices
All of these rest on standards and data classification guidelines covering usage and protection, access control and encryption.

Using Encryption to Protect Mobile Data
Full disk encryption: encrypts all data on the drive; prevents access by unauthorized users; transparent to the user & applications; can qualify a lost device for the encryption safe harbor in breach notification laws (only if the key or passphrase was not lost along with it)
Removable media encryption: encrypts all data on easily lost devices; extends protection to data leaving the laptop
Best practice, central policy management: enforces consistent data protection; removes the user from the decision process; reports on the state of protection for auditors

Complete EAR/ITAR Data Protection & Security The goal is to secure data, wherever it goes Comprehensive strategy based on multiple technologies Encryption & key management play critical roles protecting data throughout enterprise and beyond

Best Encryption Architecture: client software, management server, enterprise directory
Whole disk encryption (client software): protect data without requiring user action; authenticate using Windows login; encrypt removable media automatically; augment security with two-factor authentication; easy, automatic operation
Central management server: configure policy enforcement centrally; control enabled/visible client functionality; track and report on disk encryption usage; authorize help desk to access encrypted data; enforced security policies
Microsoft Active Directory: integrate with the existing enterprise directory; automate enrollment using LDAP groups; assign encryption policy automatically; update encryption policy dynamically; accelerated deployment

Whole Disk Encryption Features Comprehensive full disk encryption Transparently defends all data on system Extends protection to removable drives Requires no change to the user experience Flexible strong authentication options Single sign-on using Windows login Optional two-factor authentication Authenticated, assured corporate access Painless lost passphrase recovery process Authenticated IT maintenance access Server management tools Enforces consistent application of policy Monitors deployment of encryption Locks down features available to the user

Encryption Technology Features Rapid Deployment Process Automate the installation process Streamline the configuration process Accelerate deployment schedule Defend more data in less time Enhanced Status Reporting Track failed login attempts Monitor removable media usage Audit deployment of disk encryption Report on policy compliance Expanded Client Controls Lock down which features are enabled Hide undesirable functionality from user Eliminate potential help desk questions Enforce encryption usage policy Increased Authentication Options RSA SID800 support, plus many more TPM-based two-factor authentication Authenticated IT help desk access option Meet corporate authentication standards

Encrypting Network Shared Files
Network file encryption: defends data at the source; prevents access by unauthorized users; transparent to the user & applications; can satisfy the encryption safe harbor in breach disclosure laws
Scalable, flexible, client-based protection: scales without requiring hardware; no changes to infrastructure; extends protection to backups, since the server and its backup media only ever hold ciphertext
Best practice, central policy management: enforces consistent data protection; removes the user from the decision process; reports on the state of protection for auditors

Email Encryption Technology
Email encryption: transparent user interface; prevents data leakage; protects data in motion
Protecting all data, including attachments: automatically and transparently encrypts all attachments; prevents access by unauthorized users; can satisfy the encryption safe harbor in breach disclosure laws
Best practice, central policy management: enforces consistent data protection; removes the user from the decision process; long-term access to data; reporting and logging for compliance

Encryption Implementation Concerns
- You might lock yourself out forever!
- Key management & distribution
- Password/passphrase protection
- Offline encryption/decryption
- Speed issues
- Export issues (encryption software is itself export-controlled under the EAR)
- Lack of centralized key management and recovery processes
- Establish clear data encryption and key management goals, criteria and policies
- Establish a communications plan for a systematic and smooth deployment
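The "lock yourself out forever" concern, the "recoverable keys" requirement and the "authorize help desk to access encrypted data" feature in the slides above all come down to one design: encrypt the data once under a random data-encryption key (DEK), then wrap that DEK separately for the user's passphrase and for an organizational recovery key held by the management server. The script below is an added example, not code from the deck or from any product it names. To stay runnable anywhere it uses only the standard library: the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, standing in for AES-256-GCM from a vetted library; `protect`, `open_with_passphrase`, `open_with_recovery` and `change_passphrase` are hypothetical names, and the recovery key is assumed to live on the management server or in an HSM, never beside the data.

```python
"""Envelope encryption with a recovery key: a forgotten passphrase does not
lock the data away forever, and a passphrase change never re-encrypts the
bulk data.

Added example, not code from the deck or from any product it names. The
cipher is HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, built
from the standard library only; a real deployment uses AES-256-GCM from a
vetted library, and keeps the recovery key in the management server or an
HSM, never next to the data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 100_000


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. key must be 32 random bytes."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Slow KDF so offline guessing against a stolen laptop image is expensive.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def protect(plaintext: bytes, passphrase: str, recovery_key: bytes) -> dict:
    """Encrypt once under a random DEK; wrap the DEK for the user and for recovery."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "user_wrapped_dek": encrypt(kek_from_passphrase(passphrase, salt), dek),
        "recovery_wrapped_dek": encrypt(recovery_key, dek),
        "data": encrypt(dek, plaintext),
    }


def open_with_passphrase(pkg: dict, passphrase: str) -> bytes:
    dek = decrypt(kek_from_passphrase(passphrase, pkg["salt"]), pkg["user_wrapped_dek"])
    return decrypt(dek, pkg["data"])


def open_with_recovery(pkg: dict, recovery_key: bytes) -> bytes:
    # Help-desk path: no passphrase needed. Possession of the recovery key, and
    # the audit trail around every use of it, is the entire control.
    dek = decrypt(recovery_key, pkg["recovery_wrapped_dek"])
    return decrypt(dek, pkg["data"])


def change_passphrase(pkg: dict, recovery_key: bytes, new_passphrase: str) -> dict:
    """Re-wrap the DEK under the new passphrase; the bulk data is untouched."""
    dek = decrypt(recovery_key, pkg["recovery_wrapped_dek"])
    salt = secrets.token_bytes(16)
    new_pkg = dict(pkg)
    new_pkg["salt"] = salt
    new_pkg["user_wrapped_dek"] = encrypt(kek_from_passphrase(new_passphrase, salt), dek)
    return new_pkg


if __name__ == "__main__":
    org_recovery_key = secrets.token_bytes(32)   # held by the management server
    pkg = protect(b"ITAR technical data", "correct horse", org_recovery_key)
    print(open_with_passphrase(pkg, "correct horse"))
    try:
        open_with_passphrase(pkg, "wrong passphrase")
    except ValueError as e:
        print("user path:", e)
    print("recovery path:", open_with_recovery(pkg, org_recovery_key))
```

Two properties are worth checking in your own product against this model: a wrong passphrase must fail closed (here the tag check on the wrapped DEK fails, so no partial plaintext is ever produced), and a passphrase reset must only re-wrap the DEK, otherwise help-desk recovery on a whole-disk volume would mean re-encrypting the whole disk.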

ITAR Compliance & Logging Applications

EAR/ITAR Compliance Application Examples

Product             | Cost                                  | Comments
Code Green          | $10,000 for 50 users                  | Scans for traffic. Somewhat difficult to deploy.
EMC Documentum      | $45,000 for 100 users                 | More for big firms. Expensive.
Fidelis Security    | $25,000                               | Focused on stopping traffic related to content use. Expensive.
GTB Inspector       | $50 per person                        | Focused on data leakage, not rights management.
NextLabs Enterprise | $6,500; $250 for policy enforcers     | Both DLP & DRM. Somewhat complicated to manage.
SafeNet HASP        | $5,000                                | Not practical for outside users/management.

EAR/ITAR Rights Management Secures content with strong encryption Protection cannot be removed Controls and audits data access Users work normally using their existing applications Defines authorized uses through workflows, directory groups, and user

Where Rights Management Fits In
(Diagram: controls plotted by granularity, from access controls up to usage controls, across data at rest, data in motion and data in use. Network security tools (firewalls, VPNs, ACLs), full disk encryption and encryption products protect data at rest; content filtering and monitoring and secure transport/delivery (SSL) protect data in motion; enterprise content management and enterprise rights management reach data in use, with ERM offering the finest-grained usage controls.)

How ERM Works
(Diagram: content from a LOB application, an ECM system or a file server is registered with the ERM server.)
1. Content is encrypted and usage rights are applied.
2. Different users receive different rights to the same protected content: read only; read & print; read, edit, print & offline use enabled with an expiration.
3. Offline use requires a periodic connection to the ERM server for rights renewal.
Content is protected at rest and in transit, and also while in use.

ERM System Considerations User adoption is the most important factor Expect resistance if difficult to use Protection goals must be enforced automatically Users must be aware protection is in effect Users want to work normally

Securing Key IT Components

Physical Access Compliance Employee Photo ID Badges Temporary Badges Visitor Badges Control with Receptionist Visitor Register Locked doors

Portable Computer Device Considerations
- Restrict access as much as possible
- Limit sensitive data storage
- Force encryption
- Limit wireless communications to known good networks
- Automatic backup
- Train users about theft/confiscation issues

Policy Example: Passwords
Goal: ensure proper user authentication and password management for users and administrators on all system components.
Settings (the slide splits these between required and recommended):
- Reset after 90 days; minimum of 7 characters
- Must be complex (numeric and alphabetic)
- 4-password history
- Lock accounts after 6 invalid attempts; unlock after 30 minutes
- No written passwords or storing them in the office area
- No sharing of passwords (including with an auditor who asks)
- No use of dictionary words
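The numbers in the policy above are easy to state and easy to get subtly wrong when enforced: history checks must compare hashes rather than stored plaintexts, a lockout must stop evaluating passwords entirely rather than just returning "wrong", and the counter must reset on success and on unlock. The class below is an added example, not code from the deck; in an Active Directory domain the same values are set through Group Policy or a fine-grained password policy rather than in application code. The `PasswordPolicy` and `Account` names, the per-account salt and the injectable clock (so the 30-minute unlock can be tested) are assumptions of this example.

```python
"""Enforce the slide's password policy in code: minimum 7 characters, letters
and digits, no reuse of the last 4 passwords, 90-day maximum age, lockout
after 6 failed attempts with automatic unlock after 30 minutes.

Added example, not from the deck. In an Active Directory domain these values
are set through Group Policy or a fine-grained password policy, not in
application code; this shows what each setting has to do and where the edge
cases are. The clock is injectable so the lockout timer can be tested.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MIN_LENGTH = 7
HISTORY = 4               # the current password plus the three before it
MAX_AGE = 90 * 24 * 3600  # seconds
LOCKOUT_THRESHOLD = 6
LOCKOUT_SECONDS = 30 * 60


def _digest(password: str, salt: bytes) -> bytes:
    # One salt per account so history entries can be compared hash-to-hash;
    # a slow KDF so a stolen database cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def complexity_ok(password: str) -> bool:
    """'Complex (numeric and alphabetic)': at least one letter and one digit."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


@dataclass
class Account:
    salt: bytes
    history: list[bytes]      # digests, oldest first; history[-1] is the current one
    changed_at: float
    failures: int = 0
    locked_until: float = 0.0


class PasswordPolicy:
    def __init__(self, clock=time.time):
        self.now = clock

    def _validate(self, password: str, acct: Account | None) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError(f"shorter than {MIN_LENGTH} characters")
        if not complexity_ok(password):
            raise ValueError("must contain both letters and digits")
        if acct is not None:
            candidate = _digest(password, acct.salt)
            if any(hmac.compare_digest(candidate, d) for d in acct.history[-HISTORY:]):
                raise ValueError(f"matches one of the last {HISTORY} passwords")

    def create(self, password: str) -> Account:
        self._validate(password, None)
        salt = secrets.token_bytes(16)
        return Account(salt, [_digest(password, salt)], self.now())

    def expired(self, acct: Account) -> bool:
        return self.now() - acct.changed_at > MAX_AGE

    def login(self, acct: Account, password: str) -> bool:
        now = self.now()
        if now < acct.locked_until:
            return False                    # locked: do not evaluate the password at all
        if acct.locked_until:
            acct.failures, acct.locked_until = 0, 0.0   # 30 minutes elapsed: auto-unlock
        if hmac.compare_digest(_digest(password, acct.salt), acct.history[-1]):
            acct.failures = 0               # a success resets the counter
            return True
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
        return False

    def change(self, acct: Account, old: str, new: str) -> None:
        if not self.login(acct, old):
            raise PermissionError("current password wrong or account locked")
        self._validate(new, acct)
        acct.history = (acct.history + [_digest(new, acct.salt)])[-HISTORY:]
        acct.changed_at = self.now()


if __name__ == "__main__":
    policy = PasswordPolicy()
    acct = policy.create("winter2024")
    for attempt in ["guess1", "guess2", "guess3", "guess4", "guess5", "guess6"]:
        policy.login(acct, attempt)
    print("locked out, correct password now rejected:", not policy.login(acct, "winter2024"))
```

Note that the lockout check comes before the hash comparison, so an attacker who has triggered the lockout learns nothing further, and that the account is unlocked by the clock alone; an administrator path that clears `locked_until` early would be a separate, audited operation.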

Discarding/Destruction of Data

Where Deleted Data May Reside
Unallocated space: clusters not currently assigned to any file. Deleting a file only returns its clusters to this pool; their contents remain until the operating system happens to reuse them.
File slack: space between the end of a file and the end of its last cluster, which can still hold the tail of whatever file occupied that cluster before.
Volume slack: space between the end of the partition and the end of the drive.

One Data Destruction Study
Purchased 236 used hard drives on eBay. Only 19% had been wiped/scrubbed so that data recovery was impossible. Most drives had only been formatted, FDISKed, or nothing at all. Seven held significant sensitive data.

Not Just Hard Drives Cell phones PDAs Thumb drives Floppy disks CDs/DVDs

What Doesn't Work
- Deleting the file
- Formatting the drive
- FDISKing the drive
- Installing a new operating system
What DOES Work
- Certain wiping programs
- Hardware devices
- Physical destruction

DOD Sanitization Standards Department of Defense 5220.22-M, National Industrial Security Program Operating Manual(NISPOM) A 100 page document with 2 paragraphs on data sanitization. Often cited as the standard for data sanitization. Does NOT specify any particular method of sanitization

National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization NIST publication 800-88 Designed to assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information. http://csrc.nist.gov/publications/nistpubs/800-88/nistsp800-88_rev1.pdf

Sanitization Methods
Disposal: discarding media without any other sanitization considerations.
Clearing: overwriting every byte on the drive once with a neutral character. Must not allow information to be retrieved by data, disk, or file recovery utilities.
Destroying: disintegration, incineration, pulverization, melting.

Option #1 Disposal Not recommended Highly likely data can be retrieved A breach of EAR/ITAR regulations

Option #2: Clearing (Overwriting)
Use either a pseudorandom overwrite or the pattern commonly sold as the "DoD 5220.22-M method" (three passes: a fixed character, its complement, then random data, with verification). The 35-pass scheme sometimes quoted here is the Gutmann method, not DoD 5220.22-M, and the NISPOM itself no longer specifies any overwrite pattern. NIST SP 800-88 regards a single verified overwrite pass as sufficient for modern magnetic drives. Overwriting is not a reliable clear for SSDs and flash media, because wear levelling leaves copies in blocks the host cannot address; for those use the drive's built-in sanitize/secure-erase command, cryptographic erase, or physical destruction.
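The three slides above (where deleted data resides, what doesn't work, and clearing by overwrite) describe one lifecycle, shown here as a single added example that is not from the deck. The `Volume` class is a deliberately simplified FAT/NTFS-style file system (fixed 64-byte clusters, a directory mapping names to cluster chains, a free list), built so you can watch a controlled file survive a delete, survive being partly overwritten by a new file (it lingers in that file's slack), survive a quick format, and finally disappear after one overwrite pass. The `remnants` search over the raw bytes is the same carving step a forensic tool performs on a real disk image; the file names and marker text are constructed.

```python
"""A miniature cluster-based volume showing why delete and format leave data
behind (in unallocated space and file slack) and why a single overwrite pass
removes it.

Added example, not from the deck. The volume is a simplification of a
FAT/NTFS-style file system: fixed 64-byte clusters, a directory mapping names
to cluster chains, and a free list. On a real disk image the same carving step
(search the raw bytes for a known marker) is what a forensic tool performs.
"""
from __future__ import annotations

import math
import secrets

CLUSTER = 64


class Volume:
    def __init__(self, clusters: int = 16):
        self.disk = bytearray(clusters * CLUSTER)              # raw bytes, as a forensic tool sees them
        self.directory: dict[str, tuple[int, list[int]]] = {}  # name -> (size, cluster chain)
        self.free = list(range(clusters))                       # free clusters, lowest reused first

    def write(self, name: str, data: bytes) -> None:
        needed = max(1, math.ceil(len(data) / CLUSTER))
        if needed > len(self.free):
            raise OSError("volume full")
        chain = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the remainder of the last
            # cluster (file slack) keeps whatever the previous occupant left.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (len(data), chain)

    def read(self, name: str) -> bytes:
        size, chain = self.directory[name]
        raw = b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)
        return raw[:size]

    def file_slack(self, name: str) -> bytes:
        """Bytes of the last cluster beyond the file's logical end."""
        size, chain = self.directory[name]
        used = size - (len(chain) - 1) * CLUSTER
        last = chain[-1]
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

    def delete(self, name: str) -> None:
        # "Deleting the file": drop the directory entry and free the clusters.
        # No data is touched; this is what every operating system delete does.
        _, chain = self.directory.pop(name)
        self.free = sorted(self.free + chain)

    def quick_format(self) -> None:
        # "Formatting the drive": fresh directory, every cluster free, data untouched.
        self.directory = {}
        self.free = list(range(len(self.disk) // CLUSTER))

    def clear(self, random_pass: bool = False) -> None:
        # "Clearing": one full overwrite pass with zeros or pseudorandom bytes.
        self.quick_format()
        n = len(self.disk)
        self.disk[:] = secrets.token_bytes(n) if random_pass else bytes(n)

    def remnants(self, marker: bytes) -> list[int]:
        """Offsets where marker survives anywhere on the raw disk (a simple carve)."""
        hits, start = [], 0
        while (i := self.disk.find(marker, start)) != -1:
            hits.append(i)
            start = i + 1
        return hits


def lifecycle() -> dict[str, bool]:
    """Write a controlled file, then delete, reuse, format and clear; report
    whether the marker is still recoverable after each step."""
    marker = b"ITAR-CONTROLLED"
    vol = Volume()
    vol.write("drawing.pdf", b"ITAR-CONTROLLED: mount bracket rev3 " * 3)  # 108 bytes, 2 clusters
    vol.delete("drawing.pdf")
    out = {"after_delete": bool(vol.remnants(marker))}
    vol.write("memo.txt", b"lunch at noon")   # reuses cluster 0, overwrites only 13 bytes of it
    out["in_slack_of_new_file"] = marker in vol.file_slack("memo.txt")
    vol.quick_format()
    out["after_format"] = bool(vol.remnants(marker))
    vol.clear()
    out["after_clear"] = bool(vol.remnants(marker))
    return out


if __name__ == "__main__":
    for step, recoverable in lifecycle().items():
        print(f"{step:22} marker recoverable: {recoverable}")
```

The slack case is the one people forget: after the memo is written, the volume looks clean to the operating system (one small innocuous file), yet a carve of the raw bytes, or simply reading the memo's cluster to the end, recovers most of the controlled drawing. Note too that `clear` overwrites every cluster, not just the free ones; a tool that only wipes unallocated space leaves file slack behind.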

Option #3 Destruction Options Disintegration. Incineration. Pulverization. Melting. Internal or External Get certificate of destruction

Additional Resources

5 Most Common First-time EAR/ITAR Mistakes
1. Classification: thinking products are dual use when they are ITAR
2. IT access: poor controls on widely used technical data
3. Personnel/employee training: lack of fundamental knowledge
4. Personnel/defense services: lack of controls on people providing defense services
5. License/technical assistance agreements: not getting them signed, lack of understanding of provisos, poor communication with foreign licensees, poor record keeping

A Prioritized Approach to EAR/ITAR Compliance
1. Remove sensitive data: if you don't need it, don't store it
2. Protect the perimeter, internal & wireless networks
3. Secure the applications
4. Monitor & control access by limiting who is accessing the sensitive data
5. Protect stored data: if you must store it, apply controls
6. Focus on policies, process and procedures

Additional Tips for EAR/ITAR Improvement
- Encrypt all offsite media (backup tapes and USB devices)
- Examine applications for vulnerabilities
- Check logs for sensitive data and remove it
- Look for sensitive data in unencrypted files and databases
- Verify the strength of identity management and authentication
- Segment data by using network addresses or VLANs
- Check monitoring and the intrusion detection system (IDS)
- Check that PC drives don't store sensitive data
- Keep your PCs current with the latest patches and updates
- Make sure your PCs are configured securely
- Choose strong passwords and keep them safe
- Check paper reports and remove data that is no longer needed
- Use certificates between web, application and DB servers
- Document the flow of sensitive data

Contact Information
Team ITAR: John Burton, jburton@npi.net, x211
www.npi.net
800-639-6091
802-859-0808
Q & A