
How to handle a zero-day attack – from lawyers

David Taber | April 11, 2016
We all know about zero-day attacks. But what about when the zero-day attack is in the form of a subpoena or other legal notice regarding the data in your CRM system? Don’t panic.

Actually, what you will need is almost never all in the backups…and even if it is, the first thing for you to do is find the snapshots of the entire system data and metadata for the relevant time periods, and get those snapshots onto write-once media.  Yes, really.  You want to have a copy that can’t be messed with.  If you can’t find the backup files for the relevant period, create write-once media copies of the closest versions before and after the time period.  The next thing you do is create another full data and metadata snapshot of the current production system (hopefully, into a sandbox) and sequester that snapshot so that only a couple of people can log in to it. 
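The selection rule above (snapshots from the relevant period, otherwise the closest one before and after it) can be scripted, as in this added example, which is not from the original article. Recording a SHA-256 manifest before the copy to write-once media is an assumption added here so the copies can be re-verified later; the function names, file names and dates are hypothetical.

```python
import hashlib, tempfile
from datetime import date
from pathlib import Path

def select_snapshots(catalog, start, end):
    """catalog: [(snapshot_date, path)]. Return the entries to preserve."""
    ordered = sorted(catalog, key=lambda e: e[0])
    inside = [e for e in ordered if start <= e[0] <= end]
    if inside:
        return inside
    # Nothing from the relevant period: keep the closest snapshot on each side.
    before = [e for e in ordered if e[0] < start]
    after = [e for e in ordered if e[0] > end]
    return before[-1:] + after[:1]

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(entries):
    """One 'digest  date  filename' line per snapshot, recorded before the copy."""
    return [f"{sha256_file(p)}  {d.isoformat()}  {Path(p).name}" for d, p in entries]

def verify_manifest(lines, directory):
    """Return the file names whose current hash no longer matches the manifest."""
    changed = []
    for line in lines:
        digest, _, name = line.split("  ", 2)
        if sha256_file(Path(directory) / name) != digest:
            changed.append(name)
    return changed

if __name__ == "__main__":
    # Constructed sample data: three fake export files with made-up dates.
    tmp = Path(tempfile.mkdtemp())
    catalog = []
    for day, name in [(date(2014, 12, 31), "crm-2014-12.zip"),
                      (date(2015, 6, 30), "crm-2015-06.zip"),
                      (date(2016, 1, 31), "crm-2016-01.zip")]:
        (tmp / name).write_bytes(name.encode())
        catalog.append((day, tmp / name))
    keep = select_snapshots(catalog, date(2015, 7, 15), date(2015, 12, 15))
    manifest = build_manifest(keep)
    print("\n".join(manifest))
    print("changed since manifest:", verify_manifest(manifest, tmp))
```

Keep the manifest apart from the media it describes, so a later check of the write-once copy does not depend on the copy itself.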

Once that’s done, schedule a meeting with your attorneys to understand the nature of information they need to discover in the CRM and the kind of analysis they want done.  In that meeting, you should brief them on the basics of the CRM system:  what data is in there, what data is missing, what basic system terms mean (like, “what’s a lead vs a contact?”), and how meaningful the data is (or, more likely, isn’t).  

You should also brief them on who had administrative access during the relevant time period and what your users’ data access privileges are (and what that implies about possible data manipulation).  Discuss with them who should/should not have access to the snapshots and analytics.  Discuss with them who should be actually doing the analysis (most likely, an outside expert). 

Catalog your backups and archives

Typically, companies don’t know what backups, archives, and audit trails they have for their CRM system.  Because CRM data changes so rapidly, the systems are weak about handling history (e.g., “can you show me what these records looked like 17 months ago?”).  So, here’s what you’re looking for: 

  • The user login history table
  • The administrative change log history table
  • The change audit trails for each relevant object
  • The historical snapshots of all data in the system
  • The historical snapshots of all metadata
  • If your CRM administrators use a configuration control or ticketing system, the data from that system.  If they use paper, the log books for the relevant period.
  • If you have an ILP/DLP product monitoring Salesforce data, the report-run and data-download logs from that product. 

Unfortunately, most companies don’t regularly capture the data above, or they throw it out after a year or so.  This is dumb city, as most suits come years after that (I’m working on one right now that is regarding data from 10 years ago). 

If you simply don’t have this data and use Salesforce, the company may be able to reconstruct much of the information from their internal archives.  However, this is not a standard service – it’s a consulting project, and can be an extremely expensive one.  If you’re missing the historical info, you’d better just hope that opposing counsel hasn’t read this article … because they can compel you to spend mightily on a data reconstruction project. 

 
