[ale] PI license required for IT security? [WAS: cabling and GA]

[Greg Freemyer]

On Tue, Mar 30, 2010 at 6:54 PM, Michael B. Trausch <mike at trausch.us> wrote:
> On 03/30/2010 05:40 PM, Greg Freemyer wrote:
>> Mike,
>>
>> My understanding is that you need a GA PI license if you are
>> collecting evidence or preparing reports in anticipation of their use
>> in a court or law, etc.
>>
>> Almost 100% of what I do is in anticipation of a lawsuit, so I have a
>> PI license personally and my company does corporately.
>
> I don't really do anything in _anticipation_ of it ending up in a
> lawsuit or court generally, but I suppose that I should probably see
> what's involved in getting such a license, just in the event that I find
> myself in a situation where I would be required to have one.  I very
> often answer questions like, "What was this employee doing on this
> system" that _could_ have potential legal ramifications, though none
> have actually had such ramifications yet.

I won't give you any legal advice except to say it is currently a
misdemeanor not a felony and to the best of my knowledge no one has
been charged with it practicing without a license for doing IT
security work.

OTOH: We typically work directly for lawyers and on occasion they ask
if we have a license because they don't want any evidence / reports we
produce to be tainted by the fact we are operating without a license.
And there is a letter written by the Sec. of State's office saying a
PI license is needed in GA to practice computer forensics (my field).

As to you getting a PI license, assuming you're not former law enforcement.

Step 1: get a personal license.  You provide fingerprints and some
money to the state.  They run a background and send you a license.
You have to work under the supervision of a PI agency.  (Not full
time, but when performing PI activities.)

Step 2: Every 2 years PI agency internally documents you received 15
hrs of PI training.  Records subject to audit by PI board, but I'm not
familiar with it ever happening.

Step 3:  Once you have 2 years experience you are allowed to take a
qualification test.  If you pass you can apply for a standalone agency
license with yourself as the "designated" person.  The designated
person has to be an officer/director in the agency.

Step 4: Hire people and have them get personal licenses under your
Agency license.

Step 5: Ensure they get their training every 2 years and document it.
(You can provide the training and define the curriculum).  You too
have to maintain your training, but it has to be from a third party.
I don't recall the curriculum details for the designated person.

FYI: I think the above is a bunch of crap as relates to IT security,
but it is the law.  And at least for Computer Forensics, it is follow
the law or be prepared to defend yourself in criminal court.

>> Currently it is a misdemeanor, but a few years ago the Governor had to
>> veto legislation make it a felony.  Apparently the CPA's mounted a
>> large effort to see it veto'd because they did not want it to be a
>> felony for them to do forensic accounting work without a PI license.
>> :)
>
> Wow.

Yeah, that's when I got my license.  For me it was relatively easy
because we work with PIs and former law enforcement all the time.
Former law enforcement are exempt from the 2-year training period.  We
have 4 former law enforcement on staff currently, and a couple of us
now that have met the 2-year training period.

>> I also think ER docs doing rape kits etc. currently are obligated to
>> have a PI license. (but I doubt any do.)
>>
>> Similarly I suspect any IT incident response teams that envision their
>> reports ending up in court should have a PI license.
>>
>> To highlight how weird things can get, I know of a person that was
>> arrested for port scanning a computer in GA.  I don't know the
>> details, but a quick google finds:
>>
>> http://www.internetlibrary.com/cases/lib_case37.cfm
>>
>> A key sentence is "After the meeting, Cherokee County terminated its
>> relationship with plaintiff, who was subsequently arrested for a
>> criminal attempt to commit computer trespass against defendant."
>
> Reading over that, I'm actually rather impressed at the sheer insanity
> in that article.  To make the claim that a rather simple port scan is
> itself an activity which can cause damage is off-the-wall, plainly and
> simply.  Now, a port scan that is done and then followed by an attempt
> to breach any of the services that are running is one thing, but if a
> system is so brittle that the mere act of a port scan causes damage,
> this is something that someone (like myself) doing a port scan would
> have no reasonable expectation of, and certainly no intent to do damage
> by the port scan itself.
>
> It looks to me like the port scanning party was just looking to ensure
> that the subsequent things it was asked to do would be workable.  It
> seems to me that they were being responsible.
>
> I guess I should really harden my contracts with clients.
>

One specific I would add is that if you are subpoenaed to produce
documents / testify, then all effort involved in same will be billed
at your normal rate to your client.

I've heard of fellow forensic firms that had that happen, but did not
have a similar clause.  They ended up doing a bunch of work with no
client to bill.

We have the clause and have had to invoke it a few times now.

Greg