If you work in information security or IT audit (and I don’t mean IT SOX audit), I’d advise you to carry a “get-out-of-jail” (GOOJ) card at all times. In short, get permission before you do your dirty work.
If you are testing the security configuration of a network, system, or devices with security or cracker tools, you could end up on the wrong side of corporate policy, as most corporations forbid possession or use of such tools.
The good news is that if you don’t know the tools I’m referring to (I’ll touch on some of them in a future post), you most likely don’t need a GOOJ card. On the other screen, testing technology for vulnerabilities or misconfiguration doesn’t always require such tools. Many times, all you need is a browser (e.g., when testing for SQL injection). Even if you only use a browser for testing or probing, you’ll want a GOOJ card.
Back when I led a corporate security team, I made sure everyone on the team had a GOOJ card, and I think auditors who do this type of work should have a similar card. Auditors may be covered by the audit charter, but I would not rely on it unless it it is very specific.
What is a GOOJ card?
Basically, a GOOJ card says that you can scan, probe, poke, and break a network, system, or device, or even do more sneaky things, all for the benefit of the corporation (more on that in another post). It’s not actually a card per se, but a piece of paper that is signed by the appropriate senior leaders describing the “bad things” you can do to probe and protect your network, offices, and employees.
Why is a GOOJ card a good idea?
1) If your job description does not state that you can use security and hacker tools, you could get fired if corporate policy prohibits it. All it takes is one VP who wants you fired for any reason (even if you don’t find major holes in his systems), and this could be it. It has happened. Really.
2) You get caught by a physical security guard or someone else testing for vulnerabilities, dumpster diving, or working on an on-going investigation. During a four-year period, I had to use my GOOJ card 4 times.
3) You need to ask for help from IT, information security, physical security, or some other department to accomplish a task (usually during an investigation). When they give you that “are you crazy?” look, you show them the card, and you almost always get the help you need. And more importantly they keep it all confidential.
4) Without one, you could go to jail. Seriously. Always have permission before you poke.
Where do you keep a GOOJ card?
I always carry a copy of my card on my person. I keep a copy at my desk and the signed original in my safety deposit box, just in case I lost it or it was confiscated.
What needs to be on a GOOJ card?
I’ll cover that in my next post.