(Ebook) CIS Critical Security Controls by Center for Internet Security
Introduction
The CIS Critical Security Controls® (CIS Controls®) started as a
simple grassroots activity to identify the most common and
important real-world cyber-attacks that affect enterprises every day,
translate that knowledge and experience into positive, constructive
action for defenders, and then share that information with a wider
audience. The original goals were modest—to help people and
enterprises focus their attention and get started on the most
important steps to defend themselves from the attacks that really
mattered.
Led by the Center for Internet Security® (CIS®), the CIS Controls
have matured into an international community of volunteer
individuals and institutions that:
Share insights into attacks and attackers, identify root causes,
and translate that into classes of defensive action
Create and share tools, working aids, and stories of adoption
and problem-solving
Map the CIS Controls to regulatory and compliance frameworks
in order to ensure alignment and bring collective priority and
focus to them
Identify common problems and barriers (like initial assessment
and implementation roadmaps), and solve them as a community
The Structure of CIS Controls
The presentation of each Control in this document includes the
following elements:
Overview. A brief description of the intent of the Control and
its utility as a defensive action
Why is this Control critical? A description of the importance
of this Control in blocking, mitigating, or identifying attacks, and
an explanation of how attackers actively exploit the absence of
this Control
Procedures and tools. A more technical description of the
processes and technologies that enable implementation and
automation of this Control
Safeguard descriptions. A table of the specific actions that
enterprises should take to implement the Control
The 18 CIS Critical Security Controls
Formerly the SANS Critical Security Controls (SANS Top 20), these are
now officially called the CIS Critical Security Controls (CIS Controls).
CIS Controls Version 8 combines and consolidates the CIS Controls
by activities, rather than by who manages the devices. Physical
devices, fixed boundaries, and discrete islands of security
implementation are less important; this is reflected in v8 through
revised terminology and grouping of Safeguards, resulting in a
decrease of the number of Controls from 20 to 18.
The 18 Controls are:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and
Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
The 3 CIS Critical Security Implementation Groups
IG1
An IG1 enterprise is small to medium-sized with limited IT and
cybersecurity expertise to dedicate towards protecting IT assets and
personnel. The principal concern of these enterprises is to keep the
business operational, as they have a limited tolerance for downtime.
The sensitivity of the data that they are trying to protect is low and
principally surrounds employee and financial information.
Safeguards selected for IG1 should be implementable with limited
cybersecurity expertise and aimed to thwart general, non-targeted
attacks. These Safeguards will also typically be designed to work in
conjunction with small or home office commercial off-the-shelf
(COTS) hardware and software.
IG2 (Includes IG1)
An IG2 enterprise employs individuals responsible for managing and
protecting IT infrastructure. These enterprises support multiple
departments with differing risk profiles based on job function and
mission. Small enterprise units may have regulatory compliance
burdens. IG2 enterprises often store and process sensitive client or
enterprise information and can withstand short interruptions of
service. A major concern is loss of public confidence if a breach
occurs.
Safeguards selected for IG2 help security teams cope with increased
operational complexity. Some Safeguards will depend on enterprise-
grade technology and specialized expertise to properly install and
configure.
IG3 (Includes IG1 and IG2)
An IG3 enterprise employs security experts that specialize in the
different facets of cybersecurity (e.g., risk management, penetration
testing, application security). IG3 assets and data contain sensitive
information or functions that are subject to regulatory and
compliance oversight. An IG3 enterprise must address availability of
services and the confidentiality and integrity of sensitive data.
Successful attacks can cause significant harm to the public welfare.
Safeguards selected for IG3 must abate targeted attacks from a
sophisticated adversary and reduce the impact of zero-day attacks.
CIS Critical Security Control 1: Inventory and Control of Enterprise Assets
Overview
Actively manage (inventory, track, and correct) all enterprise assets
(end-user devices, including portable and mobile; network devices;
non-computing/Internet of Things (IoT) devices; and servers)
connected to the infrastructure physically, virtually, remotely, and
those within cloud environments, to accurately know the totality of
assets that need to be monitored and protected within the
enterprise. This will also support identifying unauthorized and
unmanaged assets to remove or remediate.
Why is this Control critical?
Enterprises cannot defend what they do not know they have.
Managed control of all enterprise assets also plays a critical role in
security monitoring, incident response, system backup, and recovery.
Enterprises should know what data is critical to them, and proper
asset management will help identify those enterprise assets that
hold or manage this critical data, so that appropriate security
controls can be applied.
External attackers are continuously scanning the internet address
space of target enterprises, premise-based or in the cloud,
identifying possibly unprotected assets attached to an enterprise’s
network. Attackers can take advantage of new assets that are
installed, yet not securely configured and patched. Internally,
unidentified assets can also have weak security configurations that
can make them vulnerable to web- or email-based malware; and,
adversaries can leverage weak security configurations for traversing
the network, once they are inside.
Additional assets that connect to the enterprise’s network (e.g.,
demonstration systems, temporary test systems, guest networks)
should be identified and/or isolated in order to prevent adversarial
access from affecting the security of enterprise operations.
Large, complex, dynamic enterprises understandably struggle with
the challenge of managing intricate, fast-changing environments.
However, attackers have shown the ability, patience, and willingness
to “inventory and control” our enterprise assets at very large scale in
order to support their opportunities.
Another challenge is that portable end-user devices will periodically
join a network and then disappear, making the inventory of currently
available assets very dynamic. Likewise, cloud environments and
virtual machines can be difficult to track in asset inventories when
they are shut down or paused.
Another benefit of complete enterprise asset management is
supporting incident response, both when investigating the
origination of network traffic from an asset on the network and
when identifying all potentially vulnerable, or impacted, assets of
similar type or location during an incident.
Procedures and tools
This CIS Control requires both technical and procedural actions,
united in a process that accounts for, and manages the inventory of,
enterprise assets and all associated data throughout its life cycle. It
also links to business governance through establishing data/asset
owners who are responsible for each component of a business
process. Enterprises can use large-scale, comprehensive enterprise
products to maintain IT asset inventories. Smaller enterprises can
leverage security tools already installed on enterprise assets or used
on the network to collect this data. This includes doing a discovery
scan of the network with a vulnerability scanner; reviewing anti-
malware logs, logs from endpoint security portals, network logs from
switches, or authentication logs; and managing the results in a
spreadsheet or database.
Maintaining a current and accurate view of enterprise assets is an
ongoing and dynamic process. Even for enterprises, there is rarely a
single source of truth, as enterprise assets are not always
provisioned or installed by the IT department. The reality is that a
variety of sources need to be “crowd-sourced” to determine a high-
confidence count of enterprise assets. Enterprises can actively scan
on a regular basis, sending a variety of different packet types to
identify assets connected to the network. In addition to asset
sources mentioned above for small enterprises, larger enterprises
can collect data from cloud portals and logs from enterprise
platforms such as: Active Directory (AD), Single Sign-On (SSO),
Multi-Factor Authentication (MFA), Virtual Private Network (VPN),
Intrusion Detection Systems (IDS) or Deep Packet Inspection (DPI),
Mobile Device Management (MDM), and vulnerability scanning tools.
Property inventory databases, purchase order tracking, and local
inventory lists are other sources of data to determine which devices
are connected. There are tools and methods that normalize this data
to identify devices that are unique among these sources.
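The reconciliation step described above, as an added example that is not part of the CIS document or any CIS tool: observations from two of the listed sources (DHCP server logs and switch MAC tables) are normalized so one device counts once, then compared against the approved inventory to produce the weekly "unauthorized asset" list (Safeguard 1.2) and the inventory updates (Safeguards 1.1 and 1.4). The inventory rows, log lines, ISC dhcpd and Cisco line formats and field names are constructed assumptions.

```python
"""Reconcile crowd-sourced asset observations against an approved inventory.

Added example, not CIS tooling. The inventory rows, the DHCP server log
lines and the switch MAC-address table below are all constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory with the Safeguard 1.1 fields: hardware address,
# machine name, owner, department, static IP (if any) and approval flag.
INVENTORY = [
    {"mac": "00:1A:2B:3C:4D:5E", "name": "fin-laptop-01", "owner": "jdoe",
     "dept": "Finance", "ip": "10.0.1.20", "approved": True},
    {"mac": "00:1A:2B:3C:4D:5F", "name": "hr-desk-07", "owner": "asmith",
     "dept": "HR", "ip": "10.0.1.31", "approved": True},
    {"mac": "00:1A:2B:AA:BB:CC", "name": "demo-box", "owner": "",
     "dept": "Sales", "ip": None, "approved": False},
]

# Constructed ISC dhcpd-style syslog lines (Safeguard 1.4 source).
DHCP_LOG = """\
Jan 12 08:01:02 dhcp1 dhcpd: DHCPACK on 10.0.1.20 to 00:1a:2b:3c:4d:5e (fin-laptop-01) via eth0
Jan 12 08:03:11 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to 00:1a:2b:3c:4d:5f (hr-desk-07) via eth0
Jan 12 08:05:40 dhcp1 dhcpd: DHCPACK on 10.0.1.90 to 3c:22:fb:12:34:56 (iphone) via eth0
"""
# Constructed Cisco-style "show mac address-table" output (switch log source).
SWITCH_MAC_TABLE = """\
 100    001a.2b3c.4d5e    DYNAMIC     Gi1/0/3
 100    001a.2baa.bbcc    DYNAMIC     Gi1/0/9
 200    3c22.fb12.3456    DYNAMIC     Gi1/0/12
"""

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))?", re.I)
CISCO_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


@dataclass
class Observation:
    mac: str
    source: str
    ip: Optional[str] = None
    hostname: Optional[str] = None
    location: Optional[str] = None


def normalize_mac(raw: str) -> str:
    """Canonical form so 001a.2b3c.4d5e and 00:1A:2B:3C:4D:5E count as one device."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(log: str) -> List[Observation]:
    out = []
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            out.append(Observation(normalize_mac(m.group(2)), "dhcp",
                                   ip=m.group(1), hostname=m.group(3)))
    return out


def parse_switch(table: str) -> List[Observation]:
    out = []
    for line in table.splitlines():
        m = CISCO_RE.match(line)
        if m:
            out.append(Observation(normalize_mac(m.group(2)), "switch",
                                   location=f"vlan{m.group(1)}/{m.group(3)}"))
    return out


def reconcile(inventory, observations) -> Tuple[Dict[str, List[str]], List[tuple]]:
    """Return (unauthorized MAC -> sources it was seen in, inventory updates).

    Unauthorized: seen on the network but absent from the inventory or not
    approved to connect (1.2). Update: approved asset whose observed address
    differs from the recorded one (1.1, 1.4).
    """
    by_mac = {normalize_mac(r["mac"]): r for r in inventory}
    seen: Dict[str, List[Observation]] = {}
    for o in observations:
        seen.setdefault(o.mac, []).append(o)
    unauthorized: Dict[str, List[str]] = {}
    updates = []
    for mac, obs in seen.items():
        row = by_mac.get(mac)
        if row is None or not row["approved"]:
            unauthorized[mac] = sorted({o.source for o in obs})
            continue
        for o in obs:
            if o.ip and o.ip != row["ip"]:
                updates.append((row["name"], "ip", row["ip"], o.ip))
    return unauthorized, updates


def weekly_review():
    """One review cycle over every source; returns the two work lists."""
    return reconcile(INVENTORY, parse_dhcp(DHCP_LOG) + parse_switch(SWITCH_MAC_TABLE))
```

Each source alone misses something (the demo box never took a DHCP lease; the phone has no switch-port owner), which is why the page insists on combining sources before deciding what is unauthorized.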
→ For cloud-specific guidance, refer to the CIS Controls Cloud
Companion Guide – https://www.cisecurity.org/controls/v8/
→ For tablet and smart phone guidance, refer to the CIS
Controls Mobile Companion Guide –
https://www.cisecurity.org/controls/v8/
→ For IoT guidance, refer to the CIS Controls Internet of Things
Companion Guide – https://www.cisecurity.org/controls/v8/
→ For Industrial Control Systems (ICS) guidance, refer to the
CIS Controls ICS Implementation Guide –
https://www.cisecurity.org/controls/v8/
Safeguards
Number | Title | Asset Type | Security Function | IG1 | IG2 | IG3
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Devices | Identify | • | • | •
Establish and maintain an accurate, detailed, and up-to-date inventory of all
enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT
devices, and servers. Ensure the inventory records the network address (if static),
hardware address, machine name, enterprise asset owner, department for each
asset, and whether the asset has been approved to connect to the network. For
mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure
physically, virtually, remotely, and those within cloud environments. Additionally, it
includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and
update the inventory of all enterprise assets bi-annually, or more frequently.
1.2 | Address Unauthorized Assets | Devices | Respond | • | • | •
Ensure that a process exists to address unauthorized assets on a weekly basis.
The enterprise may choose to remove the asset from the network, deny the asset
from connecting remotely to the network, or quarantine the asset.
1.3 | Utilize an Active Discovery Tool | Devices | Detect |   | • | •
Utilize an active discovery tool to identify assets connected to the enterprise’s
network. Configure the active discovery tool to execute daily, or more frequently.
1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Devices | Identify |   | • | •
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address
management tools to update the enterprise’s asset inventory. Review and use logs
to update the enterprise’s asset inventory weekly, or more frequently.
1.5 | Use a Passive Asset Discovery Tool | Devices | Detect |   |   | •
Use a passive discovery tool to identify assets connected to the enterprise’s
network. Review and use scans to update the enterprise’s asset inventory at least
weekly, or more frequently.
CIS Critical Security Control 2: Inventory and Control of Software Assets
Overview
Actively manage (inventory, track, and correct) all software
(operating systems and applications) on the network so that only
authorized software is installed and can execute, and that
unauthorized and unmanaged software is found and prevented from
installation or execution.
Why is this Control critical?
A complete software inventory is a critical foundation for preventing
attacks. Attackers continuously scan target enterprises looking for
vulnerable versions of software that can be remotely exploited. For
example, if a user opens a malicious website or attachment with a
vulnerable browser, an attacker can often install backdoor programs
and bots that give the attacker long-term control of the system.
Attackers can also use this access to move laterally through the
network. One of the key defenses against these attacks is updating
and patching software. However, without a complete inventory of
software assets, an enterprise cannot determine if it has
vulnerable software, or if there are potential licensing violations.
Even if a patch is not yet available, a complete software inventory
list allows an enterprise to guard against known attacks until the
patch is released. Some sophisticated attackers use “zero-day
exploits,” which take advantage of previously unknown vulnerabilities
that have yet to have a patch released from the software vendor.
Depending on the severity of the exploit, an enterprise can
implement temporary mitigation measures to guard against attacks
until the patch is released.
Management of software assets is also important to identify
unnecessary security risks. An enterprise should review its software
inventory to identify any enterprise assets running software that is
not needed for business purposes. For example, an enterprise asset
may come installed with default software that creates a potential
security risk and provides no benefit to the enterprise. It is critical to
inventory, understand, assess, and manage all software connected
to an enterprise’s infrastructure.
Procedures and tools
Allowlisting can be implemented using a combination of commercial
allowlisting tools, policies, or application execution tools that come
with anti-malware suites and popular operating systems. Commercial
software inventory tools are widely available and used in many
enterprises today. The best of these tools provide an inventory
check of hundreds of common software packages used in enterprises. The
tools pull information about the patch level of each installed program
to ensure that it is the latest version and leverage standardized
application names, such as those found in the Common Platform
Enumeration (CPE) specification. One example of a method that can
be used is the Security Content Automation Protocol (SCAP).
Additional information on SCAP can be found here:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf
Features that implement allowlists are included in many modern
endpoint security suites and even natively implemented in certain
versions of major operating systems. Moreover, commercial solutions
are increasingly bundling together anti-malware, anti-spyware,
personal firewall, and host-based IDS and Intrusion Prevention
System (IPS), along with application allow and block listing. In
particular, most endpoint security solutions can look at the name, file
system location, and/or cryptographic hash of a given executable to
determine whether the application should be allowed to run on the
protected machine. The most effective of these tools offer custom
allowlists based on executable path, hash, or regular expression
matching. Some even include a non-malicious, yet unapproved,
applications function that allows administrators to define rules for
execution of specific software for certain users and at certain times
of the day.
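The allow/deny decision the paragraph describes, as an added example that is not code from CIS or from any allowlisting product: executables and scripts are judged by cryptographic hash, file system location, or regular expression, deny-by-default, with the path canonicalized before matching so a relative-path trick cannot borrow a trusted directory's rule. The rule schema, the file contents and the paths are constructed assumptions.

```python
"""Deny-by-default application allowlist decision (Safeguards 2.5 to 2.7).

Added example, not any product's engine. The rules, file paths and file
contents are constructed; real deployments take hashes from signed releases.
"""
import hashlib
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash" (SHA-256 hex), "path" (file or directory), "regex" (on path)
    value: str
    action: str  # "allow" or "deny"
    note: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(path: str) -> str:
    """Collapse '.' and '..' so /usr/bin/../../tmp/x cannot pass as /usr/bin/."""
    return posixpath.normpath(path)


# Constructed executables and scripts (contents stand in for real binaries).
APPROVED_SSH = b"ELF approved openssh client build 9.x"
UNSUPPORTED_TOOL = b"ELF legacy-tool 1.0, vendor support ended"

RULES = [
    Rule("hash", sha256_hex(APPROVED_SSH), "allow", "signed release hash"),
    Rule("hash", sha256_hex(UNSUPPORTED_TOOL), "deny", "unsupported, no exception (2.2)"),
    Rule("path", "/usr/bin", "allow", "package-managed binaries"),
    Rule("regex", r"^/opt/approved-scripts/[^/]+\.py$", "allow", "reviewed scripts (2.7)"),
    Rule("regex", r"/(Downloads|tmp)/.*\.(ps1|py|sh)$", "deny", "ad-hoc scripts (2.7)"),
]

# Evaluation order: most specific evidence first (hash, then path, then regex);
# within a tier a deny rule beats an allow rule. No match at all means deny.
_TIER = {"hash": 0, "path": 1, "regex": 2}


def decide(path: str, content: bytes, rules: Iterable[Rule]) -> Tuple[str, Optional[Rule]]:
    cpath = canonical(path)
    digest = sha256_hex(content)
    for rule in sorted(rules, key=lambda r: (_TIER[r.kind], r.action != "deny")):
        if rule.kind == "hash" and rule.value.lower() == digest:
            return rule.action, rule
        if rule.kind == "path":
            base = canonical(rule.value)
            if cpath == base or cpath.startswith(base.rstrip("/") + "/"):
                return rule.action, rule
        if rule.kind == "regex" and re.search(rule.value, cpath):
            return rule.action, rule
    return "deny", None


# Constructed execution attempts: (path, content) as an endpoint agent sees them.
ATTEMPTS = {
    "/usr/bin/ssh": APPROVED_SSH,
    "/usr/bin/legacy-tool": UNSUPPORTED_TOOL,
    "/usr/bin/ls": b"ELF coreutils ls",
    "/usr/bin/../../tmp/ls": b"ELF dropped binary",
    "/opt/approved-scripts/backup.py": b"#!/usr/bin/env python3\n",
    "/home/user/Downloads/setup.py": b"#!/usr/bin/env python3\n",
}


def evaluate_all(attempts: Dict[str, bytes], rules=RULES) -> Dict[str, str]:
    """Map each attempted path to 'allow' or 'deny' (what an agent would log)."""
    return {p: decide(p, c, rules)[0] for p, c in attempts.items()}
```

The unsupported tool is blocked even though it sits in an allowed directory, which is how a Safeguard 2.2 "unauthorized" designation becomes an enforced control rather than a spreadsheet entry.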
→ For cloud-specific guidance, refer to the CIS Controls Cloud
Companion Guide – https://www.cisecurity.org/controls/v8/
→ For tablet and smart phone guidance, refer to the CIS
Controls Mobile Companion Guide –
https://www.cisecurity.org/controls/v8/
→ For IoT guidance, refer to the CIS Controls Internet of Things
Companion Guide – https://www.cisecurity.org/controls/v8/
→ For Industrial Control Systems (ICS) guidance, refer to the
CIS Controls ICS Implementation Guide –
https://www.cisecurity.org/controls/v8/
Safeguards
Number | Title | Asset Type | Security Function | IG1 | IG2 | IG3
2.1 | Establish and Maintain a Software Inventory | Applications | Identify | • | • | •
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher,
initial install/use date, and business purpose for each entry; where appropriate,
include the Uniform Resource Locator (URL), app store(s), version(s), deployment
mechanism, and decommission date. Review and update the software inventory
bi-annually, or more frequently.
2.2 | Ensure Authorized Software is Currently Supported | Applications | Identify | • | • | •
Ensure that only currently supported software is designated as authorized in the
software inventory for enterprise assets. If software is unsupported, yet necessary
for the fulfillment of the enterprise’s mission, document an exception detailing
mitigating controls and residual risk acceptance. For any unsupported software
without exception documentation, designate as unauthorized. Review the
software list to verify software support at least monthly, or more frequently.
2.3 | Address Unauthorized Software | Applications | Respond | • | • | •
Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more frequently.
2.4 | Utilize Automated Software Inventory Tools | Applications | Detect |   | • | •
Utilize software inventory tools, when possible, throughout the enterprise to
automate the discovery and documentation of installed software.
2.5 | Allowlist Authorized Software | Applications | Protect |   | • | •
Use technical controls, such as application allowlisting, to ensure that only
authorized software can execute or be accessed. Reassess bi-annually, or more
frequently.
2.6 | Allowlist Authorized Libraries | Applications | Protect |   | • | •
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
2.7 | Allowlist Authorized Scripts | Applications | Protect |   |   | •
Use technical controls, such as digital signatures and version control, to ensure
that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to
execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.
CIS Critical Security Control 3: Data Protection
Overview
Develop processes and technical controls to identify, classify,
securely handle, retain, and dispose of data.
Why is this Control critical?
Data is no longer only contained within an enterprise’s border; it is in
the cloud, on portable end-user devices where users work from
home, and is often shared with partners or online services that
might have it anywhere in the world. In addition to sensitive data an
enterprise holds related to finances, intellectual property, and
customer data, there also might be numerous international
regulations for protection of personal data. Data privacy has become
increasingly important, and enterprises are learning that privacy is
about the appropriate use and management of data, not just
encryption. Data must be appropriately managed through its entire
life cycle. These privacy rules can be complicated for multi-national
enterprises of any size; however, there are fundamentals that can
apply to all.
Once attackers have penetrated an enterprise’s infrastructure, one of
their first tasks is to find and exfiltrate data. Enterprises might not
be aware that sensitive data is leaving their environment because
they are not monitoring data outflows.
While many attacks occur on the network, others involve physical
theft of portable end-user devices, attacks on service providers or
other partners holding sensitive data. Other sensitive enterprise
assets may also include non-computing devices that provide
management and control of physical systems, such as Supervisory
Control and Data Acquisition (SCADA) systems.
The enterprise’s loss of control over protected or sensitive data is a
serious and often reportable business impact. While some data is
compromised or lost as a result of theft or espionage, the vast
majority are a result of poorly understood data management rules,
and user error. The adoption of data encryption, both in transit and
at rest, can provide mitigation against data compromise, and, even
more important, it is a regulatory requirement for most controlled
data.
Procedures and tools
It is important for an enterprise to develop a data management
process that includes a data management framework, data
classification guidelines, and requirements for protection, handling,
retention, and disposal of data. There should also be a data breach
process that plugs into the incident response plan, and the
compliance and communication plans. To derive data sensitivity
levels, enterprises need to catalog their key types of data and the
overall criticality (impact to its loss or corruption) to the enterprise.
This analysis would be used to create an overall data classification
scheme for the enterprise. Enterprises may use labels, such as
“Sensitive,” “Confidential,” and “Public,” and classify their data
according to those labels.
Once the sensitivity of the data has been defined, a data inventory
or mapping should be developed that identifies software accessing
data at various sensitivity levels and the enterprise assets that house
those applications. Ideally, the network would be separated so that
enterprise assets of the same sensitivity level are on the same
network and separated from enterprise assets with different
sensitivity levels. If possible, firewalls need to control access to each
segment, and have user access rules applied to only allow those
with a business need to access the data.
For more comprehensive treatment of this topic, we suggest the
following resources to help the enterprise with data protection:
→ NIST® SP 800-88r1 Guidelines for Media Sanitization –
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
→ NIST® FIPS 140-2 –
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
→ NIST® FIPS 140-3 –
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
→ For cloud-specific guidance, refer to the CIS Controls Cloud
Companion Guide – https://www.cisecurity.org/controls/v8/
→ For tablet and smart phone guidance, refer to the CIS
Controls Mobile Companion Guide –
https://www.cisecurity.org/controls/v8/
Safeguards
Number | Title | Asset Type | Security Function | IG1 | IG2 | IG3
3.1 | Establish and Maintain a Data Management Process | Data | Identify | • | • | •
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise.
Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
3.2 | Establish and Maintain a Data Inventory | Data | Identify | • | • | •
Establish and maintain a data inventory, based on the enterprise’s data
management process. Inventory sensitive data, at a minimum. Review and update
inventory annually, at a minimum, with a priority on sensitive data.
3.3 | Configure Data Access Control Lists | Data | Protect | • | • | •
Configure data access control lists based on a user’s need to know. Apply data
access control lists, also known as access permissions, to local and remote file
systems, databases, and applications.
3.4 | Enforce Data Retention | Data | Protect | • | • | •
Retain data according to the enterprise’s data management process. Data
retention must include both minimum and maximum timelines.
3.5 | Securely Dispose of Data | Data | Protect | • | • | •
Securely dispose of data as outlined in the enterprise’s data management process.
Ensure the disposal process and method are commensurate with the data
sensitivity.
3.6 | Encrypt Data on End-User Devices | Devices | Protect | • | • | •
Encrypt data on end-user devices containing sensitive data. Example
implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
3.7 | Establish and Maintain a Data Classification Scheme | Data | Identify |   | • | •
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact
this Safeguard.
3.8 | Document Data Flows | Data | Identify |   | • | •
Document data flows. Data flow documentation includes service provider data
flows and should be based on the enterprise’s data management process. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
3.9 | Encrypt Data on Removable Media | Data | Protect |   | • | •
Encrypt data on removable media.
3.10 | Encrypt Sensitive Data in Transit | Data | Protect |   | • | •
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
3.11 | Encrypt Sensitive Data at Rest | Data | Protect |   | • | •
Encrypt sensitive data at rest on servers, applications, and databases containing
sensitive data. Storage-layer encryption, also known as server-side encryption,
meets the minimum requirement of this Safeguard. Additional encryption methods
may include application-layer encryption, also known as client-side encryption,
where access to the data storage device(s) does not permit access to the plain-
text data.
3.12 | Segment Data Processing and Storage Based on Sensitivity | Network | Protect |   |   | •
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
3.13 | Deploy a Data Loss Prevention Solution | Data | Protect |   |   | •
Implement an automated tool, such as a host-based Data Loss Prevention (DLP)
tool to identify all sensitive data stored, processed, or transmitted through
enterprise assets, including those located onsite or at a remote service provider,
and update the enterprise’s sensitive data inventory.
3.14 | Log Sensitive Data Access | Data | Detect |   |   | •
Log sensitive data access, including modification and disposal.
CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software
Overview
Establish and maintain the secure configuration of enterprise assets
(end-user devices, including portable and mobile; network devices;
non-computing/IoT devices; and servers) and software (operating
systems and applications).
Why is this Control critical?
As delivered from manufacturers and resellers, the default
configurations for enterprise assets and software are normally
geared towards ease-of-deployment and ease-of-use rather than
security. Basic controls, open services and ports, default accounts or
passwords, pre-configured Domain Name System (DNS) settings,
older (vulnerable) protocols, and pre-installation of unnecessary
software can all be exploitable if left in their default state. Further,
these security configuration updates need to be managed and
maintained over the life cycle of enterprise assets and software.
Configuration updates need to be tracked and approved through
configuration management workflow process to maintain a record
that can be reviewed for compliance, leveraged for incident
response, and to support audits. This CIS Control is important to on-
premises devices, as well as remote devices, network devices, and
cloud environments.
Service providers play a key role in modern infrastructures,
especially for smaller enterprises. They often are not set up by
default in the most secure configuration to provide flexibility for their
customers to apply their own security policies. Therefore, the
presence of default accounts or passwords, excessive access, or
unnecessary services are common in default configurations. These
could introduce weaknesses that are under the responsibility of the
enterprise that is using the software, rather than the service
provider. This extends to ongoing management and updates, as
some Platform as a Service (PaaS) offerings only extend to the
operating system, so patching and updating hosted applications are
the responsibility of the enterprise.
Even after a strong initial configuration is developed and applied, it
must be continually managed to avoid degrading security as
software is updated or patched, new security vulnerabilities are
reported, and configurations are “tweaked,” to allow the installation
of new software or to support new operational requirements.
Procedures and tools
There are many available security baselines for each system.
Enterprises should start with these publicly developed, vetted, and
supported security benchmarks, security guides, or checklists. Some
resources include:
→ The CIS Benchmarks™ Program –
http://www.cisecurity.org/cis-benchmarks/
→ The National Institute of Standards and Technology (NIST®)
National Checklist Program Repository –
https://nvd.nist.gov/ncp/repository
Enterprises should augment or adjust these baselines to satisfy
enterprise security policies, and industry and government regulatory
requirements. Deviations of standard configurations and rationale
should be documented to facilitate future reviews or audits.
For a larger or more complex enterprise, there will be multiple
security baseline configurations based on security requirements or
classification of the data on the enterprise asset. Here is an example
of the steps to build a secure baseline image:
1. Determine the risk classification of the data handled/stored on
the enterprise asset (e.g., high, moderate, low risk).
2. Create a security configuration script that sets system security
settings to meet the requirements to protect the data used on
the enterprise asset. Use benchmarks, such as the ones
described earlier in this section.
3. Install the base operating system software.
4. Apply appropriate operating system and security patches.
5. Install appropriate application software packages, tools, and
utilities.
6. Apply appropriate updates to software installed in Step 4.
7. Install local customization scripts to this image.
8. Run the security script created in Step 2 to set the appropriate
security level.
9. Run a SCAP compliant tool to record/score the system setting of
the baseline image.
10. Perform a security quality assurance test.
11. Save this base image in a secure location.
Commercial and/or free configuration management tools, such as
the CIS Configuration Assessment Tool (CIS-CAT®)
https://learn.cisecurity.org/cis-cat-lite, can be deployed to measure
the settings of operating systems and applications of managed
machines to look for deviations from the standard image
configurations. Commercial configuration management tools use
some combination of an agent installed on each managed system, or
agentless inspection of systems through remotely logging into each
enterprise asset using administrator credentials. Additionally, a
hybrid approach is sometimes used whereby a remote session is
initiated, a temporary or dynamic agent is deployed on the target
system for the scan, and then the agent is removed.
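The deviation check that such tools perform can be expressed in a few lines. The following is an added example, not CIS-CAT or any CIS tool: the baseline keys, the two collected snapshots and the rule kinds are constructed for this illustration, with the expected values taken from Safeguards 4.3, 4.6, 4.7, 4.8 and 4.9 below.

```python
"""Compare settings collected from managed assets against a secure baseline.

Added example, not a CIS tool. Setting names, the baseline and the two
asset snapshots are constructed; a real deployment would feed in what an
agent or a remote inspection session returns, as the text describes.
"""
from dataclasses import dataclass

# Constructed baseline for assets handling moderate-risk data. Each rule is
# (kind, expected): "eq" must match, "max" must not exceed, "subset" must
# contain nothing outside the expected set.
BASELINE_MODERATE = {
    "session_lock_minutes": ("max", 15),                   # 4.3: at most 15 minutes
    "telnet_enabled": ("eq", False),                       # 4.6: no insecure management
    "http_mgmt_enabled": ("eq", False),                    # 4.6
    "default_accounts_disabled": ("eq", True),             # 4.7
    "unused_services": ("subset", set()),                  # 4.8: nothing unnecessary left on
    "dns_servers": ("subset", {"10.0.0.53", "10.0.1.53"}),  # 4.9: enterprise resolvers only
}


@dataclass
class Deviation:
    asset: str
    setting: str
    expected: object
    actual: object


def _violates(rule, actual):
    kind, expected = rule
    if kind == "eq":
        return actual != expected
    if kind == "max":
        return actual is None or actual > expected
    if kind == "subset":
        return not set(actual or ()) <= set(expected)
    raise ValueError(f"unknown rule kind {kind!r}")


def check_asset(name, settings, baseline):
    """Return the deviations of one asset's collected settings from the baseline.

    A setting the collector did not return counts as a deviation: the control
    could not be confirmed, which is what a reviewer needs to know.
    """
    deviations = []
    for setting, rule in baseline.items():
        if setting not in settings:
            deviations.append(Deviation(name, setting, rule[1], "<not collected>"))
        elif _violates(rule, settings[setting]):
            deviations.append(Deviation(name, setting, rule[1], settings[setting]))
    return deviations


def check_fleet(fleet, baseline):
    """Map asset name -> deviations, listing only non-compliant assets."""
    report = {}
    for name, settings in fleet.items():
        deviations = check_asset(name, settings, baseline)
        if deviations:
            report[name] = deviations
    return report


# Constructed snapshots of two managed assets (what an agent would report).
FLEET = {
    "srv-01": {
        "session_lock_minutes": 10,
        "telnet_enabled": False,
        "http_mgmt_enabled": False,
        "default_accounts_disabled": True,
        "unused_services": set(),
        "dns_servers": {"10.0.0.53"},
    },
    "srv-02": {
        "session_lock_minutes": 30,                  # exceeds the 15 minute limit
        "telnet_enabled": True,                      # insecure management protocol
        "default_accounts_disabled": True,
        "unused_services": {"smb", "vsftpd"},        # services nobody uses
        "dns_servers": {"10.0.0.53", "192.0.2.53"},  # 192.0.2.53 is not a trusted resolver
        # http_mgmt_enabled was not collected at all
    },
}

if __name__ == "__main__":
    for asset, deviations in check_fleet(FLEET, BASELINE_MODERATE).items():
        for d in deviations:
            print(f"{d.asset}: {d.setting} expected {d.expected!r}, found {d.actual!r}")
```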
Safeguards
Number Title/Description Asset Type Security Function IG1 IG2 IG3
4.1 Establish and Maintain a Secure Configuration Process
Asset Type: Applications | Security Function: Protect | IG1, IG2, IG3
Establish and maintain a secure configuration process for enterprise assets (end-
user devices, including portable and mobile; non-computing/IoT devices; and
servers) and software (operating systems and applications). Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
Asset Type: Network | Security Function: Protect | IG1, IG2, IG3
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
4.3 Configure Automatic Session Locking on Enterprise Assets
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Configure automatic session locking on enterprise assets after a defined period of
inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
4.4 Implement and Manage a Firewall on Servers
Asset Type: Devices | Security Function: Protect | IG1, IG2, IG3
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-
party firewall agent.
4.5 Implement and Manage a Firewall on End-User Devices
Asset Type: Devices | Security Function: Protect | IG1, IG2, IG3
Implement and manage a host-based firewall or port-filtering tool on end-user
devices, with a default-deny rule that drops all traffic except those services and
ports that are explicitly allowed.
4.6 Securely Manage Enterprise Assets and Software
Asset Type: Network | Security Function: Protect | IG1, IG2, IG3
Securely manage enterprise assets and software. Example implementations
include managing configuration through version-controlled-infrastructure-as-code
and accessing administrative interfaces over secure network protocols, such as
Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use
insecure management protocols, such as Telnet (Teletype Network) and HTTP,
unless operationally essential.
4.7 Manage Default Accounts on Enterprise Assets and Software
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example
implementations can include: disabling default accounts or making them unusable.
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Asset Type: Devices | Security Function: Protect | IG1, IG2, IG3
Uninstall or disable unnecessary services on enterprise assets and software, such
as an unused file sharing service, web application module, or service function.
4.9 Configure Trusted DNS Servers on Enterprise Assets
Asset Type: Devices | Security Function: Protect | IG2, IG3
Configure trusted DNS servers on enterprise assets. Example implementations
include: configuring assets to use enterprise-controlled DNS servers and/or
reputable externally accessible DNS servers.
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
Asset Type: Devices | Security Function: Respond | IG2, IG3
Enforce automatic device lockout following a predetermined threshold of local
failed authentication attempts on portable end-user devices, where supported. For
laptops, do not allow more than 20 failed authentication attempts; for tablets and
smartphones, no more than 10 failed authentication attempts. Example
implementations include Microsoft® InTune Device Lock and Apple®
Configuration Profile maxFailedAttempts.
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
Asset Type: Devices | Security Function: Protect | IG2, IG3
Remotely wipe enterprise data from enterprise-owned portable end-user devices
when deemed appropriate such as lost or stolen devices, or when an individual no
longer supports the enterprise.
4.12 Separate Enterprise Workspaces on Mobile End-User Devices
Asset Type: Devices | Security Function: Protect | IG3
Ensure separate enterprise workspaces are used on mobile end-user devices,
where supported. Example implementations include using an Apple®
Configuration Profile or Android™ Work Profile to separate enterprise applications
and data from personal applications and data.
CIS Critical Security Control 5: Account Management
Overview
Use processes and tools to assign and manage authorization to
credentials for user accounts, including administrator accounts, as
well as service accounts, to enterprise assets and software.
Why is this Control critical?
It is easier for an external or internal threat actor to gain
unauthorized access to enterprise assets or data through using valid
user credentials than through “hacking” the environment. There are
many ways to covertly obtain access to user accounts, including:
weak passwords, accounts still valid after a user leaves the
enterprise, dormant or lingering test accounts, shared accounts that
have not been changed in months or years, service accounts
embedded in applications for scripts, a user having the same
password as one they use for an online account that has been
compromised (in a public password dump), social engineering a user
to give their password, or using malware to capture passwords or
tokens in memory or over the network.
Administrative, or highly privileged, accounts are a particular target,
because they allow attackers to add other accounts, or make
changes to assets that could make them more vulnerable to other
attacks. Service accounts are also sensitive, as they are often shared
among teams, internal and external to the enterprise, and
sometimes not known about, only to be revealed in standard
account management audits.
Finally, account logging and monitoring is a critical component of
security operations. While account logging and monitoring are
covered in CIS Control 8 (Audit Log Management), it is important in
the development of a comprehensive Identity and Access
Management (IAM) program.
Procedures and tools
Credentials are assets that must be inventoried and tracked like
enterprise assets and software, as they are the primary entry point
into the enterprise. Appropriate password policies and guidance not
to reuse passwords should be developed.
→ For guidance on the creation and use of passwords,
reference the CIS Password Policy Guide –
https://www.cisecurity.org/white-papers/cis-password-policy-guide/
Accounts must also be tracked; any account that is dormant must be
disabled and eventually removed from the system. There should be
periodic audits to ensure all active accounts are traced back to
authorized users of the enterprise asset. Look for new accounts
added since previous review, especially administrator and service
accounts. Close attention should be paid to identifying and tracking
administrative, or highly privileged, accounts and service accounts.
Users with administrator or other privileged access should have
separate accounts for those higher authority tasks. These accounts
would only be used when performing those tasks or accessing
especially sensitive data, to reduce risk in case their normal user
account is compromised. For users with multiple accounts, their base
user account, used day-to-day for non-administrative tasks, should
not have any elevated privileges.
Single Sign-On (SSO) is convenient and secure when an enterprise
has many applications, including cloud applications, which helps
reduce the number of passwords a user must manage. Users are
recommended to use password manager applications to securely
store their passwords, and should be instructed not to keep them in
spreadsheets or text files on their computers. MFA is recommended
for remote access.
→ An excellent resource is the NIST® Digital Identity Guidelines
– https://pages.nist.gov/800-63-3/
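The periodic account audit described above (dormant accounts, accounts that should have been closed, accounts without an owner, new privileged accounts since the last review) can be run directly against the inventory that Safeguard 5.1 requires. This is an added example, not a CIS tool; the inventory rows are constructed, and the last_login, privileged and type columns are assumptions beyond the minimum fields the Safeguard lists.

```python
"""Audit an account inventory as the Control 5 procedures describe.

Added example, not a CIS tool. The inventory rows are constructed; the
columns last_login, privileged and type go beyond the minimum fields that
Safeguard 5.1 lists and are assumptions for this example.
"""
import csv
import io
from datetime import date

DORMANT_DAYS = 45  # Safeguard 5.3: disable after 45 days of inactivity

# Constructed inventory: the 5.1 minimum fields plus the three assumed columns.
INVENTORY_CSV = """\
name,username,start_date,stop_date,department,last_login,privileged,type
Ada Lovelace,alovelace,2021-03-01,,Engineering,2024-05-30,no,user
Ada Lovelace,alovelace-adm,2021-03-01,,Engineering,2024-05-29,yes,user
Bob Tester,testbob,2023-11-15,,QA,2024-01-10,no,user
Carol Gone,cgone,2019-06-01,2024-04-30,Finance,2024-05-20,no,user
,svc-backup,2020-01-01,,,2024-05-31,yes,service
Dan New,dnew-adm,2024-05-25,,IT,2024-05-31,yes,user
"""
TODAY = date(2024, 6, 1)        # date of this review (constructed)
LAST_REVIEW = date(2024, 3, 1)  # previous quarterly review (5.1: at least quarterly)


def load_inventory(text):
    """Parse the CSV inventory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _date(value):
    return date.fromisoformat(value) if value else None


def audit_accounts(rows, today=TODAY, last_review=LAST_REVIEW):
    """Return {finding: sorted usernames} for the checks the text calls for.

    dormant         no login for more than DORMANT_DAYS (Safeguard 5.3)
    past_stop_date  the stop date has passed but the account is still listed
    unowned         no person or department owns the account (5.1, 5.5)
    new_privileged  privileged accounts created since the previous review
    """
    findings = {"dormant": [], "past_stop_date": [], "unowned": [], "new_privileged": []}
    for row in rows:
        user = row["username"]
        last_login = _date(row["last_login"])
        stop = _date(row["stop_date"])
        # An account with no recorded login at all is treated as dormant.
        if last_login is None or (today - last_login).days > DORMANT_DAYS:
            findings["dormant"].append(user)
        if stop is not None and stop <= today:
            findings["past_stop_date"].append(user)
        if not row["name"].strip() or not row["department"].strip():
            findings["unowned"].append(user)
        if row["privileged"] == "yes" and _date(row["start_date"]) > last_review:
            findings["new_privileged"].append(user)
    return {finding: sorted(users) for finding, users in findings.items()}


if __name__ == "__main__":
    for finding, users in audit_accounts(load_inventory(INVENTORY_CSV)).items():
        print(f"{finding:15} {', '.join(users) or '-'}")
```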
Safeguards
Number Title/Description Asset Type Security Function IG1 IG2 IG3
5.1 Establish and Maintain an Inventory of Accounts
Asset Type: Users | Security Function: Identify | IG1, IG2, IG3
Establish and maintain an inventory of all accounts managed in the enterprise.
The inventory must include both user and administrator accounts. The inventory,
at a minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring
schedule at a minimum quarterly, or more frequently.
5.2 Use Unique Passwords
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a
14-character password for accounts not using MFA.
5.3 Disable Dormant Accounts
Asset Type: Users | Security Function: Respond | IG1, IG2, IG3
Delete or disable any dormant accounts after a period of 45 days of inactivity,
where supported.
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email,
and productivity suite use, from the user’s primary, non-privileged account.
5.5 Establish and Maintain an Inventory of Service Accounts
Asset Type: Users | Security Function: Identify | IG2, IG3
Establish and maintain an inventory of service accounts. The inventory, at a
minimum, must contain department owner, review date, and purpose. Perform
service account reviews to validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
5.6 Centralize Account Management
Asset Type: Users | Security Function: Protect | IG2, IG3
Centralize account management through a directory or identity service.
CIS Critical Security Control 6: Access Control Management
Overview
Use processes and tools to create, assign, manage, and revoke
access credentials and privileges for user, administrator, and service
accounts for enterprise assets and software.
Why is this Control critical?
Where CIS Control 5 deals specifically with account management,
CIS Control 6 focuses on managing what access these accounts
have, ensuring users only have access to the data or enterprise
assets appropriate for their role, and ensuring that there is strong
authentication for critical or sensitive enterprise data or functions.
Accounts should only have the minimal authorization needed for the
role. Developing consistent access rights for each role and assigning
roles to users is a best practice. Developing a program for complete
provision and de-provisioning access is also important. Centralizing
this function is ideal.
There are some user activities that pose greater risk to an
enterprise, either because they are accessed from untrusted
networks, or performing administrator functions that allow the ability
to add, change, or remove other accounts, or make configuration
changes to operating systems or applications to make them less
secure. This also reinforces the importance of using MFA and
Privileged Access Management (PAM) tools.
Some users have access to enterprise assets or data they do not
need for their role; this might be due to an immature process that
gives all users all access, or lingering access as users change roles
within the enterprise over time. Local administrator privileges to
users’ laptops is also an issue, as any malicious code installed or
downloaded by the user can have greater impact on the enterprise
asset running as administrator. User, administrator, and service
account access should be based on enterprise role and need.
Procedures and tools
There should be a process where privileges are granted and revoked
for user accounts. This ideally is based on enterprise role and need
through role-based access. Role-based access is a technique to
define and manage access requirements for each account based on:
need to know, least privilege, privacy requirements, and/or
separation of duties. There are technology tools to help manage this
process. However, there might be more granular or temporary
access based on circumstance.
MFA should be universal for all privileged or administrator accounts.
There are many tools that have smartphone applications to perform
this function, and are easy to deploy. Using the number-generator
feature is more secure than just sending a Short Messaging Service
(SMS) message with a one-time code, or prompting a “push” alert
for a user to accept. However, neither is recommended for privileged
account MFA. PAM tools are available for privileged account control,
and provide a one-time password that must be checked out for each
use. For additional security in system administration, using “jump
boxes” or out-of-band terminal connections is recommended.
Comprehensive account de-provisioning is important. Many
enterprises have repeatable consistent processes for removing
access when employees leave the enterprise. However, that process
is not always consistent for contractors, and must be included in the
standard de-provisioning process. Enterprises should also inventory
and track service accounts, as a common error is leaving clear text
tokens or passwords in code, and posting to public cloud-based code
repositories.
High-privileged accounts should not be used for day-to-day use,
such as web surfing and email reading. Administrators should have
separate accounts that do not have elevated privileges for daily
office use, and should log into administrator accounts only when
performing administrator functions requiring that level of
authorization. Security personnel should periodically gather a list of
running processes to determine whether any browsers or email
readers are running with high privileges.
→ An excellent resource is the NIST® Digital Identity Guidelines
– https://pages.nist.gov/800-63-3/
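The process check mentioned above (browsers or e-mail readers running with high privileges) is simple to automate over a process listing. This is an added example, not from CIS: the listing is constructed in the shape of `ps -eo user,pid,comm` output, and the privileged-user set and program-name list are assumptions for this example.

```python
"""Flag browsers and e-mail readers running under privileged accounts.

Added example, not from CIS. The process listing is constructed in the shape
of `ps -eo user,pid,comm` output; the privileged-user set and the list of
program names are assumptions for this example.
"""

# Programs that should only ever run from a non-privileged daily-use account.
RISKY_PROGRAMS = {"firefox", "chrome", "chromium", "thunderbird", "evolution", "outlook"}

# Constructed; in practice this comes from the account inventory of Control 5.
PRIVILEGED_USERS = {"root", "alovelace-adm"}

# Constructed listing. Real `ps` output may abbreviate long user names
# (trailing "+"), so a production version would key on the numeric UID.
PS_OUTPUT = """\
USER           PID COMMAND
root             1 systemd
root           842 sshd
alovelace     2231 firefox
root          2402 chrome
alovelace-adm 2510 thunderbird
svc-backup    2600 rsync
"""


def parse_ps(text):
    """Yield (user, pid, command) tuples, skipping the header row."""
    for line in text.strip().splitlines()[1:]:
        user, pid, command = line.split(None, 2)
        yield user, int(pid), command


def privileged_desktop_apps(ps_text, privileged_users=PRIVILEGED_USERS):
    """Return [(user, pid, command)] where a risky program runs with high privilege."""
    return [(user, pid, command)
            for user, pid, command in parse_ps(ps_text)
            if command in RISKY_PROGRAMS and user in privileged_users]


if __name__ == "__main__":
    for user, pid, command in privileged_desktop_apps(PS_OUTPUT):
        print(f"{command} (pid {pid}) is running as {user}")
```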
Safeguards
Number Title/Description Asset Type Security Function IG1 IG2 IG3
6.1 Establish an Access Granting Process
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Establish and follow a process, preferably automated, for granting access to
enterprise assets upon new hire, rights grant, or role change of a user.
6.2 Establish an Access Revoking Process
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Establish and follow a process, preferably automated, for revoking access to
enterprise assets, through disabling accounts immediately upon termination, rights
revocation, or role change of a user. Disabling accounts, instead of deleting
accounts, may be necessary to preserve audit trails.
6.3 Require MFA for Externally-Exposed Applications
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Require all externally-exposed enterprise or third-party applications to enforce
MFA, where supported. Enforcing MFA through a directory service or SSO provider
is a satisfactory implementation of this Safeguard.
6.4 Require MFA for Remote Network Access
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Require MFA for remote network access.
6.5 Require MFA for Administrative Access
Asset Type: Users | Security Function: Protect | IG1, IG2, IG3
Require MFA for all administrative access accounts, where supported, on all
enterprise assets, whether managed on-site or through a third-party provider.
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
Asset Type: Users | Security Function: Identify | IG2, IG3
Establish and maintain an inventory of the enterprise’s authentication and
authorization systems, including those hosted on-site or at a remote service
provider. Review and update the inventory, at a minimum, annually, or more
frequently.
6.7 Centralize Access Control
Asset Type: Users | Security Function: Protect | IG2, IG3
Centralize access control for all enterprise assets through a directory service or
SSO provider, where supported.
6.8 Define and Maintain Role-Based Access Control
Asset Type: Data | Security Function: Protect | IG3
Define and maintain role-based access control, through determining and
documenting the access rights necessary for each role within the enterprise to
successfully carry out its assigned duties. Perform access control reviews of
enterprise assets to validate that all privileges are authorized, on a recurring
schedule at a minimum annually, or more frequently.
CIS Critical Security Control 7: Continuous Vulnerability Management
Overview
Develop a plan to continuously assess and track vulnerabilities on all
enterprise assets within the enterprise’s infrastructure, in order to
remediate, and minimize, the window of opportunity for attackers.
Monitor public and private industry sources for new threat and
vulnerability information.
Why is this Control critical?
Cyber defenders are constantly being challenged by attackers who
are looking for vulnerabilities within their infrastructure to exploit
and gain access. Defenders must have timely threat information
available to them about: software updates, patches, security
advisories, threat bulletins, etc., and they should regularly review
their environment to identify these vulnerabilities before the
attackers do. Understanding and managing vulnerabilities is a
continuous activity, requiring focus of time, attention, and resources.
Attackers have access to the same information and can often take
advantage of vulnerabilities more quickly than an enterprise can
remediate. While there is a gap in time from a vulnerability being
known to when it is patched, defenders can prioritize which
vulnerabilities are most impactful to the enterprise, or likely to be
exploited first due to ease of use. For example, when researchers or
the community report new vulnerabilities, vendors have to develop
and deploy patches, indicators of compromise (IOCs), and updates.
Defenders need to assess the risk of the new vulnerability to the
enterprise, regression-test patches, and install the patch.
There is never perfection in this process. Attackers might be using
an exploit for a vulnerability that is not known within the security
community. They might have developed an exploit for this
vulnerability, referred to as a “zero-day” exploit. Once the
vulnerability is known in the community, the process mentioned
above starts. Therefore, defenders must keep in mind that an exploit
might already exist when the vulnerability is widely socialized.
Sometimes vulnerabilities might be known within a closed
community (e.g., vendor still developing a fix) for weeks, months, or
years before it is disclosed publicly. Defenders have to be aware that
there might always be vulnerabilities they cannot remediate, and
therefore need to use other controls to mitigate.
Enterprises that do not assess their infrastructure for vulnerabilities
and proactively address discovered flaws face a significant likelihood
of having their enterprise assets compromised. Defenders face
particular challenges in scaling remediation across an entire
enterprise, and prioritizing actions with conflicting priorities, while
not impacting the enterprise’s business or mission.
Procedures and tools
A large number of vulnerability scanning tools are available to
evaluate the security configuration of enterprise assets. Some
enterprises have also found commercial services using remotely
managed scanning appliances to be effective. To help standardize
the definitions of discovered vulnerabilities across an enterprise, it is
preferable to use vulnerability scanning tools that map vulnerabilities
to one or more of the following industry-recognized vulnerability,
configuration and platform classification schemes and languages:
Common Vulnerabilities and Exposures (CVE®), Common
Configuration Enumeration (CCE), Open Vulnerability and
Assessment Language (OVAL®), Common Platform Enumeration
(CPE), Common Vulnerability Scoring System (CVSS), and/or
Extensible Configuration Checklist Description Format (XCCDF).
These schemes and languages are components of SCAP.
→ More information on SCAP can be found here –
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf
The frequency of scanning activities should increase as the diversity
of an enterprise’s assets increases to account for the varying patch
cycles of each vendor. Advanced vulnerability scanning tools can be
configured with user credentials to authenticate into enterprise
assets and perform more comprehensive assessments. These are
called “authenticated scans.”
In addition to the scanning tools that check for vulnerabilities and
misconfigurations across the network, various free and commercial
tools can evaluate security settings and configurations of enterprise
assets. Such tools can provide fine-grained insight into unauthorized
changes in configuration or the inadvertent introduction of security
weaknesses from administrators.
Effective enterprises link their vulnerability scanners with problem-
ticketing systems that track and report progress on fixing
vulnerabilities. This can help highlight unmitigated critical
vulnerabilities to senior management to ensure they are resolved.
Enterprises can also track how long it took to remediate a
vulnerability after it was identified or a patch was issued. These can
support internal or industry compliance requirements. Some mature
enterprises will go over these reports in IT security steering
committee meetings, which bring leaders from IT and the business
together to prioritize remediation efforts based on business impact.
In selecting which vulnerabilities to fix, or patches to apply, an
enterprise should augment NIST’s Common Vulnerability Scoring
System (CVSS) with data concerning the likelihood of a threat actor
using a vulnerability, or potential impact of an exploit to the
enterprise. Information on the likelihood of exploitation should also
be periodically updated based on the most current threat
information. For example, the release of a new exploit, or new
intelligence relating to exploitation of the vulnerability, should
change the priority through which the vulnerability should be
considered for patching. Various commercial systems are available to
allow an enterprise to automate and maintain this process in a
scalable manner.
The most effective vulnerability scanning tools compare the results
of the current scan with previous scans to determine how the
vulnerabilities in the environment have changed over time. Security
personnel use these features to conduct vulnerability trending from
month to month.
Finally, there should be a quality assurance process to verify
configuration updates, or that patches are implemented correctly
and across all relevant enterprise assets.
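The two ideas above, augmenting CVSS with exploit likelihood and enterprise impact, and comparing the current scan with the previous one to trend vulnerabilities, fit together in a short script. This is an added example, not any product's logic: the scan records, their ids (placeholders, not CVE numbers), the exploited_in_wild, exposed, criticality and first_seen fields, and the weights are all constructed for the illustration.

```python
"""Rank scan findings beyond bare CVSS and trend them between two scans.

Added example, not a product's logic. The records, their placeholder ids,
the threat-intelligence fields and the weights are constructed; a real
program sources them from the scanner and from current threat information,
as the text describes.
"""
from datetime import date

REMEDIATION_DAYS = 30                 # Safeguard 7.7: remediate monthly or more often
PREVIOUS_SCAN_DATE = date(2024, 5, 10)
CURRENT_SCAN_DATE = date(2024, 6, 1)

# Constructed scanner output: one record per (vulnerability, asset) pair.
PREVIOUS_SCAN = [
    {"id": "VULN-1001", "asset": "web-01", "cvss": 9.8, "exploited_in_wild": True,
     "exposed": True, "criticality": "high", "first_seen": date(2024, 4, 2)},
    {"id": "VULN-1002", "asset": "db-01", "cvss": 7.5, "exploited_in_wild": False,
     "exposed": False, "criticality": "high", "first_seen": PREVIOUS_SCAN_DATE},
    {"id": "VULN-1003", "asset": "ws-07", "cvss": 5.3, "exploited_in_wild": False,
     "exposed": False, "criticality": "low", "first_seen": PREVIOUS_SCAN_DATE},
    {"id": "VULN-1006", "asset": "ws-07", "cvss": 7.2, "exploited_in_wild": False,
     "exposed": False, "criticality": "low", "first_seen": PREVIOUS_SCAN_DATE},
]
CURRENT_SCAN = [
    PREVIOUS_SCAN[0], PREVIOUS_SCAN[1], PREVIOUS_SCAN[2],   # still open; VULN-1006 was fixed
    {"id": "VULN-1004", "asset": "web-01", "cvss": 6.5, "exploited_in_wild": True,
     "exposed": True, "criticality": "high", "first_seen": CURRENT_SCAN_DATE},
    {"id": "VULN-1005", "asset": "db-01", "cvss": 4.3, "exploited_in_wild": False,
     "exposed": False, "criticality": "high", "first_seen": CURRENT_SCAN_DATE},
]

# Constructed weights; an enterprise calibrates these against its own risk appetite.
CRITICALITY_WEIGHT = {"high": 1.3, "moderate": 1.0, "low": 0.7}


def priority(finding):
    """CVSS base score adjusted for exploit likelihood and enterprise impact."""
    score = finding["cvss"]
    if finding["exploited_in_wild"]:
        score *= 1.5        # an exploit is circulating: the window is closing
    if finding["exposed"]:
        score *= 1.2        # reachable from untrusted networks
    score *= CRITICALITY_WEIGHT[finding["criticality"]]
    return round(score, 2)


def rank(findings):
    """Findings in remediation order, highest adjusted score first."""
    return sorted(findings, key=priority, reverse=True)


def trend(previous, current):
    """Split findings into new, fixed and persisting, keyed by (id, asset)."""
    prev = {(f["id"], f["asset"]) for f in previous}
    curr = {(f["id"], f["asset"]) for f in current}
    return {"new": curr - prev, "fixed": prev - curr, "persisting": prev & curr}


def overdue(findings, scan_date, limit_days=REMEDIATION_DAYS):
    """Keys of findings that have stayed open longer than the remediation window."""
    return {(f["id"], f["asset"]) for f in findings
            if (scan_date - f["first_seen"]).days > limit_days}


if __name__ == "__main__":
    for f in rank(CURRENT_SCAN):
        print(f"{priority(f):6.2f}  {f['id']} on {f['asset']} (CVSS {f['cvss']})")
    for category, keys in trend(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{category:10} {sorted(keys)}")
    print("overdue:", sorted(overdue(CURRENT_SCAN, CURRENT_SCAN_DATE)))
```

Note that VULN-1004 (CVSS 6.5, but exploited in the wild on an exposed, high-criticality asset) ranks above VULN-1002 (CVSS 7.5), which is exactly the reordering the text argues for.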
Safeguards
Number Title/Description Asset Type Security Function IG1 IG2 IG3
7.1 Establish and Maintain a Vulnerability Management Process
Asset Type: Applications | Security Function: Protect | IG1, IG2, IG3
Establish and maintain a documented vulnerability management process for
enterprise assets. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
7.2 Establish and Maintain a Remediation Process
Asset Type: Applications | Security Function: Respond | IG1, IG2, IG3
Establish and maintain a risk-based remediation strategy documented in a
remediation process, with monthly, or more frequent, reviews.
7.3 Perform Automated Operating System Patch Management
Asset Type: Applications | Security Function: Protect | IG1, IG2, IG3
Perform operating system updates on enterprise assets through automated patch
management on a monthly, or more frequent, basis.
7.4 Perform Automated Application Patch Management
Asset Type: Applications | Security Function: Protect | IG1, IG2, IG3
Perform application updates on enterprise assets through automated patch
management on a monthly, or more frequent, basis.
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
Asset Type: Applications | Security Function: Identify | IG1, IG2, IG3
Perform automated vulnerability scans of internal enterprise assets on a quarterly,
or more frequent, basis. Conduct both authenticated and unauthenticated scans,
using a SCAP-compliant vulnerability scanning tool.
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Asset Type: Applications | Security Function: Identify | IG2, IG3
Perform automated vulnerability scans of externally-exposed enterprise assets
using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly,
or more frequent, basis.
7.7 Remediate Detected Vulnerabilities
Asset Type: Applications | Security Function: Respond | IG2, IG3
Remediate detected vulnerabilities in software through processes and tooling on a
monthly, or more frequent, basis, based on the remediation process.
CIS Critical Security Control 8: Audit Log Management
Overview
Collect, alert, review, and retain audit logs of events that could help
detect, understand, or recover from an attack.
Why is this Control critical?
Log collection and analysis is critical for an enterprise’s ability to
detect malicious activity quickly. Sometimes audit records are the
only evidence of a successful attack. Attackers know that many
enterprises keep audit logs for compliance purposes, but rarely
analyze them. Attackers use this knowledge to hide their location,
malicious software, and activities on victim machines. Due to poor or
nonexistent log analysis processes, attackers sometimes control
victim machines for months or years without anyone in the target
enterprise knowing.
There are two types of logs that are generally treated and often
configured independently: system logs and audit logs. System logs
typically provide system-level events that show various system
process start/end times, crashes, etc. These are native to systems,
and take less configuration to turn on. Audit logs typically include
user-level events—when a user logged in, accessed a file, etc.—and
take more planning and effort to set up.
Logging records are also critical for incident response. After an
attack has been detected, log analysis can help enterprises
understand the extent of an attack. Complete logging records can
show, for example, when and how the attack occurred, what
information was accessed, and if data was exfiltrated. Retention of
logs is also critical in case a follow-up investigation is required or if
an attack remained undetected for a long period of time.
Procedures and tools
Most enterprise assets and software offer logging capabilities. Such
logging should be activated, with logs sent to centralized logging
servers. Firewalls, proxies, and remote access systems (Virtual
Private Network (VPN), dial-up, etc.) should all be configured for
verbose logging where beneficial. Retention of logging data is also
important in the event an incident investigation is required.
Furthermore, all enterprise assets should be configured to create
access control logs when a user attempts to access resources
without the appropriate privileges. To evaluate whether such logging
is in place, an enterprise should periodically scan through its logs
and compare them with the enterprise asset inventory assembled as
part of CIS Control 1, in order to ensure that each managed asset
actively connected to the network is periodically generating logs.
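The comparison described above, logs against the Control 1 asset inventory, plus a look for the access-denied events the text says every asset should generate, can be scripted over the central log store. This is an added example, not from CIS: the inventory and the syslog excerpt are constructed, and the 24-hour silence threshold and hostname-based matching are assumptions for the example.

```python
"""Check that every managed asset in the inventory is still producing logs.

Added example, not from CIS. The Control 1 style asset inventory and the
syslog excerpt are constructed; the 24-hour silence threshold and the
hostname matching are assumptions for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory from Control 1: hostname -> managed (expected to log).
ASSET_INVENTORY = {"web-01": True, "db-01": True, "ws-07": True, "printer-3": False}

# Constructed central syslog excerpt in RFC 3164 layout (no year in the timestamp).
SYSLOG = """\
Jun  1 08:00:01 web-01 sshd[842]: Accepted publickey for deploy from 10.0.0.12 port 51234 ssh2
Jun  1 08:05:17 db-01 postgres[1301]: LOG:  database system is ready to accept connections
Jun  1 09:12:44 web-01 sudo: bob : user NOT in sudoers ; TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/systemctl stop nginx
May 30 23:59:59 ws-07 systemd[1]: Started Session 5 of user alovelace.
Jun  1 09:40:12 lab-09 sshd[311]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
"""
NOW = datetime(2024, 6, 1, 10, 0, 0)   # time of the check (constructed)
MAX_SILENCE = timedelta(hours=24)

LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# Messages that record an attempt to reach a resource without the right privileges.
DENIED_RE = re.compile(r"NOT in sudoers|DENIED|Failed password|denied", re.IGNORECASE)


def parse_syslog(text, year):
    """Return [(timestamp, host, message)].

    The year is supplied by the caller because RFC 3164 timestamps omit it;
    a real collector must also handle the year boundary.
    """
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # malformed line: skip rather than crash
        mon, day, clock, host, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        entries.append((ts, host, msg))
    return entries


def log_coverage(inventory, entries, now=NOW, max_silence=MAX_SILENCE):
    """Managed hosts that logged recently, managed hosts that went quiet, and
    hosts that log but are missing from the inventory (an inventory gap)."""
    last_seen = {}
    for ts, host, _ in entries:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    managed = {h for h, is_managed in inventory.items() if is_managed}
    covered = {h for h in managed if h in last_seen and now - last_seen[h] <= max_silence}
    return {"covered": covered,
            "silent": managed - covered,
            "unknown": set(last_seen) - set(inventory)}


def denied_access_events(entries):
    """(host, message) pairs for access attempts made without the needed privileges."""
    return [(host, msg) for _, host, msg in entries if DENIED_RE.search(msg)]


if __name__ == "__main__":
    entries = parse_syslog(SYSLOG, NOW.year)
    for category, hosts in log_coverage(ASSET_INVENTORY, entries).items():
        print(f"{category:8} {sorted(hosts)}")
    print("denied-access events per host:",
          dict(Counter(host for host, _ in denied_access_events(entries))))
```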
Safeguards
Number Title/Description Asset Type Security Function IG1 IG2 IG3
8.1 Establish and Maintain an Audit Log
Asset Type: Network | Security Function: Protect | IG1, IG2, IG3
51. I
IV. What the Rehabilitation Records Show 151
1. Introductory 151
2. Social Data and Total Grants and Refusals 152
3. Principal and Subsidiary Grants 157
4. The Re-opening of Cases to Make Further Grants 160
5. Variations in Amounts of Grants, and Refusals 165
I
BEGINNINGS OF REHABILITATION
1. GENERAL POLICY
n the beginning of the Relief Survey it has been shown how, with
what seemed to be an instinctive insistence, the trend of the
work was toward the formulation of a definite rehabilitation
policy. The principle, one might say axiom, which determined the
character of this policy was that help should be extended with
reference to needs and not with reference to losses. It was not easy
to hold to the relief principle in the face of a sentiment by no means
weak nor voiceless that each sufferer was entitled to an equal share
of the funds. That the Rehabilitation Committee did consistently act
on this principle during the periods of its activity was a marked
achievement—an achievement that may be counted to the good, not
only for the relief of San Francisco sufferers but for sufferers from
subsequent disasters.
When the Rehabilitation Committee began its work at the
beginning of July, 1906,[96] it could not know what amount of money
would be available for the purposes of its work. It knew that
$1,500,000 had been suggested as the amount and 15,000 as the
number of families to be rehabilitated. It held many conferences to
consider the possibility of obtaining even the roughest sort of census
of the families who would require assistance.
[96] See Part I, p. 21.
No solution was furnished by the population of the various
camps because even if their total population had been known, it
would not have given a clue to the number of families who were
living with relatives or friends or as tenants in the overcrowded
quarters. Unlike the ordinary relief society, the Committee could not
estimate the total actual needs of its prospective applicants.
Therefore it had to fix definite limitations for grants[97] to those who
first applied so that later applicants, with needs equally great, might
not suffer injustice.
[97] A classification of grants was in use which had been adopted by the
Red Cross Special Bureau. The headings of this classification were “Tools,”
“Household Re-establishment,” “Business Enterprise,” “Special Relief,”
“Transportation.” Special Relief was used to describe a miscellaneous
group of grants, and to prevent its being confused with the later Bureau
of Special Relief (see Part II, p. 145), it will hereafter in this study be
designated “General Relief.”
With these considerations in mind the Committee at its first
meeting moved to limit the vast bulk of grants to sums of $500 or
less. The decision was that a grant that did not exceed $200 could
be approved by one member of the Committee, that grants of from
$200 to $500 should require the signatures of two members, and
that grants of more than $500 should require the action of the entire
Committee. During the first few months the number of separate
grants of $500 or over, exclusive of housing grants, was but 121, the
general assumption in the Committee room and among the
rehabilitation workers being that the number of families to receive
over $500 should be small.
Eventually, of the 20,241 families assisted by the Committee,
647 families received as much as $500 each.[98] It was not realized
at the beginning that in a great number of instances there would be
re-openings and new applications leading to the granting of new
forms of rehabilitation; that, for example, a family would be helped
first to re-establish itself in business and later to build a house.
Supplementary grants that increased the total allowance to a family
to more than $500 were not passed upon by the Committee as a
whole, though at several meetings the question of requiring the
Committee to act as a whole on the issuance of a series of grants in
excess of $500 to an applicant was informally discussed. No official
action, however, followed the discussions. Before the middle of July
the Committee sent to the newspapers and to others interested, a
circular in which was outlined its general purpose. In this its aim was
shown to be not to determine the size of grants by the extent of
losses, but to help those to re-establish themselves who were
unable, even upon a contracted basis, to do so without assistance.
[98] The difference between these figures and the figures given in Table
45 on page 165 is due to the fact that successive grants of the same
nature to a single applicant were, in making some compilations, treated as
a single grant, and in making others, as successive grants.
The wisdom of limiting the size of grants may be questioned by
some, but there is no doubt of its paramount importance in giving a
rough basis for work at a time when it was impossible to estimate
the number of families that would require assistance. It is hard to
conceive of the setting of any other standard than this. Without it
the possibilities for confusion and injustice were unusually large. The
decision was reached not only from motives of prudence but also
from the Committee’s sense of responsibility in dealing with such
large amounts of money as would undoubtedly be placed in its
hands. That the feeling of personal responsibility was large was
made evident by other actions of the Committee.[99]
[99] Under somewhat similar circumstances the Chicago Fire Commission
practically limited special relief expenditures to $200 per grant. See Report
of the Chicago Relief and Aid Society of Disbursements of Contributions
for the Sufferers by the Chicago Fire (1874), p. 199.
After the Department of Camps and Warehouses was created on
August 1, 1906, the Rehabilitation Committee[100] finally adopted its
own policy with reference to families living in the camps, a policy
which as has been seen[101] had been gradually taking shape during
July. The whole question of the rehabilitation of camp families had
been considered at a lunch given before his departure east by Dr.
Devine to the members of the Committee and the staff. The
conclusions of this informal conference did not take official form, but
they may be accepted as marking the first step in the formulation of
the policy. They were: That the camps should provide for the
immediate needs of their inmates; that no stated sum could be set
aside for the ultimate use of those who were expected to become
permanent charges; and that no family living in a camp should be
given rehabilitation aid until it had presented a definite plan for
rehabilitation. It was felt that the effect upon applicants would be
great if once they understood that it was useless for them to come
to the Committee without definite and concrete plans. The subject of
setting aside a sum for the use of the residue came up again in the
latter part of August when Mr. Dohrmann, in making his estimates of
the future disposition of funds, again and again called attention to
the need of reserving large sums to re-establish camp families.
[100] Now a part of the Department of Relief and Rehabilitation, which
included also the Bureau of Special Relief, Bureau of Hospitals, etc.
[101] See Part I, p. 19 ff.
By August 1 the issuing of rations had been discontinued. The
Department of Camps and Warehouses had taken over the bulk of
the work of the short-lived Executive Commission, and the
Rehabilitation Committee had been made responsible, under the
gradual centralization of all relief, for the granting of all aid other
than shelter and the relief-giving incidental to camp life. The
Rehabilitation Committee was, however, in accordance with the
policy it had adopted, steadying the number of applications made to
it by camp families, by requiring an applicant to give proof that he
had an assured dwelling before his request for household aid was
considered. The immediate necessity was to define the relations
between the Department of Relief and Rehabilitation and the
Department of Camps and Warehouses. On August 6, 1906, the
chairman of the latter department, Rudolph Spreckels, met with the
Rehabilitation Committee, and after prolonged consideration the
following definite agreement was reached:
The Department of Camps and Warehouses agreed:
1. To provide necessary food, clothing, and tent equipment to residents of
camps.
2. To refer to the Rehabilitation Committee only such applicants as were
believed to be prepared to leave the tents and to become undoubtedly self-
supporting.
3. To make within the limits of the camp all investigations necessary to
determine the current needs of the refugees.
4. To inform the Rehabilitation Committee of any applicant who had shown a
readiness to leave the camp and to be rehabilitated.
The Rehabilitation Committee on its part agreed:
1. To follow the notification of an applicant’s readiness to leave a camp by an
investigation of its own and to take such action as the inquiry would warrant.
2. To assume responsibility for supplying all relief outside of the camps, this
full responsibility to be assumed not later than the end of August.
Camp No. 25, Richmond District, opened November 20, 1906
Camp No. 29, Mission Park, opened November 19, 1906
Two Cottage Camps
The responsibility of the Department of Relief and Rehabilitation
for relief outside the camps remained absolute, with the exception of
the housing aid given by the Department of Lands and Buildings. Mr.
Bicknell was appointed to carry out the plan so far as it related to
the Rehabilitation Committee, to which he later presented his plan
for the establishment of a Bureau of Special Relief under the
Department of Relief and Rehabilitation. This new bureau, which is
described elsewhere,[102] gave aid in kind; the Rehabilitation
Committee gave emergency aid in cash.
[102] See Part II, p. 145 ff.
2. PERIODS OF REHABILITATION WORK
By way of introduction to the following chapter, a summary may
well be made of the periods of time into which the rehabilitation
work naturally fell.
May 5 marked the beginning of the rehabilitation work under
the direction of the Red Cross, a period when a force of workers,
trained and untrained, got steadily to work, and when policies began
to be shaped. It may be called the formative period.
July 7 began the second period. It was the time when the
Rehabilitation Committee of the Finance Committee of Relief and
Red Cross Funds got into the saddle, carrying with it the staff and
adopting the policies of the formative period. It was marked by the
rapid development of district organizations; by the rapid increase in
the number of applications for relief. It may be called the period of
accelerated applications.
August 20 opened the third period, when a decline in the
number of applications was brought about by new restrictions upon
the character of cases eligible for consideration; the time when the
advisability of the district plan of organization was brought in
question. Furthermore, it was the time when grants were sharply
limited by the withholding of the eastern funds.[103] This may be
called the period of arrested progress.
[103] See Part I, p. 99 ff.
November 4 began the fourth period, when the centralized plan
was in force and when a persistent effort was made gradually to
decrease the responsibilities carried by the Rehabilitation Committee.
It was the period of centralized effort.
April 9, 1907, marked the beginning of the fifth and last period,
which closed June 30, 1907, with the taking over of the rehabilitation
work by the Associated Charities. It was a time of rapid discharge of
committees and of readjustments,—the period of withdrawal.
II
METHODS OF WORK[104]
1. THE DISTRICT SYSTEM
Before the formation of the Rehabilitation Committee the
Associated Charities[105] had assumed responsibility, under
the Red Cross, for the investigation of applicants for
rehabilitation. During July the Associated Charities under the
direction of the Rehabilitation Committee organized in each of the
seven civil sections of the city a committee of persons who were
related more or less to the previous charity work of the locality. Each
section or district office was supervised by a chairman[106] under
whom was an agent with a corps of visitors and clerks. By securing
in addition to the local charity workers the services of several
experienced workers from states east of the Sierras, it was possible,
as has been already stated, to have an experienced agent in each
district. Four sections were in charge of agents drawn from the
outside; three of agents with experience in the San Francisco
Associated Charities.
[104] The section on methods in Appendix I, p. 406 ff., supplements this
chapter. It is more detailed than is this portion, and is important to those
who are responsible for organizing a relief force.
[105] See Part I, p. 14.
[106] These chairmen were the same men who had been serving since
May as the civilian chairmen in their several sections.
The month of July was one that called for the exercise of
discretion and tact, as it was a time when a large untried force had
to be organized to visit families. A general superintendent of district
work was appointed to bring about unity of ideals and standards in
the sections and to cultivate a sympathetic understanding of the
system on the part of all concerned in it. The position was held
during July by one of the eastern workers and after August 1 by the
general secretary of the Associated Charities. The section
committees, mentioned above, made a strong and interested group
of volunteers.
In one of the sections was to be found a group of workers who
knew their neighborhood thoroughly,—a physician who had done
active work among the poorer people previous to April 18, the
president of a settlement, and the priest. These met together each
day with others to go over the case work of the investigators who
were studying the individual needs of refugees. Nowhere else could
one get such an impression of the cosmopolitan character of San
Francisco. The names of the investigators showed their origin,—
Italian, Spanish, English, Scotch. These could speak to the refugees
in their own tongues. One of the investigators was a trained nurse
who had been at work in the neighborhood; another, an artist who
had been the year before as far away from the Pacific Coast as the
Albert Nyanza; the third, a student of economics. In still another
section were to be found as investigators a force of college students.
Seven of them were from Stanford University. They gave devoted
service from April until the university opened in the autumn. They
camped in the outer office and would work from early in the
morning until late in the evening. They were often visiting at six in
the morning and were to be found in the office writing reports at ten
in the evening. Several teachers, a physician, and a trained nurse
made up the rest of the group, which was guided at first by one of
the most active and devoted local workers, a probation officer of the
juvenile court.
In another section one felt the distinctive mark to be catholicity.
The chairman of this committee was a Presbyterian minister and the
assistant to the agent was a Unitarian minister who had given up his
charge to devote himself for a year to the charitable work of the city.
A Hebrew whose strong personal influence counted for much in
dealing with the refugees of his faith; another Hebrew, a woman,
who as a volunteer had done most important service in securing
work for the refugees; an active worker in women’s clubs; and other
men and women who had had experience as teachers and in
business, completed this section committee.
In so large a group of investigators, brought into service at a
time of high pressure, there were necessarily to be found many
attitudes of mind toward the work and varying degrees of readiness
to be instructed. What surprised those who had the task of fitting
the visitors to their work was their adaptability. The committees met
at short intervals to review, one by one, the stories and
recommendations of the investigators, and to make their own
decisions to be submitted for final action to the Rehabilitation
Committee at headquarters.
The investigating force of the Rehabilitation Committee reached
its highest number in August, 1906, when it numbered 96 persons
on full and nine on half time. Sixty-five other persons were also
employed, principally as clerks and messengers. The Committee
from the start took the sensible ground that as far as possible there
should be investigation of each applicant. The record card used in
the sections was the second registration card, which as the reader
knows, superseded the one adopted in the initial relief period.[107]
[107] See Part I, p. 49. See cards in Appendix II, pp. 428 and 429.
The second registration was undertaken by the staff of workers
gathered together by the American National Red Cross, who worked
from the seven civil sections and recorded their investigations on the
improved cards described below. These cards, which were kept on
file at headquarters, were, from the time of the second registration
to the end of the rehabilitation work, used by the various
committees. They held the facts as to an individual’s own
expectation of providing shelter for himself and family. Later these
cards served to measure the degree of success each applicant had
made in carrying out his own plan.
The second registration, though not to the same degree as the
first, failed in completeness, so that many persons who applied later,
not only to the Rehabilitation Committee but to the many other
committees and departments, were given relief by those who were
in ignorance of what help had already been extended. If registration
had been accurate and complete from the beginning much saving of
money and time would have been effected, and, of immeasurably
greater importance, much better rehabilitation work could have been
done. A thorough system of registration would have been opposed
by many of the relief workers, as well as by the refugees, but the
importance of securing, in beginning such a work, an accurate
registration of names and references and of entering on the dated
cards the facts of aid requested and given, cannot be over-
estimated. The outstanding need of the later rehabilitation work was
for a registration so inclusive that it might serve as a general
confidential exchange of information[108] of the sums of relief given
and the efforts made to rehabilitate individuals or families. One of
those who had partial supervision of enumeration for the first
registration has said that a more carefully prepared card and a rigid
supervision of investigators could have secured the desired results
even if the investigators were untrained. The lack of a well ordered
bureau for confidential exchange of information led to serious
duplication of inquiry and of grants.
[108] Registration as a means of holding and securing information was in
use by various committees other than the Rehabilitation Committee.
But to return to a consideration of the record card. It provided
for a graphic presentation of the salient economic features of each
family. When rightly filled in it showed the total present income of
the family, its physical condition and the previous occupation of the
breadwinner, the sum of its losses and its present resources. It gave
a picture of the family’s former or present relations to its church, its
lodge, its employers, its plan for rehabilitation, and the investigator’s
estimate of this plan or the investigator’s alternative plan. Each
visitor who had not had previous training as an investigator was
given careful direction as to how an investigation should be made.
Each was instructed to explain to the families that what was being
aimed at was to find a way out which would be a real way out. Relief
that had been already given was emergent, temporary. But now the
Committee was anxious to learn of those who with a fair grant would
be able to re-establish themselves.
In compiling the statistical abstract of applications for Chapter
IV of this part of the Relief Survey no attempt was made to ascertain
what references were seen or corresponded with, except for the
business application cases. These were controlled by much stricter
regulations than were the other applications. It is impossible,
therefore, to state accurately the number of applications that were
superficially investigated by visits to the applicants only. It is
probably true that a study of the applications for household
rehabilitation would show that comparatively superficial
investigations had been made although there had usually been some
attempt to corroborate the applicants’ stories by calling for a general
letter of recommendation or one written directly to the Committee.
Letters from ministers bulked large in this correspondence. The
experience of the Rehabilitation Committee, it can be most positively
stated, confirmed that of the special relief committee of the Chicago
fire that such recommendations are valueless in the vast majority of
cases. It is sufficient to state here, as this question will be brought
up later in the discussion of the Committee’s relation to the auxiliary
societies,[109] that the Committee learned quite early in its career
that some of the clergy of the city had had manifolded a stereotyped
form of recommendation to give to any one who might apply.
[109] See Part II, p. 137 ff.
The method of investigation in force would have been
insufficient if it had been thought necessary to inquire closely into
the moral character of the applicants. What the family had to say
about its previous income; what its present income was; what its
plans were and how it hoped with the aid of a grant to carry out
these plans,—these with the visitor’s observations gave a sort of
rough-and-ready gauge. There was, of course, a certain amount of
deception, but the field investigations made later by the Relief
Survey showed that the percentage of grants made upon actually
fraudulent representations was comparatively small. Plans for
rehabilitation that were inherently weak or confused or unwise had
to be guarded against. The grant desideratum was practical
definiteness. Illustrations of what were considered to be definite,
what indefinite plans, are incidentally presented under the chapters
dealing with particular forms of rehabilitation. It is well at this point
to state that after October 12, 1906, before a grant for rehabilitation
or aid for furniture could be obtained, an application had to be made
to the Rehabilitation Committee on a printed form.[110]
[110] For reproduction of form see Appendix II, p. 435.
The applications for tools were made the subject of a
comparatively superficial investigation. Transportation cases were
subjected to a gradual rise in the standard of inquiry. In the case of
“general relief,” which included the permanent care of aged or invalid
persons and of unsupported children, medical co-operation was
generally called for. Applications for emergent relief led to no
extended investigation. The housing applications, as will appear,[111]
were subjected to special forms of inquiry.
[111] See Part I, pp. 22-23 and 69 ff.; Part IV, Housing Rehabilitation, p.
211 ff.; and Appendix I, p. 417.
Applications were received at the seven section offices at any
hour of the day, as well as at the central office of the Associated
Charities. The rule was, theoretically, to receive no applications at
the office of the Rehabilitation Committee; but so many applications,
some of which called for immediate investigation and action, were
referred directly to the Committee, that from one to four
interviewers had to be held at the central office to attend to them. It
would have been ill-advised during July and August to limit either
the hours or places at which applications could be made. Any
limitation might in some instances have caused actual distress. The
magnitude of the task did not in itself, save in exceptional
circumstances, delay the giving of emergent relief, as special
arrangements were made for expediting emergency cases.
Before recommendations were brought to the members of the
Rehabilitation Committee for decision they were read by trusted
employes of the Committee in order that apparent injustices
resulting from the varying standards of the different section
committees might be done away with. The Committee itself
established rough standards to govern its decisions. For household
rehabilitation, for instance, its standard adopted after a careful
employe had visited several furniture companies to learn the range
of prices, was based upon a rate of $50 a room for each of the
minimum number of rooms which would be required for an
individual family. Certain fixed rules were also adopted with
reference to business rehabilitation.[112] There was no little criticism
of an intermediate step having to be taken between the passage of
records from section committees to the Rehabilitation Committee.
During the latter part of the second period, which ended in August,
1906, some members of the Rehabilitation Committee itself were
inclined to doubt the wisdom of the plan. Nevertheless, the opinion
of the majority of the Committee was that its rough standardizing
was a great time saver. The reviewers exercised no discretionary
authority. They were indeed willing to present any case, in any form,
to the Committee if a section committee insisted upon it. A
justification of the plan lies in the fact that when a case went directly
to the Committee from a section, almost without exception it was
sent back. The reviewers served simply as advisers to the section
committees. They had in mind the broad lines of policy that had
been marked out by the Rehabilitation Committee and were in many
instances able to save from one to two days in the reaching of a
final decision as to a grant. An explanation made by the trained
reviewer to a district messenger, an agent, or Committee member,
was oftentimes much more acceptable than would have been
Committee action which reversed a section decision.
[112] For full discussion see Part III, Business Rehabilitation, p. 171 ff.
Headquarters Department of Relief and Rehabilitation, Gough and Geary Streets
Another subject that called for anxious debate was as to the
degree of power that should be given by the Rehabilitation
Committee to the section committees to make grants of money for
emergency need. On July 12, the Committee resolved that in an
emergency case a requisition might be made on the treasurer for a
sum not to exceed $50, provided the request were signed by two
members of the section committee. The Committee reserved the
right to review such grants and at any time to withdraw the privilege
from the sections. At a meeting held a day or so afterward this
matter was reconsidered and laid over because several members of
the Committee expressed themselves forcibly as opposed to any
division of responsibility. At a joint meeting of the Rehabilitation
Committee with the members of the section committees, held on
July 19, 1906, the question of placing small funds in the hands of
the section committees was again informally considered. Some of
the section members strongly urged this plan and cited illustrations
of necessary delays incident upon the ordinary procedure,—
illustrations which proved that the delay was a source of
embarrassment. As a member of the Committee recently said, a
great amount of unpleasantness was caused by complaints of delay
in comparatively small matters. Objections still being made by some
members, the Committee asked the Associated Charities to present a
plan, but though such a plan was drawn up it was never presented
for action to the Committee because of the objections that were
raised against it.
This source of friction was removed in the course of events.
When the Bureau of Special Relief[113] was established on August
15, 1906, applications for emergency relief in kind were referred to
it. On the closing of the section headquarters, Committee I of the
centralized system[114] was prepared to give small money grants on
short notice. The Associated Charities, from almost the beginning of
the rehabilitation work, also stood ready to make small gifts of
money to persons in need, or to make immediate purchase of
necessities. It was from time to time reimbursed for these
expenditures, though no formal arrangement was made by which it
could draw on any regular fund for petty cash expenditures.
[113] See Part II, p. 145 ff.
[114] See Part II, p. 125.
Anyone who has had experience in a charity organization
society which has district offices knows that the common rule is to
empower a district superintendent or committee to make emergency
expenditures of comparatively limited amounts and to draw for
reimbursement on the society’s general relief fund. Such special
expenditures are subject to audit. The principle underlying them is at
stated periods to have their issuance made the subject of a careful
review by the general secretary, the district supervisor or some other
central office official. In case of continuous indiscreet expenditures
the question raised is not whether the power shall be withdrawn but
whether there shall be some change in the district force or some
calling of volunteers to account. In other words, the principle has
been recognized that though there can be no division of final
responsibility as to expenditures, as a matter of practical efficiency,
districts must be given a certain amount of discretion in the making
of small emergency grants.
The extent of the task of investigating and reviewing cases can
be measured by the following showing. When the Rehabilitation
Committee settled to its task on July 7, 1906, the formative period of
rehabilitation work closed. The second period was inaugurated by
public announcement of the Rehabilitation Committee’s plans. During
July, 1906, the work increased by leaps and bounds. Though the
Committee might wish to feel its way there was no time for
deliberate action as the members had simply to speed up in order to
keep ahead of the applications awaiting action. By August 1 the
Committee had passed upon 3,000 applications. On that same date
there were about 9,000 applications in the sections which either
were awaiting investigation or had been partially or fully
investigated, but awaited action by the section committees. The
original estimate of families that would need rehabilitation was
15,000. To pass on one-fifth of the whole may be considered to be
fairly good progress for the first three weeks of a committee’s real
work. During the next twelve days, as the news of the grants began
to circulate widely, came the high-water mark of applications. On
August 13, at the request of the chairman of the Committee, a
complete return was made which showed that there were then
8,916 applications pending, and that the average rate of applications
was somewhat over 200 a day. The danger of swamping the work
was evident.
At the time when the number of applications for rehabilitation
was heaviest came the uncertainty as to whether funds would be
available. The chairman of the Rehabilitation Committee, therefore,
at an important meeting held on August 12, requested members to
present a definite plan as to the amount of money that they would
request the Executive Committee to set aside for rehabilitation.
Accordingly, on August 16, the following estimate was presented as
the minimum amount that would be required for carrying on the
work of the Department:
TABLE 29.—ESTIMATE OF AMOUNT REQUIRED FOR CARRYING ON
WORK OF RELIEF, PRESENTED AUGUST 16, 1906[115]
Branch of work                    Amount required
Rehabilitation                         $1,250,000
Hospitals                                 100,000
Industrial Centers                         15,000
Special Relief (General Relief)           250,000
Transportation                             10,000
Administration                            100,000
Total                                  $1,725,000
[115] On August 11, 1906, the balance sheet of the San Francisco Relief
and Red Cross Funds showed that a total of $5,599,466.02 had been
received by that body; that deducting expenditures and immediate
liabilities there was an actual cash balance of $2,105,309.74. This total
was not all available for the uses of the Rehabilitation Committee but was
the only source of support for the Department of Camps and Warehouses,
the Department of Lands and Buildings, both of which required large
sums, and all other activities of the Relief Corporation.
What the estimate for rehabilitation was based upon it is
difficult to say, though the original estimate of $1,500,000 may have
again been in mind. By August 16, applications to the number of
4,635 had been passed upon by the Committee, involving a total
disbursement of a little over $300,000 and an average grant of
about $80 a case. About 10,000 applications were pending and there
were still three or four thousand families in the camps who would
eventually have to be assisted by the Committee. Upon this basis a
total of $1,120,000 would be required, and this may have been the
basis for the estimate. Prospective applications from persons living
outside the camps were not taken into account.
No action was taken when the estimate was presented, but at
the meeting of the Committee on August 20 the chairman again
presented a detailed report regarding funds available for the
Corporation. After a very extended discussion it was agreed that it
would not be safe for the Rehabilitation Committee to take further
action until it knew something more definite regarding the amount
of money it would receive and the amount that would be called for
by the applications on file. The Committee decided therefore to
notify the sections, the societies that were authorized to investigate
applications for relief, and the press, that after August 20 no more
applications for rehabilitation and relief would be received until all
the cases pending had been investigated and disposed of. After this
date no official notice was ever given of the readiness of the
Committee to again receive applications.
Applications for medical aid, and in special instances for food,
were to be received, however, as before, at the section stations. This
action, which was momentous, inaugurated the third period of work,[116]
which extended from August 20 to November 4, 1906. A large
number of applications was received later and all the applications on
file were in the course of time duly considered and made whenever
necessary the subject of grants, the amount of money used for
rehabilitation being in the end considerably larger than was
estimated. August 20 is the sinister date which appears and
reappears in the later chapters, when the subject of delay in the
rehabilitation work is discussed.
[116] See Part II, p. 111.
The superintendent of the Rehabilitation Committee at that time
prepared detailed instructions for the force at the main and at the
section offices. These instructions were adopted later by the sub-
committees of the centralized system. The instructions provided that
future applications and those pending but not yet investigated, for
medicine, medical aid, special diet, food, tools, and sewing
machines, be referred to the Bureau of Special Relief, and that they
be considered with reference to the relative disability of the
applicants, in the following order:
1. Aged and infirm.
2. Sick and temporarily disabled.
3. Unsupported women and children (families without male breadwinners and
with the burden of support resting heavily on the women or children).
4. Families insufficiently supported (breadwinners unable to earn enough to
provide a surplus for rehabilitation or enough even to pay running expenses).
After the four classes of cases had been investigated and
reported to the Rehabilitation Committee for final action, the
sections were to investigate the remaining applications. This latter
group of applications[117] was to be divided into three classes:
1. Household rehabilitation.
2. Special building propositions not covered by the Department of Lands and
Buildings.
3. Miscellaneous cases.
[117] All applications made by refugees living outside of San Francisco
were considered by the whole committee.
The immediate attention of the Rehabilitation Committee, now
that the general drawing of checks was suspended, was confined to
those applications already on file in which emergent action was
absolutely necessary or in which grants had been promised provided
certain conditions were complied with by the applicants. All
applications for business rehabilitation were to be laid aside for a
time with the understanding that if the Committee later secured
sufficient means they should be investigated and reported on. The
Committee indicated that unless disablement or sickness were
involved it would be most reluctant to consider any family to be in
urgent need if in it there were a male breadwinner earning
reasonable wages.
The plan of the Rehabilitation Committee was to go over the
whole mass of applications and then draw checks in favor of the first
four classes. This marked a distinct limitation upon its work. By vote
of the Committee on August 30, 1906, it was decided to settle at
once all unpaid grants that had been approved on August 20. By
September 20 accumulated applications had been investigated and
the Committee was ready to pass upon them. It is not clear from the
records just when the bars were lifted and when checks were issued
as heretofore upon all classes of cases approved by the Committee.
There appears to have been no formal action in this matter. It is
interesting to note that on August 18 the total disbursements
recorded were $356,773.75 and the total applications acted upon
5,241. By September 20, 1906, the total disbursements amounted to
$573,337.91 and the total cases acted upon were 10,374.
2. THE CENTRALIZED SYSTEM
In October, 1906, there was a radical change of method. On
September 27, the Rehabilitation Committee was notified by the
Corporation that all the sections except Section II would close by the
end of September. As the section offices closed, members of the
paid and voluntary staffs were drawn into the work of the central
office, the paid workers to continue as investigators or clerks, the
members of the district committees to serve as an auxiliary
committee to the Rehabilitation Committee for the review of cases.
These were steps preliminary to a centralizing of the work. On
October 11, when the chairman presented his plan for a division of
the Rehabilitation Committee into sub-committees, 18,196
applications altogether had been passed upon. At close of business,
October 11, 1906, the bookkeeper of the Committee had handled
these 18,196 cases and had paid out on them $842,076.21.
The plan for the centralized system was presented by a sub-
committee consisting of the chairman and the superintendent, who
was the secretary of the Associated Charities and responsible for the
issuing of instructions to the district workers. It was to create six
sub-committees. The Rehabilitation Committee was to be drawn on
to provide a chairman for each and the former section committees to
provide the membership. The numbers of the sub-committees and
their respective fields of work were as follows:
SUB-COMMITTEE    FIELD OF WORK OF SUB-COMMITTEE
I.               Temporary Aid and Transportation.
II.              Relief of Aged and Infirm, Unsupported Children, and Friendless Girls.
III.             Relief of Unsupported or Partially Supported Families.
IV.              Occupations for Women and Confidential Cases.
V.               Housing and Shelter.
VI.              Business Rehabilitation.
VII.             Furniture Grants to heads of families employed but unable to furnish their homes.
VIII.            Relief in Deferred and Neglected Cases.
Committee VII was formed on January 16, 1907; Committee
VIII on November 17, 1906. Each was considered as a sub-
committee of the older sub-committees. Two of the six secretaries
already appointed served the new committees. It may be noted here
that five of these six secretaries had had previous experience in
charity organization work.
The following members[118] of the Rehabilitation Committee
were appointed chairmen of the respective sub-committees:
SUB-COMMITTEE    CHAIRMAN
I.               O. K. Cushing
II.              Dr. John Gallwey
III.             Archdeacon J. A. Emery[119]
IV.              Archdeacon J. A. Emery
V.               Rev. D. O. Crowley
VI.              C. F. Leege
[118] Two of these served as chairmen of Committees VII and VIII.
[119] Succeeded by A. Haas.
The methods of investigation under the new system were the
same as under the old, but the change involved radical differences in
treatment. It is generally acknowledged that the district system was
the only one practicable in the early days, when transportation
facilities were so limited. The physical difficulties that would have
been involved in attempting to make an investigation from one
center were not the only, if indeed the most important, factor that led
social leaders to determine upon the district plan. The primary
reason was that the seven civil sections were known to the people
when they wished to follow their early applications for clothing and
other emergent needs by applications for rehabilitation. The social
investigation was made to fit the civil section plan, which was based
upon the theory that by working from district centers it was possible
to gain more accurate knowledge of the actual needs of families and
to have such brought more quickly to the attention of the workers
and be followed more surely by helpful recommendations than would
be the case if need were relieved and recommendations made by
one or several central committees. In short, it was believed that the
district plan of the larger charity organization societies could be well
adapted to the rehabilitation work and would give it greater
firmness, accuracy, and swiftness of action. As it turned out,
however, under the district plan the hoped-for swiftness of action
was not achieved, which was one of the reasons for the change to
the centralized system. After the change the average period of time
lapsing between application and grant was considerably reduced;
however, this is partly to be accounted for by the fact that after
October, 1906, the Rehabilitation Committee acted more rigorously
on the policy adopted August 20 to limit the number of applications
received.
During the first five months of the great relief work the most
destitute had made application. This fact, and the further fact that
prompt action was made possible through the creation of the Bureau
of Special Relief, justified in a measure the change to the centralized
system. The advantages of the centralized system as developed in
San Francisco may be said to be that under it the attention of a
group of workers was confined to the consideration of a specific
class of grants. Such limitations brought expertness and a surer
standardizing of the grants within a class. The disadvantage is that
with the gain in expertness came a loss in general appreciation of
the need of the individual case. The individual members of the