InformationWeek SmartAdvice: "Map Out An Organizational Structure For Security"
Question C: How do we keep sensitive information from walking out the door on high-capacity, thumb-size USB storage devices?
Our advice: This problem isn't a new one. Companies have always had to deal with the challenge of the loss of sensitive data, whether in the form of handwritten notes, printed material, downloaded data, diskette copies, E-mailed information, or burned CDs. What's new about this challenge, however, is that it has become progressively easier for a disgruntled worker to deliberately, or for a nondisgruntled worker to accidentally, take larger quantities of valuable information, such as design sheets, customer records, or employee information, and pass it along to competitors, suppliers, and others.
• From a people perspective, the key lies in developing a culture where information is respected and data is considered sacrosanct, and communicating the importance of adhering to strict intellectual-property protection policies. Instituting a whistleblower-protection program will help bring to the attention of senior management possible unscrupulous or underhanded dealings of employees with possible competitors, vendors, and the like.
• From a technology perspective, there are a number of solutions available, ranging from disabling USB ports within the system BIOS to locking users out of accessing the driver.cab device file on a Windows platform to deploying such third-party software as DeviceLock, which lets IT prevent users from accessing certain devices such as USB ports. However, the challenge with all these methods is that ultimately, if someone wants to get away with it, that person quite easily could use another form of media/transmission to illegally export the information out of the organization and into the hands of someone who shouldn't have it.
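The Windows-side controls in this bullet can be audited and applied from an elevated PowerShell session. The script below is an added example, not part of the original column and not DeviceLock or any other vendor's code; it uses the USBSTOR service's Start value (4 disables the mass-storage driver) and a Deny ACL on the usbstor.inf/usbstor.pnf setup files, which is the documented Microsoft method behind the "lock users out of the driver files" approach the column mentions. The parameter names, the default log path, and the choice of the local Users group as the denied principal are this example's own assumptions.

```powershell
# Added example (not from the column): audit, and with -Enforce apply, a block on USB
# mass-storage devices on Windows. Run in an elevated PowerShell session.
param(
    [switch]$Enforce,                                          # report only unless set
    [string]$DenyPrincipal = 'Users',                          # assumption: group to deny
    [string]$LogPath = "$env:ProgramData\usb-policy-audit.log" # assumption: log location
)

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$setupFiles = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")

function Write-AuditLine([string]$Message) {
    $line = "{0} {1}" -f (Get-Date -Format o), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# 1. USBSTOR service: Start = 4 means the driver is never loaded, so neither a new
#    nor an already-installed USB mass-storage device gets a drive letter.
$start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
if ($start -eq 4) {
    Write-AuditLine "USBSTOR service is disabled (Start=4): USB mass storage blocked."
} else {
    Write-AuditLine "USBSTOR service Start=$start: USB mass storage is ALLOWED."
    if ($Enforce) {
        Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
        Write-AuditLine "Set USBSTOR Start=4."
    }
}

# 2. Setup files: a Deny entry stops a user from installing the driver for a
#    device that has never been plugged into this host before.
foreach ($file in $setupFiles) {
    if (-not (Test-Path $file)) { continue }   # usbstor.pnf is absent on newer Windows
    $acl = Get-Acl -Path $file
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*$DenyPrincipal"
    }
    if ($denied) {
        Write-AuditLine "$($file): Deny entry for $DenyPrincipal present."
    } else {
        Write-AuditLine "$($file): no Deny entry for $DenyPrincipal."
        if ($Enforce) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($DenyPrincipal, 'FullControl', 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $file -AclObject $acl
            Write-AuditLine "Added Deny entry for $DenyPrincipal on $($file)."
        }
    }
}

# 3. Evidence: list the USB mass-storage devices Windows has ever enumerated on this
#    host, so a reviewer can spot use on a machine that should have been locked down.
$seen = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue
foreach ($dev in $seen) {
    Write-AuditLine "Previously enumerated USB storage: $($dev.PSChildName)"
}
```

Run it without `-Enforce` first to see the current state and the device history; the log file gives the audit trail the column's legal bullet will later want. As the column notes, this only closes one channel: an account that can still e-mail, print, or burn a CD needs the access controls in the information-security bullet as well.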
• From a physical security perspective, it's possible to do random bag-checks and other forms of screening for such devices as diskettes, CDs, and thumb-size USB storage devices. However, the biggest challenge with this is that in a typical organization it isn't possible to screen everyone who enters and leaves, and many employees and visitors will likely find it offensive that management resorted to such distasteful measures. This will be perceived (correctly) as mistrust and will likely result in causing some workers to become disgruntled and thereby find innovative means of getting information out. In addition, it's virtually impossible to train the security staff in all the new USB storage devices that are entering the market, such as executive storage pens, storage watches, and Swiss Army drives.
• From an information-security perspective, the organization needs to be cognizant and careful about granting access to sensitive pieces of information to employees. Access to design specifications, data sheets, customer records, and employee information is best kept limited to those whose jobs require them to have it. Others must be locked out of such data using information-security policies and procedures such as system passwords, database security, and application security. The likelihood of data pilferage declines substantially when one or more of these methods is put into place in an organization.
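Limiting access "to those whose jobs require it" is, on a Windows file server, a default-deny ACL on the folder that holds the design sheets or customer records. The script below is an added example, not from the original column: it breaks permission inheritance so that broad grants from the parent (such as Users: Read on the volume root) no longer apply, grants read access to a single job-specific group, and then reports every remaining identity that still has access so the grant list can be reviewed. The folder path and group name are placeholders; it must run as an administrator who has rights to change the folder's ACL.

```powershell
# Added example (not from the column): enforce and review a least-privilege ACL on a
# folder of sensitive records. Path and group are placeholders to replace.
param(
    [string]$Path = 'D:\SensitiveRecords',             # placeholder folder
    [string]$AllowedGroup = 'CONTOSO\DesignEngineers', # placeholder group
    [switch]$Enforce                                   # report only unless set
)

function Get-ExcessAccessReport([string]$Folder, [string]$Allowed) {
    # Returns every Allow entry whose identity is not the allowed group, SYSTEM, or
    # Administrators: these are the entries a least-privilege review should question.
    $acl = Get-Acl -Path $Folder
    $permitted = @($Allowed, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($permitted -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Set-LeastPrivilegeAcl([string]$Folder, [string]$Allowed) {
    $acl = Get-Acl -Path $Folder
    # Stop inheriting from the parent and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop the existing explicit entries so the result is exactly the set added below.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @{ Id = $Allowed;                 Rights = 'ReadAndExecute' },  # the job-specific group
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },     # backup and AV agents
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }      # server administrators
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Id, $g.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

if ($Enforce) { Set-LeastPrivilegeAcl -Folder $Path -Allowed $AllowedGroup }

$extra = @(Get-ExcessAccessReport -Folder $Path -Allowed $AllowedGroup)
if ($extra.Count -eq 0) {
    Write-Host "$($Path): only $AllowedGroup (plus SYSTEM and Administrators) has access."
} else {
    Write-Host "$($Path): identities with access beyond $($AllowedGroup):"
    $extra | Format-Table -AutoSize
}
```

Run the report periodically rather than once: membership of the allowed group, not the ACL, is what drifts, so the review should also cover who is in that group and whether their current job still needs the data.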
• Finally, from a legal perspective, how does the company protect itself in the event of the loss of such data? This boils down to the intellectual-property protection policies that the organization has put in place through patents, trademarks, and copyrights, as well as the legal protection the company has in terms of confidentiality agreements and privacy policies. Ideally, an organization wouldn't need to resort to such measures as taking legal action against an employee. However, should the need arise, the organization is better off taking action sooner rather than later.
-- Sanjay Anand