GRAND RAPIDS – The recent rash of highly publicized laptop thefts has led to a corresponding increase in articles on what to do about sensitive customer data on employee laptops. It seems to me that these articles are too narrowly focused and need to expand their scope to all removable media.
Laptops aren't the only problem. Floppy disks, compact discs, memory cards, external hard drives and even your old backup tapes are all part of the problem of sensitive customer data ending up in the wrong hands. Regardless of scope, one thing is clear: it's time to get serious about securing your client's data. The reputation risk alone should be enough to scare any professional service firm managing partner into action by now.
Gartner Group suggests a variety of practices for restricting the use of such devices and limiting employee access to sensitive data, ranging from banning portable storage devices entirely to an increased focus on data encryption and digital rights management. If you are looking to go the cheap route and use the encryption capability that is included with Microsoft Windows 2000/XP (the Encrypting File System, EFS), my own experience with it indicates that it is not reliable enough for an enterprise solution that handles mission-critical data.
Believe me, it is no fun to have to explain to your boss that the results of the lengthy computer scans done on site cannot be saved because the encryption algorithm is malfunctioning. Besides, a data encryption policy needs to be combined with your access control policy. An effective design should allow for centralized management of encryption that enables the data owner, not the data user, to control data viewing. So far, only expensive third-party solutions are promising that.
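As an added check, the following PowerShell audit (an editor's example, not part of the original column and not from Gartner, Microsoft or any vendor's tooling) tests a Windows host for the two controls discussed above: whether portable storage is blocked, and whether built-in EFS has a Data Recovery Agent so that a lost user key does not mean lost data. The registry paths and cipher.exe switches are documented Microsoft ones; the probe file path and the exact strings matched in cipher's output are assumptions to confirm on the target OS build.

```powershell
# Added example, not from the column: audit a Windows host for the two removable-media
# controls discussed above (blocking portable storage, and relying on built-in EFS).
# Registry paths and cipher.exe switches are documented Microsoft ones; the probe file
# and the exact strings matched in cipher output are assumptions (verify on your OS build).

function Test-UsbStorageBlocked {
    # USBSTOR Start=4 disables the USB mass-storage driver (a common pre-Vista control).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
    $driverDisabled = ($null -ne $svc -and $svc.Start -eq 4)

    # Vista and later: the Group Policy "All Removable Storage classes: Deny all access"
    # writes Deny_All=1 under this policy key.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                            -Name Deny_All -ErrorAction SilentlyContinue
    $policyDenied = ($null -ne $pol -and $pol.Deny_All -eq 1)

    [pscustomobject]@{
        UsbStorDriverDisabled  = [bool]$driverDisabled
        RemovableStorageDenied = [bool]$policyDenied
        Blocked                = [bool]($driverDisabled -or $policyDenied)
    }
}

function Test-EfsRecoveryAgent {
    # Encrypt a throwaway file and ask cipher.exe who can recover it. Data encrypted with
    # EFS but without a Data Recovery Agent is lost if the user's profile or key is lost,
    # which is the failure mode the column warns about.
    $probe = Join-Path $env:TEMP 'efs-probe.txt'      # constructed path, assumption
    'probe' | Set-Content -Path $probe
    cipher.exe /e /a $probe | Out-Null                 # /a: operate on a file, not a directory
    $info = cipher.exe /c $probe                       # /c: show encryption info (XP SP2 and later)
    Remove-Item -Path $probe -Force

    # Assumption: cipher prints a "Recovery Certificates" section, and the line
    # "No recovery certificate found" when no DRA is configured.
    $listsSection = [bool]($info | Select-String -SimpleMatch 'Recovery Certificates' -Quiet)
    $noneFound    = [bool]($info | Select-String -SimpleMatch 'No recovery certificate found' -Quiet)

    [pscustomobject]@{
        HasRecoveryAgent = ($listsSection -and -not $noneFound)
        RawCipherOutput  = ($info -join "`n")   # keep the raw text for the auditor to review
    }
}

$usb = Test-UsbStorageBlocked
$efs = Test-EfsRecoveryAgent
if (-not $usb.Blocked) {
    Write-Warning 'Removable storage is not blocked on this host.'
}
if (-not $efs.HasRecoveryAgent) {
    Write-Warning 'EFS has no Data Recovery Agent: a lost user key means lost data. Back up keys with cipher /x.'
}
$usb
$efs
```

Run it from an elevated PowerShell prompt on a representative laptop build. A host where both functions report false is one where the policy on paper has no technical enforcement behind it, which is the gap the column describes.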
If you don't already have removable media addressed in your security policy, it's easy to do so. The SANS Institute continues to maintain its Security Policy Project at: Sans.Org
They actually want you to take their sample policies and use them. The State of Oklahoma has addressed removable media, remote access, disposal of media and access control in their security policies at: Divisions.OKCareertech.Org
If you are a financial institution or medical facility subject to the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), our own Director of Security, Scott Montgomery, maintains a library of security policies that specifically address their auditors' requirements. Just remember that any security policy needs to be reviewed by your legal counsel before being put into effect.
Security policies, however, are all subject to one thing: the human factor. Security policies will not protect the company if they are not followed. In the end, you have to trust your employees. There is no avoiding that, so you'll need to include background checks in your hiring practices and follow up with continued background and credit checks of existing employees who handle sensitive data.
Where are we headed with all this security policy and security awareness training? Well, the truth is that as much as you need to invest in these preventive steps, you could still get hit with a security breach that could cost you your business. The solution we may be headed towards is an infrastructure change. It may be too much to ask to keep your client's data secure while providing for all the demands of an increasingly mobile workforce. Why not just go ahead and keep your client's data in a secure data center that is professionally maintained, with backup, disaster recovery, remote monitoring and data security taken care of for you?
You could still have the convenience of mobility with secure remote access that does not involve your client's data leaving the secure facility. The remote access would be secured by using a product like Citrix Presentation Server. You could even add RSA SecurID two-factor authentication to provide employees and partners with secure remote access to the firm's applications and data.
Such a solution would help to ensure that only authorized users have access to sensitive information and to comply with government regulations regarding data security while providing remote access to data, reducing costs, improving the productivity and efficiency of the professional staff and providing enhanced client service.
This column was written by Daniel G. Romej, CPA, MCSE, CISSP, EnCE, Security Consultant, Computer Products & Resources, Inc.