
Re: Top Information Security Management Challenges in the Enterprise Tod

Subject: Re: Top Information Security Management Challenges in the Enterprise Today?
Date: Mon, 24 Oct 2005 10:01:26 -0400
Social Engineering/Industrial Espionage.

Annual Security Awareness Training with monthly reminders in the form of
e-mail reminders, Security Awareness posters at entry/exit points and areas
of congregation.  Also included in training is information regarding
industrial espionage. What to watch for and what actions to take should you
suspect internal theft of information or intellectual property. Annual
acknowledgement by all employees of their S.A.T. attendance. Detailed
policies that address the use of communication services and how these
services can be used as a tool to jeopardize the company and customers.
These combined with actual penetration testing. Actually calling random
employees and trying to obtain useful information. It is truly amazing what
a few kind words will get you sometimes.

Lost or Stolen portable devices

Use of SSL VPN with 2 factor authentication to allow remote and traveling
users to access sensitive information with edge devices while preventing
said data from actually leaving the network perimeter. In such cases where
data must leave the perimeter controls, then the edge devices utilize
encryption of the hard drives, thumb drives, and other portable media, to
prevent loss of data. Strict policies that govern the use and maintenance
of all portable devices.


Disaster Recovery/Business Continuity


This one is really dependent on your company and the Business Impact
Analysis that should be performed to determine the actual impact to your
line of business in the event of a disaster. FFIEC guidelines are a great
place to start along with NIST, SANS and others.

I would consider these to be my top 3 worries/concerns. I would also add
that the current trend to packing more and more features into cell phones
is cause for concern to security individuals. I am currently working on
policies to restrict the use of certain mobile devices due to the added
risk that comes with allowing these devices into data processing
facilities. Phones with cameras could easily be used to steal data and now
with services such as iTunes being loaded onto mobile phones, I am
concerned with the capability of using the phone as a USB storage device in
the same manner as a common thumb drive.


\_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
\_    Steve Angell,  MCSE, CCNA            _/
\_    Security and Compliance                _/
\_    Senior Manager, Risk Services    _/
\_    TSYS Debt Management              _/
\_    Norcross, GA                                   _/
\_    Phone 770-409-5570                    _/
\_    Cell      770-365-2986                   _/
\_    Fax      770-416-1752                   _/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
