
Re: Top Information Security Management Challenges in the Enterprise Tod

Subject: Re: Top Information Security Management Challenges in the Enterprise Today?
Date: Thu, 27 Oct 2005 09:53:18 +0800
This really depends on your environment's business nature. Everything counts
down to business requirement (or "$$$" to be straightforward). For my
environment, a global logistic and transport company, productivity and
efficiency are the keys and thus achieving a balance of productivity and
security poses as the biggest challenge. It is true in most cases that
security and convenience are on the opposite side of the balance, especially
during the initial stages of implementing security policy and measures to
your environment.
 One of the resolutions is to fully understand the impact of the security
measures and technologies to the user environment, this will boil down to
implementation and operation details including specific technical
knowledge. And inform your management and users together with your
suggestions and advice before they report the problems and make noise of it.

 Cheers!
Rick Zhong Liming


 On 10/24/05, sangell@nan.net <sangell@nan.net> wrote:

Social Engineering/Industrial Espionage.

Annual Security Awareness Training with monthly reminders in the form of
e-mail reminders, Security Awareness posters at entry/exit points and areas
of congregation. Also included in training is information regarding
industrial espionage. What to watch for and what actions to take should you
suspect internal theft of information or intellectual property. Annual
acknowledgement by all employees of their S.A.T. attendance. Detailed
policies that address the use of communication services and how these
services can be used as a tool to jeopardize the company and customers.
These combined with actual penetration testing. Actually calling random
employees and trying to obtain useful information. It is truly amazing what
a few kind words will get you sometimes.

Lost or Stolen portable devices

Use of SSL VPN with 2 factor authentication to allow remote and traveling
users to access sensitive information with edge devices while preventing
said data from actually leaving the network perimeter. In such cases where
data must leave the perimeter controls, then the edge devices utilize
encryption of the hard drives, thumb drives, and other portable media, to
prevent loss of data. Strict policies that govern the use and maintenance
of all portable devices.


Disaster Recovery/Business Continuity

This one is really dependent on your company and the Business Impact
Analysis that should be performed to determine the actual impact to your
line of business in the event of a disaster. FFIEC guidelines are a great
place to start along with NIST, SANS and others.

I would consider these to be my top 3 worries/concerns. I would also add
that the current trend to packing more and more features into cell phones
is cause for concern to security individuals. I am currently working on
policies to restrict the use of certain mobile devices due to the added
risk that comes with allowing these devices into data processing
facilities. Phones with cameras could easily be used to steal data and now
with services such as iTunes being loaded onto mobile phones, I am
concerned with the capability of using the phone as a USB storage device in
the same manner as a common thumb drive.


\_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
\_ Steve Angell, MCSE, CCNA _/
\_ Security and Compliance _/
\_ Senior Manager, Risk Services _/
\_ TSYS Debt Management _/
\_ Norcross, GA _/
\_ Phone 770-409-5570 _/
\_ Cell 770-365-2986 _/
\_ Fax 770-416-1752 _/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
