
RE: Access from home/public computer

Subject: RE: Access from home/public computer
Date: Tue, 22 Nov 2005 09:31:27 +0100
John,

Within our organization, we have the possibility to access the corporate
network with different solutions, VPN and SSL based.

But before you start working on this, you should have a couple of things
clear such as: what risks do I run when I open the corporate network, what
risk is the organization (senior management) prepared to accept.
If you make a segregation between opening the network with full access and
those who only need access to their mail etc. (web-based access/SSL), you can
limit the risks to an acceptable level.
There is VPN software available that enforces certain security policies
(firewall with specific settings, AV software running, etc) which will limit
the risks even further.

Home users that NEED access to the corporate network from their own
equipment are allowed (and obliged) to use corporate AV and FW software.
That is the only way you can control the security on an access level. All
policies are in place and staff is being educated prior to providing the
access.

Regarding things like shoulder-surfing, that's basically a matter of
awareness. People will always be your weakest link.

HtH

Regards,

 Koos Varkevisser, CISSP, ISSMP
 Unisys GOIS
 Information Security Officer, MSC Amsterdam
 T: +31 (0)20 526 3947
 M: +31 (0)6 1000 1455
 N: 774 1455
 E: koos.varkevisser@nl.unisys.com


-----Original Message-----
From: Kuisle, John P. [mailto:JPKuisle@fedins.com] 
Sent: Thursday, 17 November 2005 16:24
To: security-management@securityfocus.com
Subject: Access from home/public computer


With advances in technology and the push to make information on our network
accessible anywhere, we're getting a push to open up access to things like
e-mail and our corporate Internet to home users or travelers using public
computers.  Obviously there are some risks associated with allowing this
type of access.  Among them:
* No control over what security measures are installed on the
  non-company owned workstation (AV software, Anti-spyware, Personal
  Firewalls, etc.).
* The user may accidentally or intentionally store sensitive
  information on the workstation.
* Public places in particular lend themselves to things like shoulder
  surfing.

What stance are your companies taking on access to corporate resources from
a non-corporate workstation?  Is it allowed?  Do you have any technical
controls in place to monitor what is being done?  Do you provide security
controls for home users?  Have you just established a policy and educated
your users on the risks?

I'd appreciate any input you have.  Thanks in advance for your help.


John Kuisle - CISSP
Information Security Supervisor
Federated Mutual Insurance
507-455-5477
