Yep, you read that right. I finally got an iPad. Early on, I had an iPhone. I loved it but got tired of the abysmal AT&T cellular service in my area. Then I got a Motorola Droid from Verizon. Cellular service is great, but there are several places where Android is not as polished as iOS.

The iPhone and Droid are great for being connected wherever you go.

• … work email … yep
• … personal email … of course
• … texting … does it
• … talking … duh
• … playing games … the Real Reason
• … big, readable screen … no, No, NO!!!

So, the opportunity came to acquire an iPad and I jumped on it. It’s like a big iPhone. For those in the over-50 crowd, the biggest implication is that it is readable. I like that.

Should I have waited until the iPad2 comes out? Probably. They say it will be shipping sometime in early 2011. However, I’ve been waiting for two years for the iPhone to make it to Verizon and it hasn’t yet. No one really knows when iPad2 will be available.

So, now I’ve got 2 devices to carry – Motorola Droid and iPad. I guess that I need to get a suit specially made with big inside pockets to hold the iPad.

But, as with any consumer device that is introduced into the workplace, questions arise…

1. How do I best use this thing for work?
2. What if I lose it? What happens to all my “secret” information?
3. Can I use this to replace my notebook computer?
4. What is the best application to download?
5. Will my I.T. folks let me connect the iPad to the corporate network?

As I explore some of these issues for myself, I’ll post my findings.

I do expect iPad (and similar Android devices) to be game-changers in the realm of personal computing.

- Dan

I checked my email yesterday morning and was greeted with these three headlines:

Employee at Maryland state agency posts client information online

Sensitive database compromised at Buena Vista University

Hospital: files with personal, medical data on 800,000 gone

Whether a state agency, hospital or university, the issues are the same. Confidential information must remain confidential and there must be practices in place to maintain this confidentiality.

This is true for the small business, also.

I have heard many small business owners state that “no one would care about them”. This may have been correct in the past, but it is certainly no longer the case.

Policy statements, and enforcement of that policy, can be a significant deterrent to events such as are depicted in the above links.

Think about this: Who is in charge of updating the business website? Is only authorized information put on the Internet? Who is the one responsible for authorization?

Sometimes a file may accidentally get put on a web server. The contents of the web server should be a part of the regular audits.

Regardless of policy, breach and data loss events are usually a result of someone not being diligent.

I sure not would want to be the one responsible for any of these data loss events.

- Dan

We can’t let employees use an Android phone. It’s not enterprise-ready!

A Mac? We don’t use those.

Flash drives are not allowed here!

We have all heard arguments like that.

For as long as I’ve been active with information security, there has been tension between non-InfoSec folks and technology users.

Users perspective – The tools and devices that the company provides just are not good enough. I use a <some device> at home and it really would help me at my job. In fact, I’ve already started using it for some work activities…

InfoSec perspective – The consumer device may be Really Cool, but we haven’t done a security assessment on it yet. Can the data on it be encrypted? What about a remote wipe of the data? We’re not going to allow that on our corporate network…

And so the tension goes on and on and on.

What ever happened to technology being an enabler?

So, what role does Information Security play?

• Don’t allow unwanted traffic on the network.
• Don’t allow unauthorized software on the workstation.
• Don’t allow access to certain data.
• Don’t allow unapproved devices.

That’s all pretty negative, isn’t it? Here are some random thoughts about what we should be doing…

• Don’t forget that business exists for a reason. Our job is to help protect that business, not always to be like Nancy Reagan and “just say NO”.
• Encourage personal responsibility to protect the business. It is the job of everyone.
• Find out what the real deficiency is that the user is trying to remediate with the consumer device and address that real need.
• Remember that there are legitimate times to take a stand and refuse to allow certain devices to be used in the company.
• Regulation, such as PCI/DSS, SOX, GLBA, etc, exist to provide guidelines. Many businesses can be surprisingly flexible, even when these regulations must be followed.
• But, don’t be afraid to do the necessary work to perform the risk analysis of the device, and maybe change policy or practice if the risk is at an acceptable level.
• Finally, an attitude of working together can go a long way in helping the user to understand the issues surrounding their favorite consumer device.

That’s about it for my thoughts this week. Until next time…

- Dan

Twitter hacked by old technique — again by AP: Yahoo! Tech

This article came out yesterday. The short description is that a compromised personal email account led to a compromise at Twitter.

Although the article is written with the focus on Twitter, this can just as easily happen to you and your organization.

Tip: Keep work email and data separate from personal email and data.

We need to constantly remind folks that there needs to be separation between work and personal email and storage. The selling point is that it protects both the employee and the company in the event the other is compromised.

Once again, the weakest link is The Human.

- Dan

A couple of posts ago, we began the End of Year Cleanup discussion. In that post, I encouraged you to ask the question “Where are we?” with regard to information security within your organization.

Now, we must address the question “Where do we want to be?

Over the years I’ve had several people express that they don’t know where to begin in thinking about this.

Covey says to begin with the end in mind. So, what is the end that you are after? Have you given any thought to this?

The Payment Card Industry (PCI) has created data security standards (DSS) that are to be followed by any organization accepting Visa, MasterCard, American Express, JCB, and Discover cards. It is a very good standard to use as a framework. The PCI DSS quick start can be downloaded here.

In a nutshell, here are the general steps…

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

You can always find more details for each of these steps in the full PCI DSS documents. Check out www.pcisecuritystandards.org for more information.

Keep in mind that not every organization needs to follow all of the details of the PCI DSS. You should aim for security that is reasonable for your organization.

Have fun!

- Dan

Many companies and individuals filter their connection to the Internet. Many others allow wide-open, unfiltered access to whatever their ISP provides. While there may be some good reasons to have unfiltered access in some settings, it is wise to consider applying some filtering to the Internet connection.

Consideration should be given to these issues:

1. Policing vs protecting – This is the most basic question that must be addressed as you think about filtering. What is your objective? Are you hoping to keep you employees from surfing to the Bad Sites, or is your intention to protect them and the company?

   Unfortunately, many employees will take filtering as a statement of distrust. It is important that it be “sold” as being to their benefit that the company be protected and this be done. Employees must also realize that when at work they are about the business of advancing the company.

   Additionally, filtering can help to protect the organization and individuals from falling prey to phishing attacks. (More information on phishing can be found at Wikipedia.)

2. Productivity – Filtering the Internet has the potential to increase productivity of the staff. Let’s face it, unless there are strong policy statements against personal web surfing when at work, and the policies are backed by actions, people will naturally tend to kill time and surf non-work related sites.

   I’ve not found consistent numbers, but there are several studies that seem to suggest personal Internet use consumes a great deal of time for the American worker. Filtering, combined with strong policy, can increase productivity.

3. Liability – Minimizing exposure to liability is a must for the modern business. Any time a “hostile work environment” exists, the company is responsible. I am surprised how easy it is to have someone surf to a web site that makes someone else uncomfortable thus introducing the possibility of harassment charges.

   Instituting filtering indicates that the company is actively taking steps to promote a positive environment. It helps to reduce the possibility of harassment charges. Of course, I am not a lawyer, nor am I giving legal advice. You should seek advice and counsel from your own attorney.

So, now that you have decided to implement some sort of Internet filtering, you need to reach a point of balance in that filtering. Many options will allow filtering anything from pornography to gambling to chat sites to classified ad sites to social networking sites, and so on. Reaching a balance of what will be acceptable vis a vis unacceptable is important. Management must carefully work through this.

Once you have given due attention to those issues, and have decided to implement filtering, you need to know your options. We’ll address that in a follow-up entry.

- Dan

The passwords you use to access your computer, various web sites, your online banking or your financial software are the final line of defense against unauthorized access. It is imperative that you protect these passwords.

What are some practical ways to protect passwords? Here are some guidelines…

1. Don’t write your UserName and Password down on the same piece of paper. Many times these two bits of information are all that is required to access the system.
2. Don’t share your passwords with other people. You can generally be assured that if another person needs to access the information or application, they can secure their own password.
3. Don’t use the same password for multiple and critical applications. For instance, if you password protect your Quicken files, don’t use the same password for your workstation login.
4. Do manage your passwords. If you have several unique passwords and cannot remember them, use some software to keep an encrypted copy of them. I have used Password Safe (http://www.schneier.com/passsafe.html) on Windows computers and the Keychain on OS X.
5. Use a common password for non-confidential applications. The primary benefit of this is that it helps to minimize the number of passwords you use. I use a common password, for instance, for newspaper website registrations.

Of course, if you work in a corporate environment, there will be specific InfoSec policies concerning password management. Be sure to follow them. With just a little thought and work, you can decrease the risk of compromised information.

- Dan

Do you have an acceptable use policy? Acceptable use policies are often viewed as putting an unreasonable burden on employees and managers in the small business environment. These thoughts are often built on the notion that the owner/manager trusts the employees and “no one would ever do that”. Here are five reasons why the small business should consider an Acceptable Use Policy (AUP) in the organization.

1. Expectations are set for the employees – When a company places a computer in front of the employee, there is a basic question in the mind of the employee. “What am I allowed to do with this computer?” Am I allowed to connect to it from home using GoToMyPC? Am I allowed to put iTunes on the computer? The AUP clarifies these questions.
2. Expectations are set for the company – Similarly, the manager does not have to wonder if the employee is using the company computer to print their Christmas cards, or remember if he let anyone do that last year. Consistent treatment of employees is important in the event of employment disputes. The AUP sets forth the guidelines of consistent expectations.
3. It protects the employee – Is it ok for you to surf the Internet at work? How about over lunch-time? Can I use my company-issued notebook computer to watch the latest James Bond movie on dvd at home? Answers to these questions should be embedded in the AUP. For instance, if personal surfing of the Internet is allowed over lunch time, then it should be stated in the AUP. Without an AUP, how is the employees to know what’s allowed and what’s not?
4. It protects the company – No one wants to work in a hostile environment, and no one wants to create a hostile workplace. Anytime someone views adult-oriented material on their computer in the workplace, the company may be accused of creating a hostile work environment. If there is a policy in place whereby employees know in advance that certain behaviors will not be tolerated, the risk of lawsuit may be reduced. Basically, employees need to know what is acceptable and unacceptable behavior.
5. It may keep an employee from activities that are a little “over the line” – I once worked with a lady who would spend time during the day working on a database of her jewelry customers. Our AUP was exceptionally vague, but most people would view this as being unacceptable. But, she saw nothing wrong with it! This is a case of an activity that I would view as over the line of acceptable behavior. The AUP should deal with this.

As you read these comments, remember that I am not offering legal advice. If you have questions about employee discipline, termination or unacceptable behavior, you should consult your own favorite legal counsel.

- Dan