We can’t let employees use an Android phone. It’s not enterprise-ready!
A Mac? We don’t use those.
Flash drives are not allowed here!
We have all heard arguments like that.
For as long as I’ve been active with information security, there has been tension between non-InfoSec folks and technology users.
User’s perspective – The tools and devices that the company provides just are not good enough. I use a <some device> at home and it really would help me at my job. In fact, I’ve already started using it for some work activities…
InfoSec perspective – The consumer device may be Really Cool, but we haven’t done a security assessment on it yet. Can the data on it be encrypted? What about a remote wipe of the data? We’re not going to allow that on our corporate network…
And so the tension goes on and on and on.
What ever happened to technology being an enabler?
So, what role does Information Security play?
- Don’t allow unwanted traffic on the network.
- Don’t allow unauthorized software on the workstation.
- Don’t allow access to certain data.
- Don’t allow unapproved devices.
That’s all pretty negative, isn’t it? Here are some random thoughts about what we should be doing…
- Don’t forget that business exists for a reason. Our job is to help protect that business, not always to be like Nancy Reagan and “just say NO”.
- Encourage personal responsibility to protect the business. It is the job of everyone.
- Find out what the real deficiency is that the user is trying to remediate with the consumer device and address that real need.
- Remember that there are legitimate times to take a stand and refuse to allow certain devices to be used in the company.
- Regulations, such as PCI DSS, SOX, GLBA, etc., exist to provide guidelines. Many businesses can be surprisingly flexible, even when these regulations must be followed.
- But, don’t be afraid to do the necessary work to perform the risk analysis of the device, and maybe change policy or practice if the risk is at an acceptable level.
- Finally, an attitude of working together can go a long way in helping the user to understand the issues surrounding their favorite consumer device.
That’s about it for my thoughts this week. Until next time…
- Dan
Tags: InfoSec Function
According to cnnfn.com, simplification is coming to Facebook privacy configurations. The article starts out with this…
NEW YORK (CNNMoney.com) — Facebook confirmed Tuesday that it will simplify its privacy settings, in a move aimed at quelling growing concerns over how much user information is exposed online.
“I can confirm that our new, simpler user controls will begin rolling out tomorrow (Wednesday). I can’t say more yet,” Andrew Noyes, a Facebook spokesman, said in a statement.
You can read the rest of the article to see what is being said.
Of course, Facebook has been talking about privacy settings for a long time. So have the press, pundits and bloggers. Not that I’m skeptical, or anything, but time will tell as to whether Facebook is truly making any useful changes.
While you are waiting for Facebook to make things simple, head on over to http://www.reclaimprivacy.org/ and use their scanner to help you identify and understand your current settings. The tool will also make some recommendations for you.
Was that a black helicopter that I just saw flying overhead?
- Dan
Tags: FaceBook
Pay attention, everyone -
You should never have the only copy of your important files be stored on your flash drive. It will die (or be lost or be stolen). If this is the case, you may be completely out of luck.
I had a friend give me a flash drive this past weekend. The flash drive is not recognized by any computer. Where there normally is a light that comes on when plugged in, now there is no longer a light.
If the problem is more than just a poor USB connector, then it will be pretty costly to recover the data, if it is possible at all… Usually the cost will outweigh the benefit of recovered files.
So, use the flash drive only as a working and portable storage device. Make sure it is encrypted. Copy the files back to your computer if they are important. That way they will be a part of your normal backups. (You do have a backup system, right?)
If you don’t have a backup system in place, consider using something like LockYourData (www.lockyourdata.com). It allows you to manage both online and local backups as well as keeping multiple generations of files.
The last thing you want to hear is the words of Dr. McCoy as he looks up and says, “He’s dead, Jim.”
- Dan
Tags: FlashDrive
Fred Langa with Windows Secrets has written about his experiences with Microsoft Security Essentials (MSE) running on Windows 7.
http://windowssecrets.com/2010/05/06/01-The-120-day-Microsoft-security-suite-test-drive
Important points…
- Use firewall, filters (in browsers & email), and anti-malware.
- Products from Microsoft are finally easy-to-use for normal users.
- MSE can be configured to be very unobtrusive.
- MSE will frustrate advanced users, or those who need more complex customization.
Personally, I’ve had MSE running on a virtual machine that I use every day, and have been pleased. It is lightweight in its use of system resources.
It seems that for most home users who are running Windows 7, there is no need to purchase a security suite.
- Dan
Facebook’s Eroding Privacy Policy: A Timeline
You really need to take a look at this article. It shows how Facebook has slowly and steadily made your privacy disappear.
You should carefully consider how this impacts you.
- Dan
Tags: FaceBook
