<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Practical Issues in InfoSec &#187; People</title>
	<atom:link href="http://www.dlstrom.com/tag/people/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dlstrom.com</link>
	<description>... putting information security within reach of everyone!</description>
	<lastBuildDate>Fri, 13 Aug 2010 15:22:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Common Sense and Physical Security</title>
		<link>http://www.dlstrom.com/2010/01/08/common-sense-and-physical-security/</link>
		<comments>http://www.dlstrom.com/2010/01/08/common-sense-and-physical-security/#comments</comments>
		<pubDate>Fri, 08 Jan 2010 23:00:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=292</guid>
		<description><![CDATA[I received a call this week from a friend who works in a small office. She had been out for a few days, and when she returned it became obvious that someone had been rummaging through the stuff on her desk. Then, she started telling me that when she turned her computer on there was [...]]]></description>
			<content:encoded><![CDATA[<p>I received a call this week from a friend who works in a small office. She had been out for a few days, and when she returned it became obvious that someone had been rummaging through the stuff on her desk.</p>
<p>Then, she started telling me that when she turned her computer on there was evidence that someone had been using her computer, as well.</p>
<p>Needless to say, she was pretty upset and wanted to know how she could tell who the offender was. She was hoping that there were some &#8220;tracks&#8221; somewhere that would tell her everything about who had been using her computer.</p>
<p>She wanted to confront the others in the office about accessing her computer and desk items while she was out.</p>
<p>Now, let&#8217;s look at some details from a common-sense perspective&#8230;</p>
<ul>
<li>The computer was configured so that it didn&#8217;t require a password to get into Windows. My recommendation was that she make the computer require a password to enter Windows. I suggested to her that the added security far outweighed any perceived inconvenience here.
</li>
<li>It also turns out that the computer in question is a notebook. She had just been turning the computer off at night and leaving it on her desk. Further inquiry led to the discovery that she had a locked file cabinet where she kept the important company information. My recommendation was to make it so the computer could not be accessed while she was not there. I suggested that she lock the notebook computer in the cabinet when she left the office for the day.
</li>
<li>Further questioning helped me to realize that the business had purchased this notebook computer a year ago, but there was no need for portability. So, why did they purchase a notebook? I couldn&#8217;t get a firm answer. My recommendation is that a notebook only be purchased if there is a need for portability, as portability makes theft of the computer easier.
</li>
<li>Regarding who accessed the computer without permission and why, there could be a variety of reasons. I suggested to her that she calmly discuss with her office-mates that it appeared someone had been looking for something while she was out. I also suggested that it is important she do this professionally, and that she encourage them to call her if something is needed while she is out. These are people that she has to work with, and it is important that relationships not be antagonistic.
</li>
</ul>
<p>The conclusion is that this situation could have been averted with just a few simple actions.</p>
<p>Let&#8217;s all use common sense when approaching physical security.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/01/08/common-sense-and-physical-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The People Element</title>
		<link>http://www.dlstrom.com/2009/05/19/the-people-element/</link>
		<comments>http://www.dlstrom.com/2009/05/19/the-people-element/#comments</comments>
		<pubDate>Tue, 19 May 2009 18:16:36 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Awareness]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[People]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=232</guid>
		<description><![CDATA[People play a vital role in your Defense In Depth strategy. Technology, by itself, cannot provide information assurance. Likewise, great operational procedures cannot assure confidentiality, integrity and availability. Time and effort must be invested in people. I used to think that good technology and procedures could overcome almost any problem. That was before a co-worker [...]]]></description>
			<content:encoded><![CDATA[<p>People play a vital role in your <a href="http://www.dlstrom.com/2009/04/16/defense-in-depth/">Defense In Depth</a> strategy. Technology, by itself, cannot provide information assurance. Likewise, great operational procedures cannot assure confidentiality, integrity and availability.</p>
<p>Time and effort must be invested in people.</p>
<p>I used to think that good technology and procedures could overcome almost any problem. That was before a co-worker was arrested for stealing many thousands of dollars&#8217; worth of new computers. He was able to circumvent operational procedures. The technology in place to watch the receiving dock did not catch him. People really can be the weakest link!</p>
<p>Here are a couple of items you need to consider as you work to strengthen the <em>People</em> portion of the information security program.</p>
<ul>
<li>
<strong>Top-level management support</strong> &#8211; While this may sound pretty basic, it is key to the whole InfoSec program. Everyone says this, but it really is true. It is critical that the CIO or CEO support the efforts to protect the information assets of the organization. It may require some creative work to ensure this happens, but is certainly worth the effort.</li>
<li>
<strong>Awareness of employees</strong> &#8211; The folks that do the work of the organization need to understand their role. Most people want to do the right thing, but sometimes do not know how. Creativity is the key here. Will people remember a two-hour briefing on their role in information security? Probably not! So, how about spending some time coming up with unusual ways to show them.</li>
</ul>
<p>The role of people in your information security strategy cannot be over-emphasized. They need to be aware of their role and the importance of their careful actions. The top level of management needs to buy in to the efforts.</p>
<p>Take a look at your organization. Make sure that the CIO, CEO or owner knows and supports the program. Help people to understand their role.</p>
<p>Have fun!</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/05/19/the-people-element/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defense in Depth</title>
		<link>http://www.dlstrom.com/2009/04/16/defense-in-depth/</link>
		<comments>http://www.dlstrom.com/2009/04/16/defense-in-depth/#comments</comments>
		<pubDate>Thu, 16 Apr 2009 21:44:03 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Awareness]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Operations]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=170</guid>
		<description><![CDATA[Can a small or medium sized business do Defense in Depth? How about the home user? The phrase &#8220;defense in depth&#8221; is tossed around in the Information Security field as if everyone knows what is being talked about. Just what is Defense in Depth? The National Security Agency has put out a short paper which [...]]]></description>
			<content:encoded><![CDATA[<p>Can a small or medium sized business do Defense in Depth?</p>
<p>How about the home user?</p>
<p>The phrase &#8220;defense in depth&#8221; is tossed around in the Information Security field as if everyone knows what is being talked about.</p>
<p>Just what is <strong>Defense in Depth</strong>?</p>
<p>The National Security Agency has put out a short <a href="http://www.nsa.gov/ia/_files/support/defenseindepth.pdf">paper</a> which discusses a strategy for defense in depth.</p>
<p>I certainly encourage you to take a look at that paper.</p>
<p>The defense in depth strategy focuses on three important elements as we work toward information assurance. These elements are:</p>
<ul>
<li>People</li>
<li>Technology</li>
<li>Operations</li>
</ul>
<p>We will soon begin looking at each of these elements as it relates to Information Security and the small business or home user.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/04/16/defense-in-depth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
