For Your Eyes Only

Article Tools

• December 2006 Issue
• Post a Comment
• Print This Article
• Email This Article to a Friend
• Save This Article
• Order a Reprint

From the December 2006 Issue

We’ve all heard or read the sensational stories: VA laptop stolen containing social security information of more than 26.5 million veterans; Laptop with credit card information for more than 243,000 customers stolen from auditor’s car; hard drives containing a treasure trove of confidential information recovered from machines “donated” to a worthy charity or fished out of a local landfill. On and on, the stories splash on our screens and evening news, each one a glowing example of breach in confidentiality — one of the “pillars” of IT security.

So with recent news events as a backdrop, I felt it would be especially worthwhile to begin a multi-part series that focuses on the topic of confidentiality — threats to maintaining the confidentiality of our most sensitive information — along with reasonable steps and measures we can take to safeguard this information. And as we explore confidentiality — threats and responses — you will quickly notice a number of factors that need to be considered since our data is susceptible across a number of fronts.

As a refresher, there are three primary goals (also known as the pillars) of IT security. They are as follows:

• Confidentiality — Information should only be available to authorized individuals.
• Integrity — Information should only be modified by those who are authorized to do so.
• Availability — Information should be accessible to those who need it, when they need it.

IDENTIFY WHAT'S IMPORTANT

The first step in ensuring the confidentiality of critical data is clearly identifying the information itself. For instance, an organization might not much care if an outsider gains access to the company’s complete branch office address listing (in fact, many organizations publish this information directly to their websites). But unauthorized access to client name and address information would probably be much more problematic. In fact, unauthorized access to virtually all types of key data, ranging from customer lists and operational information to business plans and financial data, could spell disaster for an organization. Yet often, much of this information is distributed across a number of machines, in a number of locations, throughout an organization — many times with little or no thought given to security — with no clear corporate knowledge of what exists where.

PROTECT PHYSICAL ACCESS TO DATA

Once you’ve identified mission-critical data, the next order of business is to make certain it’s physically protected. This means that no one should be able to physically walk off with it. So to make that happen, all an organization needs to do is place network servers in a locked closet or server room, and the last person out at night locks the office doors … right? Well, not so quickly. With more and more organizations equipping their users with laptops, the reality is that increasing amounts of key data is walking out the door each and every day. In fact, as recent headlines point out, some of the most significant data breaches are the result of simple laptop theft (i.e., homes and cars broken into and laptops stolen). Our organization has experienced this first-hand when one of our staff consultants had her car broken into and machine stolen this past year.

So how should an organization respond? Well, in addition to some of the obvious measures, including placing all servers in locked closets as previously suggested, the following additional steps should also be considered:

• Train users regarding the importance of physically protecting company data, wherever it resides, including desktop machines, corporate laptops, backup media, USB drives, CD disks, etc.
• Caution users on the risk presented by portable USB thumb drives since large amounts of data can be quickly transferred to these devices from any accessible machine and because these devices can be easily lost, stolen or misplaced. Some organizations have gone so far as to disable USB ports on user machines in order to prevent unauthorized individuals from potentially downloading data to one of these portable devices.
• Purchase a locking cable for each laptop user so the machine can be physically secured in the event it needs to be left unattended for a short period of time — a must for anyone regularly on the road!
• Remove keyboards from server machines if they don’t need to be regularly accessed.