Re: USB pen drive policy
Jun 06 2006 05:13AM Paul W Brager Jr CISSP CISM (paul-brager houston rr com) (2 replies)
Kosala,
The main thing with pen drives and other "portable" storage is to define in the policy that these devices be protected by a demonstrable encryption mechanism, with sufficient strength to protect the data contained on them. In general, most of the devices come with some rudimentary encryption software, but I would recommend standardizing on something like PGP, where a high strength key can be used to encrypt the data. Obviously, the safest course of action is not to use them for corporate data - however, knowing that sentiment is unrealistic, it is our task as security professionals to meet the "customer" where they are, to the extent it is feasible. Hope this helps.
Paul W Brager Jr CISSP CISM
Information Security Professional
paul-brager (at) houston.rr (dot) com
----- Original Message -----
From: "Wilson Wong" <wilson.wong (at) netrust (dot) net>
To: "'Kosala Atapattu'" <kosalaa (at) carcumb (dot) com>; <bs7799 (at) securityfocus (dot) com>
Sent: Monday, June 05, 2006 11:27 PM
Subject: RE: USB pen drive policy
: Hi,
:
: My experience is that through a security audit, some auditors would look at
: the mobile hard disk and pen drive as possible security leakage and would
: recommend some sort of security.
:
: You could check out www.mysecuredoc.com on their media security. Yes I am
: selling this stuff but do consider this on its merit and comment.
:
: Wilson
:
: -----Original Message-----
: From: Kosala Atapattu [mailto:kosalaa (at) carcumb (dot) com]
: Sent: Tuesday, June 06, 2006 11:30 AM
: To: bs7799 (at) securityfocus (dot) com
: Subject: USB pen drive policy
:
:
: Hi all,
:
: Does anyone use a USB pendrive policy? I was just wondering how to
: handle USB pendrives since their capacities are increasing by the day and
: becoming a potential threat of information leakage.
:
: At the same time USB pendrives have become something we can't get rid
: of, their uses overwhelm user productivity in some cases (people take
: work home..:)).
:
: Has anyone come across a similar policy regarding USB pen drives? Any
: comments highly appreciated.
:
: Kosala Atapattu
: