BS 7799/ISO 17799
RE: USB pen drive policy Jun 06 2006 06:12AM
Jose Varghese (jose varghese paladion net)
Implement access control on server side. All access on need to know.

Once that is done we take either an approach of trust or no-trust.

TRUST - There are no further controls. If he wants, the user can misuse
information he has access to. Copy it, send it out to others through email
or Internet.

or we take a NO-TRUST approach - where there is no Internet, no email, no
mobile, no CDROM or USB for the user. See the information and that's it!

-----Original Message-----
From: Kosala Atapattu [mailto:kosalaa (at) carcumb (dot) com]
Sent: Tuesday, June 06, 2006 11:23 AM
To: jose.varghese (at) paladion (dot) net
Cc: bs7799 (at) securityfocus (dot) com
Subject: Re: USB pen drive policy

Jose Varghese wrote:
> Building security awareness is the key.
>
> Technology keeps changing - mobile phones with disk drives. These
> technologies are quite handy. I feel it is counterproductive to try
> and ban their usage. Educate the users on the risks and provide them
> the tools to use them securely!
>
I agree on the point that these technologies should not be banned from the
organization; I'm looking at ways to restrict them.

User induction is a good approach, yet we should not forget that typical
users are ignorant as ever. They always try to stick to the convenient
end of the line, where we expect them to stick to the secure end.

Up to now I have realized the following things from the discussion:

1. People carrying data in removable media... which information might be at
risk if they lose the media.
- Solution would be encryption
2. People taking restricted data out of office premises. Information
leakage.
- Any solutions for this...?

Anything else?

Kosala Atapattu

Copyright 2010, SecurityFocus