BS 7799/ISO 17799
USB pen drive policy Jun 06 2006 03:30AM
Kosala Atapattu (kosalaa carcumb com) (4 replies)
Re: USB pen drive policy Jun 06 2006 11:18AM
Mark Waghorne (mark_waghorne yahoo co uk)
RE: USB pen drive policy Jun 06 2006 11:17AM
Ellenburg, George (GELLENBR southernco com)
Re: USB pen drive policy Jun 06 2006 05:14AM
Samir Pawaskar (samirp emirates net ae)
RE: USB pen drive policy Jun 06 2006 04:27AM
Wilson Wong (wilson wong netrust net) (1 replies)
Re: USB pen drive policy Jun 06 2006 05:13AM
Paul W Brager Jr CISSP CISM (paul-brager houston rr com) (2 replies)
Re: USB pen drive policy Jun 06 2006 11:31AM
ljknews (ljknews mac com) (1 replies)
At 12:13 AM -0500 6/6/06, Paul W Brager Jr CISSP CISM wrote:
> Kosala,
>
> The main thing with pen drives and other "portable" storage is to
> define in the policy that these devices be protected by a demonstrable
> encryption mechanism, with sufficient strength to protect the data
> contained on them. In general, most of the devices come with some
> rudimentary encryption software, but I would recommend standardizing
> on something like PGP, where a high strength key can be used to encrypt
> the data.

It may be that PGP could be used for a copy of data to be taken off site,
but "standardizing" on PGP is dangerous as it is not oriented toward use
of emergency recovery keys. What happens if the person with key knowledge
gets hit by a bus? That is not a problem with a copy of the data but
could be disastrous in the case of the original data.

=======================================

Since this list discusses the ISO standard rather than NIST 800-53,
my presumption is that most participants are not in the US. Have
participants been following the news where the US _government_
lost a PC containing Names, birth dates and Social Security Numbers
(enough for identity theft) of 26 Million military veterans?

That data was on a laptop that was stolen from an employee's home.

I can see no reason why _anyone_ should be entitled to take that
much data off site. The explanation was that it was for some
"data-intensive" work. If this person was programming, he could
have developed the software at home and then brought it in to the
office for use on the real data.

But programmers should not have _any_ access to production data.

=======================================

I think focusing attention on encrypting off-site data is the wrong
approach. Large amounts of data should not be off-site. Let any
telecommuter who is actually authorized to access all of the data
access it from home - one record at a time. Nobody is so productive
that they are going to access 26 million records in a day and look
at each with human eyes.
--
Larry Kilgallen
LJK Software

Re: USB pen drive policy Jun 06 2006 02:49PM
paul-brager houston rr com
RE: USB pen drive policy Jun 06 2006 05:32AM
Jose Varghese (jose varghese paladion net) (1 replies)
Re: USB pen drive policy Jun 06 2006 05:53AM
Kosala Atapattu (kosalaa carcumb com) (2 replies)
Re: USB pen drive policy Jun 06 2006 07:03AM
Maurice Smit (m smit dsinet org)
RE: USB pen drive policy Jun 06 2006 06:12AM
Jose Varghese (jose varghese paladion net)


 

Copyright 2010, SecurityFocus