BS 7799/ISO 17799
USB pen drive policy, Jun 06 2006 03:30AM, Kosala Atapattu (kosalaa carcumb com) (4 replies)
RE: USB pen drive policy, Jun 06 2006 04:27AM, Wilson Wong (wilson wong netrust net) (1 reply)
Re: USB pen drive policy, Jun 06 2006 05:13AM, Paul W Brager Jr CISSP CISM (paul-brager houston rr com) (2 replies)
RE: USB pen drive policy, Jun 06 2006 05:32AM, Jose Varghese (jose varghese paladion net) (1 reply)
for data to be properly controlled within the corporate network -
however, both you and I know that it is not IT security that drives
these requirements...the business drives these requirements, and that
business is enabled by IT (and Security). I too am concerned about the
recent rash of data disclosures, but monitoring what data is being
transferred from internal systems and placed on USB drives, CD-ROMs,
whatever, is a daunting, if not impossible and impractical task. As
one of the respondents said earlier, security awareness training and an
acknowledgement that the end-user understands the risk is the key to
safe telecommuting. Much of the accountability for data has to lie
with the end-user, and there has to be sufficient policy in place and
an enforcement process which can hold the end-user accountable for
their actions.
Paul W Brager Jr CISSP CISM
Information Security Professional
281-682-5879
paul-brager (at) houston.rr (dot) com [email concealed]
----- Original Message -----
From: ljknews <ljknews (at) mac (dot) com [email concealed]>
Date: Tuesday, June 6, 2006 7:16 am
Subject: Re: USB pen drive policy
To: bs7799 (at) securityfocus (dot) com [email concealed]
> At 12:13 AM -0500 6/6/06, Paul W Brager Jr CISSP CISM wrote:
> > Kosala,
> >
> > The main thing with pen drives and other "portable" storage is to
> > define in the policy that these devices be protected by a demonstrable
> > encryption mechanism, with sufficient strength to protect the data
> > contained on them. In general, most of the devices come with some
> > rudimentary encryption software, but I would recommend standardizing
> > on something like PGP, where a high strength key can be used to encrypt
> > the data.
>
> It may be that PGP could be used for a copy of data to be taken off site,
> but "standardizing" on PGP is dangerous as it is not oriented toward use
> of emergency recovery keys. What happens if the person with key knowledge
> gets hit by a bus? That is not a problem with a copy of the data but
> could be disastrous in the case of the original data.
>
> =======================================
>
> Since this list discusses the ISO standard rather than NIST 800-53,
> my presumption is that most participants are not in the US. Have
> participants been following the news where the US _government_
> lost a PC containing names, birth dates and Social Security Numbers
> (enough for identity theft) of 26 million military veterans?
>
> That data was on a laptop that was stolen from an employee's home.
>
> I can see no reason why _anyone_ should be entitled to take that
> much data off site. The explanation was that it was for some
> "data-intensive" work. If this person was programming, he could
> have developed the software at home and then brought it in to the
> office for use on the real data.
>
> But programmers should not have _any_ access to production data.
>
> =======================================
>
> I think focusing attention on encrypting off-site data is the wrong
> approach. Large amounts of data should not be off-site. Let any
> telecommuter who is actually authorized to access all of the data
> access it from home - one record at a time. Nobody is so productive
> that they are going to access 26 million records in a day and look
> at each with human eyes.
> --
> Larry Kilgallen
> LJK Software
>