
Thread: Security Procedures/policy

  1. #1
    Junior Member
    Join Date
    Apr 2003
    Posts
    11

    Security Procedures/policy

    Any laptop that contains sensitive data on its hard drive, the data is strictly prohibited from accessing any non-company network including wireless networks.

    The problem is "sensitive" made me think, and it needs to be more specific.

    Any one can help?
    Prana0777

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    Maybe it's just me, but that policy would serve to make corporate laptops next to useless. Generally I've used my work laptop (at this job and previous ones) to access the network via VPN while travelling, to check my email and to perform research... All of these would not be possible with that policy in place.

    Why allow laptops to leave the site??? If a laptop is properly secured when taken off site the biggest threat is going to be theft, not being compromised via network.

    1. Only company issued laptops should be used to access the corporate VPN
    2. Company issued laptops should be properly locked down by IT Services via the Lockdown Standards Policy (Create this policy with all things that must be in place: Properly Updated (auto-update via SUS maybe), Client-Based Firewall (even the internal one is sufficient in XP), Encrypted Partition/Drive for corporate documents, ScreenSaver auto lockout after 10 minutes, Install AV Software (setup updates), etc)
    3. All corporate documents must be stored on your encrypted drive/partition
    4. Files not related to work are not to be downloaded.

    I don't see your policy as being overly useful...

    Peace,
    HT

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi prana0777

    The basic problem that you have is that there is no definition of "sensitive", so this "policy" is useless.

    "Sensitive" is NOT defined by people in IT, it is defined by your CEO/CFO and the like. They will have to define it rigorously.

    IT can advise as to information that is required to be protected by law, and that is about it.

    the data is strictly prohibited from accessing any non-company network including wireless networks.
    There should not be any "secret" information on laptops, and if you do have some information of a critical nature on a local machine, it should be a TEMPORARY state of affairs. That is what you use removable hard drives for.

    Everything else should be on your servers and perhaps even a secure network such as we use in the defence industry.

    Obviously, you are a commercial organisation, so your Directors/Vice presidents and the like are responsible for the definitions, where they are not prescribed by law (Sarbanes-Oxley, HIPAA etc.....)

    The ruling makes considerable sense, as in the Defence, Armaments and National Security sectors, you have a "secure" and a "general" network. Devices that connect to one are NOT permitted to connect to the other, for obvious reasons.

    I suspect that this is where the concept may have come from?

    EDIT: Moved from computer forensics.

  4. #4
    "Any laptop that contains sensitive data on its hard drive, the data is strictly prohibited from accessing any non-company network including wireless networks.

    The problem is "sensitive" made me think, and it needs to be more specific."

    You are correct. There are certain pieces of information which need classification. This, however, is a process of document classification and criteria. Then with each classification, best practices and mitigating processes and technologies:

    For example, if a document is classified as "Secret", perhaps a design spec that contains a lot of IP, the laptop should conform to: (here you list what would be acceptable risk levels and
    how best to mitigate with processes and policies. Perhaps you would say: laptop file/folder encryption using technology such as Credant. If wireless technology, a separate APN with cell companies that drops users into a corporate-specific APN that would cater for only your users; thus you would not be connected to separate networks, as you can use RADIUS etc. to homogenise/institutionalise your solutions. Remember your classification and policy is key. The "how to secure" will always follow "what is it that I need to secure".
    HO$H Pagamisa. Pro Amour Ludi....

  5. #5
    Originally posted here by nihil
    Hi prana0777

    The basic problem that you have is that there is no definition of "sensitive", so this "policy" is useless.

    "Sensitive" is NOT defined by people in IT, it is defined by your CEO/CFO and the like. They will have to define it rigorously.

    IT can advise as to information that is required to be protected by law, and that is about it.

    There should not be any "secret" information on laptops, and if you do have some information of a critical nature on a local machine, it should be a TEMPORARY state of affairs. That is what you use removable hard drives for.

    Everything else should be on your servers and perhaps even a secure network such as we use in the defence industry.

    Obviously, you are a commercial organisation, so your Directors/Vice presidents and the like are responsible for the definitions, where they are not prescribed by law (Sarbanes-Oxley, HIPAA etc.....)

    The ruling makes considerable sense, as in the Defence, Armaments and National Security sectors, you have a "secure" and a "general" network. Devices that connect to one are NOT permitted to connect to the other, for obvious reasons.

    I suspect that this is where the concept may have come from?

    EDIT: Moved from computer forensics.
    You are correct about sensitive data being housed there for temporary storage. The issue is how to secure the data and mitigate risk. Some laptops such as the IBM T series come with an embedded encryption chip. This plus Mobile Guardian perhaps on the laptop drive and one has a very securely encrypted hard drive. Also removable drive data is obviously also encrypted.

    Also agree with the CFO/CEO issue. Perhaps prana should check on ISO/IEC 17799 and/or 27001 and perhaps aligning COBIT and ITIL. Processes and policy underpin everything.

    Also then, as stated in the above quote, the regulatory requirements. Do you have a policy that states no computer may be connected to more than 1 network at the same time (except where applicable such as NAT or gateway/proxy) or cause a bridged network or so?

    Remember also that policy must align to process. Otherwise you will have a skewed process or unenforceable policy, as it inadequately or incorrectly defines and addresses risk and business process.
    HO$H Pagamisa. Pro Amour Ludi....
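The lockdown items HTRegz lists in post #2 (firewall, encrypted drive, 10-minute screen lock, AV) and the "no more than one network at a time" rule raised in post #5 are only enforceable if something actually checks them. The script below is an added example, not from this thread or any of its posters; it assumes a Windows 10/11 laptop with BitLocker, the NetSecurity and NetTCPIP modules, and an AV product registered with Security Center (a Credant-style third-party encryption product would need its own check).

```powershell
# Added example: audit a Windows laptop against the lockdown standard from post #2
# and the one-network-at-a-time rule from post #5. Run in an elevated session.
# Assumes Windows 10/11 built-in cmdlets; third-party encryption is not covered.
$findings = @()

# 1. Screen saver active, password-protected, timeout no longer than 10 minutes (600 s)
$ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if (-not ($ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and
          [int]$ss.ScreenSaveTimeOut -le 600)) {
    $findings += 'Screen saver lockout is missing, not password-protected, or longer than 10 minutes'
}

# 2. Host firewall enabled on every profile (Domain, Private, Public)
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($off) { $findings += "Firewall disabled on profile(s): $($off.Name -join ', ')" }

# 3. System drive encrypted and protection actually on (configured-but-suspended is a failure)
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not on for $env:SystemDrive"
}

# 4. At least one AV product reported as enabled by Security Center
#    (bit 0x1000 of productState is the "enabled" flag)
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$enabled = $av | Where-Object { ($_.productState -band 0x1000) -ne 0 }
if (-not $enabled) { $findings += 'No enabled anti-virus product reported by Security Center' }

# 5. More than one interface holding a default route means the laptop is on two
#    networks at once (e.g. wired LAN plus wireless), which post #5's rule forbids
$gateways = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty InterfaceAlias -Unique
if (@($gateways).Count -gt 1) {
    $findings += "Multiple networks active at once: $($gateways -join ', ')"
}

if ($findings.Count -eq 0) {
    'Compliant with lockdown standard'
} else {
    $findings | ForEach-Object { "NON-COMPLIANT: $_" }
}
```

The output is a plain list of failed items so it can be collected centrally and tied back to the policy clause each check enforces.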

  6. #6
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes,

    The problem here is that prana~ has quoted just one element of his corporate security model?

    I think that one needs to look at the model as a whole, to ensure that it is complete and that the elements are complementary.

    Also, as S1lv3rW3bSurf3r points out; once you have your policies you need processes to support them, or the policies are meaningless. Similarly it is foolish to copy someone else's processes without understanding what is behind them, and ensuring that you have a complete security model.

    If you check HTRegz's post above, you will see just how much more complex the model is, compared to the simple "rule".
