Originally posted here by nihil
Hi prana0777

The basic problem that you have is that there is no definition of "sensitive", so this "policy" is useless.

"Sensitive" is NOT defined by people in IT, it is defined by your CEO/CFO and the like. They will have to define it rigorously.

IT can advise as to information that is required to be protected by law, and that is about it.

There should not be any "secret" information on laptops, and if you do have some information of a critical nature on a local machine, it should be a TEMPORARY state of affairs. That is what you use removable hard drives for.

Everything else should be on your servers and perhaps even a secure network such as we use in the defence industry.

Obviously, you are a commercial organisation, so your Directors/Vice Presidents and the like are responsible for the definitions, where they are not prescribed by law (Sarbanes-Oxley, HIPAA, etc.).

The ruling makes considerable sense, as in the Defence, Armaments and National Security sectors, you have a "secure" and a "general" network. Devices that connect to one are NOT permitted to connect to the other, for obvious reasons.

I suspect that this is where the concept may have come from?

EDIT: Moved from computer forensics.
You are correct about sensitive data being housed there for temporary storage. The issue is how to secure the data and mitigate risk. Some laptops, such as the IBM T series, come with an embedded encryption chip. This, plus Mobile Guardian perhaps on the laptop drive, and one has a very securely encrypted hard drive. Also, removable drive data is obviously also encrypted.

Also agree with the CFO/CEO issue. Perhaps prana should check on ISO/IEC 17799 and/or 27001, and perhaps aligning COBIT and ITIL. Processes and policy underpin everything.

Also, then, as stated in the above quote, the regulatory requirements. Do you have a policy that states no computer may be connected to more than 1 network at the same time (except where applicable, such as NAT or a gateway/proxy) or cause a bridged network, or so?

Remember also that policy must align to process. Otherwise you will have a skewed process or an unenforceable policy, as it inadequately or incorrectly defines and addresses risk and business process.