Off-network security: From knowing better to doing better

by Robert Houghton
Be the first to comment | I like it!
Tags: asset management, data breach
More »
on this topic
July 8, 2008, 09:33 AM —  Redemtech — 

When Redemtech commissioned the Ponemon Institute to study data breaches last summer, they confirmed something we all probably understood: most breaches result from the loss or theft of a data bearing asset, often a laptop. They also confirmed that a large majority of surveyed companies have existing policies to govern the handling of data bearing equipment once it is taken "off the wire," or off-network. Not anticipated was that a majority of companies report doing nothing to measure or govern the effectiveness of those policies.

These five steps will take you from knowing better to doing better.

Identify a means for measuring and managing
Almost a third of respondents to the Ponemon survey said they would never be able to identify the loss of a data bearing asset -- a legal obligation for privacy regulated companies. Ideally every company will have an inventory database of record for asset management. In fact, many organizations operate from fixed asset ledgers, which are not appropriate tools for managing inventory. Those who lack an accurate asset repository should maintain inventory lists by location and put processes in place for recording additions and decrements to the list. Inventory lists should be routinely verified by physical counts.

Secure idle inventory
Assets at rest are assets at risk, and most losses occur inside company facilities. Allocate a secure area for storing idle inventory. Never stage transitional assets in hallways, conference rooms, or the convenient storage area. Lock them up and update inventory lists to reflect the new location. Take periodic cycle counts of storage areas and be assertive in reconciling discrepancies when they are found.

Encrypt as much as you can
Full data encryption is the best practice for protecting off-network data, but only about 25 percent of companies report that their desktop infrastructures are encrypted. Mixed environments are the most difficult to manage because of the extra care required to segregate encrypted devices from the unencrypted. Note that even encrypted data must be sanitized at end-of-life.

Hold people accountable
The Ponemon study found that most losses resulted not from dishonesty, but from a simple failure to follow established policy. Management must communicate that security is a priority, and must insist that everyone follow established procedures. The keys to real accountability are regular inspection of conformance to procedure and painful personal consequences for anyone who ignores the rules.

Create an audit trail
Humans will inevitably make mistakes, but with adequate documentation, those mistakes -- inventory variances -- can often be corrected. Suspected hardware losses are usually due to simple paperwork errors. When good records allow missing assets to be quickly located, privacy regulated companies can avoid the incredibly expensive process of managing a data breach.

IT organizations that adopt rigorous off-network security discipline, following these five steps, will soon find themselves less vulnerable to data breaches. Getting from knowing better to doing better only takes a little willpower.

Robert Houghton is president of Redemtech, a Columbus-based IT asset recovery firm (www.redemtech.com). He can be reached at (614) 850-3366 or mailto:bhoughto@redemtech.com.

» posted by ITworld staff

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free stuff

Win an Amazon Kindle!
This month's giveaway gadget - Amazon's Kindle - will keep you entertained on the long trip home to visit family and friends over the holidays. Enter the drawing now!

Applied Security Visualization
By Raffael Marty
Published by Addison-Wesley Professional
Learn more!

 

IT Manager's Handbook
By Bill Holtsnider and Brian D. Jaffe
Published by Morgan Kaufmann
Learn more!

 

Windows Vista Resource Kit
By Mitch Tulloch, Tony Northrup, and Jerry Honeycutt
Published by Microsoft Press
Learn more!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
More Resources