Security Basics mailing list archives
Re: Physical Security & Protecting Information
From: A B <hadavidi () yahoo com>
Date: 14 Mar 2003 19:14:22 -0000
In-Reply-To: <200303122013.44431.discipulus () attbi com>

Hi

While it is hard (if not impossible) to stop such thefts, a lot depends on your threat analysis and risk assessment. It is not clear from your mail about the industry you are in and what your management's perspectives are regarding this issue. A lot also depends on the premium the management is ready to put for your information.

In my organization, some of the departments have removed floppy drives/No CD-RW/No Zip Drives from their systems. They also have a clear policy that requires the employees to get appropriate permissions before attaching any external storage devices. So any violation of this policy is subject to disciplinary action. Of course, alternate arrangements have to be made to ensure that work flow is not impeded.

Does this stop incidents such as those described in your mail? Definitely not. But it goes a long way in raising the bar and if you are liable for the information you hold, well the due diligence will definitely save you in the court of law.

My .01 cent

Cheers
From: discipulus <discipulus () attbi com>
To: security-basics () securityfocus com
Subject: Physical Security & Protecting Information
Date: Wed, 12 Mar 2003 20:13:44 -0700

Hi,

I've read a lot of posts on this list and others and a good deal of security related articles on this site and others like http://www.sans.org and http://www.cert.org. Most of what I have read focuses on network and/or computer security but I haven't found very much information that focuses on physical security, specifically in the area of protecting confidential proprietary company information.

Here's a scenario that should clarify what I'm trying to explain:

Bob who works as a developer for StealOurStuff inc. tells Mary in the next cube that he's had a job offer from a competitor, plans to quit soon but hasn't told anybody. In the afternoon the following day, Mary notices Bob loading up a box with CDs, floppies and other media, including reams of documentation. She also notices Bob loading this box into the trunk of his car at the end of the day.

What can be done to keep this type of potential compromise from happening? From my perspective, even if you have armed security guards that check bags & boxes going in and out of a building, people can still find creative or not so creative ways to get it out. A standard CD isn't that big and flash cards are even smaller. Are there ways to keep someone from getting the information in the first place or at least record what they've obtained? How do you do this when they haven't yet provided notice they are leaving and still have access to loads of confidential information?

I've read about corporate espionage cases where a perpetrator at one company busts into the network of another company and stumbles into a directory named "Proposals" of all things but employees who walk out the front doors carrying protected information seems just as damaging or more so to me. Any insight would be appreciated.

Thanks