Security Basics mailing list archives

RE: New workplace security measures. Are they usual?


From: <securityfocus () aldomedina com>
Date: Mon, 19 Jul 2010 22:16:55 -0500

I'm two levels below the CEO, so I'm not worried about my personal
activities, but what if I discuss the recruitment or dismissal of some
personnel, the purchase of expensive equipment or other sensitive matters?
Can a fake buy-recommendation come from my PC? Maybe I should reformulate
the question to address how we can trust the informatics personnel? (They're
not specialized information security personnel, just IT engineers who care
for anything computer/electronic related.)

-----Original Message-----
From: Todd Haverkos [mailto:infosec () haverkos com]
Sent: Monday, July 19, 2010 03:31 PM
To: securityfocus () aldomedina com
CC: security-basics () securityfocus com
Subject: Re: New workplace security measures. Are they usual?

<securityfocus () aldomedina com> writes:

> In my new workplace, they recently implemented severe security measures:
> security guards, video cams in every hall, they changed all the BIOS and
> administrator passwords, protected the computers from case-opening, limited
> all the Windows accounts. I assume this is fine (I don't know the Mexican
> law about this).
>
> However, they also installed a VNC server in every computer, and I'm
> concerned because I believe they can fake any file, document or even email
> as if I had written them. They should also be able to see every one of my
> files and communications, even the private ones. Am I alright? Is this
> usual in a work environment? Is this legal in the US or in Mexico?

It's probably safest to assume that any communication on an
employer-owned pc is NOT private.

I don't see anything there that strikes me as unusual for a US
workplace that has adequate security controls.  The choice of VNC
raises my eyebrows a little from a technology selection standpoint, but
some form of remote control is quite common to facilitate support.

"Recently implemented" strikes my ear as a place that's either
recently had an incident, audit, or security review whereby they had
to get religion about security, or a new CISO or equivalent has been
hired to tame the beast.

Employees do have to trust that the information security folks and
support folks with access to such tools on your workstation lack the
time or inclination to go about forging emails as you.

You only have any real worries if you are doing things on (or have
files on) your work computer that you wouldn't want your boss and
boss's boss to know about.  Assume that everything you do can be
monitored at any moment.  I have no experience or knowledge of the
situation in Mexico, but in the US -- and I'll be quick to make clear
that I am not a lawyer -- I've read that there are limits on what an
employer can log/record/monitor[1], but as a general rule, "they
bought it, they own it, you work for them, they can monitor it" is the
thought process. Details vary by state, and by the employment agreement
as well.


[1] http://darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=224201355


--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

