mtg followup

Alvin Oga alvin at Mail.Linux-Consulting.com
Fri Nov 18 01:07:55 PST 2005


hi ya blw..

good talks... the 2 speaker format,
and it's even better with pizza & beer

--- a followup ... ( my dumb ideas )

assuming our jobs, or at least say my job
is to protect corp data, i think it
is fairly simple to take some preventative
steps to prevent unauthorized trade secrets
from leaking out to the world or unknowingly receiving
competitor's secrets 

i typically, list these "security risks" as 
a major problem if the company wants to protect
themself against "oops, we shoulda known better"
after the fact, and at the same time, still be able 
to do productive work without
running into legal issues ( lawyers are expensive )

some of the security risks..
a) create clear and explicit corp security policies
	
b) i disallow dhcp .. i want to know who is using 
   what ip# 

c) i disallow home networks from connecting into
   the local corp lan, because we do not get
   to monitor and secure the employee's home network

d) i disallow wireless ... i think it's too ez to sniff the data

e) i disallow laptops .. there is nothing on an individual's
   laptop that is so important to the company's survival

	- and if it is important, it needs to be backed up
	along with the regular backups ( at night )

	- biggest problems with laptop is it gets 
	lost/stolen and/or the disk crashes, and thus
	a major corp leak of info

	- traveling sales and out-of-office presentations
	is where laptops are useful ... 

f) the company should provide the computer, media, ( disks )
   and laptops .. so they have total control of how its
   used for corp use and can erase and/or maintain it as needed

	- disable things like usb/firewire ports too, 
	otherwise, one is inviting trouble ... and if people 
	like to fiddle and tamper with it, oh well, it'd 
	be time to bring in "the donald"

g) how much info/work is done at home ?? vs the risk
   of loss of trade secrets and important data losses to the company

	- think about how many xxx,xxx of credit card numbers 
	were lost within the last year ... why were the credit card
	numbers on the laptops ?? for what purpose ??

there's obviously an endless list of "how to minimize 
trade secret leakage or 'unknowingly' inheriting trade secrets"
	- there's not many people with photographic memory
	that they can take all that important info out
	if all electronic devices including paper is not
	available to them

if anything goes wrong, guess who gets to stay up
till 3am or 6am to fix the usually avoidable problems during the 
after hours when you'd rather be at the kid's birthday party 
or somewhere else

and yes ... i worked in places that have policy and procedures
that have sensitive areas .. some requiring gov't clearances

	- walk in with empty hands/pockets.. do your magic ...
	then walk out with empty hands/pockets ... 

	- it's nice to see they do not allow laptops/wifi/dhcp ..
	etc, etc ... 

	- but they do allow vpn from home to start/stop/view 
	multi-day weekend jobs on the clusters, oh well, we 
	can't close all the doors/windoze/air-vents

data security with risk analysis is a fun/interesting subject
and highly flammable w/ multiple dozen different solutions

there's no clear answer to keep everybody happy ... 
but there is lots of common sense reasons for both approaches
of allowing and disallowing certain "activities"

...there .. that feels better .. :-)

have fun
alvin




More information about the Baylisa mailing list