<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Blog &#187; data theft</title>
	<atom:link href="http://blog.securstar.com/tag/data-theft/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securstar.com</link>
	<description>SecurStar - Security at it&#039;s highest level</description>
	<lastBuildDate>Mon, 19 Oct 2009 10:51:18 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/</link>
		<comments>http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/#comments</comments>
		<pubDate>Sat, 19 Sep 2009 11:35:38 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=98</guid>
		<description><![CDATA[(Week 3 of 4)
by Michael McKinzie, CISSP
Last week we talked about data classification, policies and restrictions. My conclusion is that it is very difficult for organizations to fully implement a broad restriction of access to personal-use sites such as social networking sites, webmail, blogs, YouTube etc. Although many tools exist to help enforce [...]]]></description>
			<content:encoded><![CDATA[<p>(Week 3 of 4)<br />
by Michael McKinzie, CISSP</p>
<p>Last week we talked about data classification, policies and restrictions. My conclusion is that it is very difficult for organizations to fully implement a broad restriction of access to personal-use sites such as social networking sites, webmail, blogs, YouTube etc. Although many tools exist to help enforce this policy on the LAN or corporate network, users may simply use their Internet-enabled phone/smartphone to access these sites, undetected by IT security.</p>
<p>If the organization allows synchronization of email, calendars, notes, documents or files, or perhaps even hosts an extranet service such as a CRM application accessible to the mobile sales force, it is important to know the type and class of the data being shared. Mobile phones may introduce a new risk of compromising sensitive data, one which may not be as easy to control as implementing a gateway system or an access control list. Should the organization have the ability to control personal devices or restrict what users can do on them? It is probably not realistic to tell users they cannot bring their mobile phones to work, in case they have a personal or family emergency or want to make a personal call during a break or lunchtime. Perhaps an approach of limited use would provide better controls to monitor use, versus users turning to alternatives such as their smartphones. I attended a concert recently where they said no cameras were allowed. I wondered how it would be enforced, since virtually all new-generation phones have an integrated camera; they did not confiscate my phone. Maybe if I had tried to march in with a high-end SLR, I would have had a problem. What type of risk does this present to organizations? (Maybe another entire discussion.)</p>
<p><strong>As a former security consultant, I used the following trust and operations model. </strong></p>
<p>1)	Relied on managers and Human Resources (HR) for employee background checks and screening.<br />
2)	Provided network and data access based on job roles and responsibilities; enabled a higher level of auditing/logging for the first 90 days for all new users to monitor activity.<br />
3)	If a user had a high level of access to customer records, financial data or HR, verbose logging was enabled on the systems and reports were provided to the user’s manager on a periodic basis for review.<br />
4)	Implemented security infrastructure and policies, using BS17799/ISO17799 as a guide; all users signed a computer use (zero tolerance) agreement as part of the hiring process.<br />
5)	Promoted awareness/best practices through emails, meetings and lunch-n-learns. Encouraged users to report suspicious behavior.<br />
6)	Ensured a balance of security and usability, e.g. when a user visits a site considered non-work related (webmail), a warning message appears notifying them that they are being monitored, but they can click through to continue. A simple but effective reminder not to spend too much time on non-work related sites.</p>
<p>So, simply put: establish a trust baseline, but restrict users from roaming servers and data they have no reason to access. You would think most admins would naturally do this, but after countless audits and vulnerability assessments there would almost always be a case of users having access to resources which were not necessary.</p>
<p><img src="http://blog.securstar.com/wp-content/uploads/2009/09/quote_week3_securityblog.jpg" alt="quote_week3_securityblog" title="quote_week3_securityblog" width="590" class="aligncenter size-full wp-image-105" /></p>
<p>I believe this is a result of IT not having intimate knowledge of department application servers, of initiatives which did not involve IT, or of job changes, promotions etc., where the user is “grandfathered” in with the original access rights and new permissions are simply added. Smaller organizations tend to have a flat and open system where many users have full access. The receptionist may handle the bookkeeping and customer service, and their IT department is most likely an independent computer consultant who wants to ensure productivity while security is sidetracked. In my opinion the small business owner’s data is no less important than a larger organization’s data, so security should be woven into any IT deployment of hardware, software and assignment of users’ rights.</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1.	How do you segregate resources? Roles, responsibilities, other?<br />
2.	Do you think soft policies/reminders are an effective approach for non-work use of IT resources? Any experiences you can share?<br />
3.	Should organizations have a policy covering personal devices such as smartphones, personal voice recorders etc.? How would you enforce it?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/</link>
		<comments>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/#comments</comments>
		<pubDate>Thu, 27 Aug 2009 19:02:52 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=80</guid>
		<description><![CDATA[So where do we practically begin? Does the organization know what its sensitive data is and how it is classified, where it resides, how it travels through business processes, and how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal-use site, does any information or data downloaded belong to the organization? ]]></description>
			<content:encoded><![CDATA[<p>(Week 2 of 4)<br />
by Michael McKinzie, CISSP</p>
<p>Building on my post from last week, I want to invoke thought about how you, as an individual or on behalf of your organization, approach data loss prevention (DLP). I used the example of the way we (generally speaking) expect and rely on our financial institutions to keep our money safe and accurately accounted for, but I also mentioned the expectations banks and institutions place on users and consumers. If we apply this same model to computer use, it is a form of privileged system model (authentication and permissions), i.e. proper authentication to access resources, and permission-based rules to govern activities, just as the bank controls access to accounts. </p>
<p>The challenge remains that there are constant threats to our data from vectors such as misuse, social networks, theft, lost devices, malware, viruses, Trojans, botnets, social engineering, integrated business partners, outsourcing etc. IT administrators adhering to best practices are vigilant in protecting data but are required to balance it with usability for businesses to remain productive and competitive. Businesses continue to rely on faster and broader communications, and data security is often perceived as a hindrance. </p>
<p><em>“Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.”</em> – <strong>CIO Magazine</strong></p>
<p>So where do we practically begin? Does the organization know what its sensitive data is and how it is classified, where it resides, how it travels through business processes, and how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal-use site, does any information or data downloaded belong to the organization? Does the company have a legal obligation to protect it? Should the company control the user’s content? Do they have a legal obligation to do so in order to protect company or customer information and interests? </p>
<p>How do we classify data? These are the questions and challenges often facing organizations on a daily basis. Is it practical to just restrict access? Perhaps sales and marketing or the executives of the company have specific needs requiring access? Maybe the company promotes control versus broad restrictions? I don’t have answers to all of these questions, nor do I believe there is a simple answer which applies to all organizations. How do you approach it?</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1. Do you think it is important to classify data formally? If so, have you done this and what was your experience?</p>
<p>2. What do you think is the largest threat to your confidential data? Users, malicious attacks, social networks, data leakage via lost or stolen devices etc.</p>
<p>3. Do you or your organization promote control over broad restriction policies, or how do you determine the best practice? e.g. restricting or blocking webmail and social networking sites versus providing limited access with monitoring.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

