EXPERT RESPONSE
Unfortunately, it's impossible to draw a line that works for every organization. Choosing between security and business functionality has always been a struggle and it is up to the security officer, or whoever has been delegated this type of position, to decide what is best for the organization. There will be times when security needs outweigh business functionality needs and vice versa.
However, here are three steps to help you.
-
Examine what regulations you must comply with and how the methods used to transfer sensitive data can make your organization non-compliant. This will put you in a better position to "lay down the law" and obtain the necessary funding from management.
Each of the following regulations has to secure some type of sensitive data. While none of them specifically require protection of removable devices, if sensitive data resides on these devices then they fall under the requirements of these regulations.
- Health Information Portability and Accountability Act (HIPAA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
- Sarbanes-Oxley Act (SOX)
- SEC Rule 17a
- Learn what sensitive data your users can access and potentially remove. Most environments have sensitive data transferred throughout the network and in too many accessible places. Centralize the organization's sensitive data in one or two locations, and encrypt it while at rest and in transit.
- Finally, implement strong access controls on the central locations where the data resides.
Unfortunately, for most employees to do their work, you will need to allow sensitive data to reside in more places than you would prefer – as in user workstations and laptops. In this type of situation most organizations cannot ban the use of removable storage devices. To ensure sensitive data is properly protected, implement a product that controls how removable storage devices are used and monitor the type of data saved to these devices. Many of these products allow you to develop a "white list" of devices that are allowed. All other devices on the "black list" are disabled. Finally, consider implementing an encryption mechanism and password protection for the removable storage devices. Some of these products provide these options.
Here are some vendors that provide these product types. (Note: I have not tested them and am not promoting them, however they may be helpful.)
http://www.pointsec.com/
http://www.securewave.com/home.jsp
http://www.gfi.com/endpointsecurity/
http://www.devicewall.com/?gclid=CJSu8byCnoYCFSA7SgodMwnkug
http://www.trigeo.com/products/usbdefender/
http://www.reflex-magnetics.com/products/disknetpro/
It is true that removable devices usually fly under the security radar. This is because security teams are too busy attempting to secure the more traditional methods used for data transfer, and removable storage devices have not fully hit the consciousness of those responsible for securing sensitive data, yet. Do not overlook PDAs, digital cameras, smartphones, Bluetooth and infrared devices. These are all potential points of danger; all allow data into and out of your environment, and must be properly identified and controlled.
It is also necessary to make users accountable for their actions. This is where most organizations fall short. Integrate removable storage risks into your security policy. Provide configuration standards for the type of product you choose to purchase and implement. Integrate these types of risks into your security awareness training programs and when people do not do as they are told, management should hold them accountable and potentially make an example out of them. Sadly, users will usually ignore the rules unless the rules are accompanied with repercussions. Since organizations can now get hit with penalties themselves (SOX, GLBA, HIPAA, Privacy laws, etc.) users need to be forced to act responsibly.
More Information
Learn how to encrypt and password-protect removable storage devices.
Learn how to safeguard stored data.
|
