Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and offered for sale on those wonderful flash drives that we love so much.
I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.
For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it, their username must be withdrawn or their access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those should be curtailed again as soon as the project is finished.
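The leaver, mover and expired-project cases above are exactly what a periodic access review should catch. The script below is an added illustration written for this post, not anything the author published: it reconciles a constructed HR roster against a constructed list of entitlements and reports every grant that the rules in the paragraph say should already have been revoked. The usernames, resources, departments and dates are all invented sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (not from the post): an HR roster and an
# entitlement export of the kind an access review works from.

@dataclass(frozen=True)
class Person:
    username: str
    department: str
    left_on: Optional[date]        # None while still employed

@dataclass(frozen=True)
class Grant:
    username: str
    resource: str
    granted_for: str               # owning department, or a project name
    expires_on: Optional[date]     # None for standing departmental access

ROSTER = {
    p.username: p for p in [
        Person("alice", "finance", None),
        Person("bob", "logistics", None),
        Person("carol", "finance", date(2006, 1, 31)),   # leaver
        Person("dave", "ops", None),                       # moved finance -> ops
    ]
}

GRANTS = [
    Grant("alice", "payroll-share", "finance", None),
    Grant("bob", "supply-db", "logistics", None),
    Grant("carol", "payroll-share", "finance", None),               # leaver still has access
    Grant("dave", "payroll-share", "finance", None),                # mover kept old rights
    Grant("bob", "audit-archive", "project-x", date(2006, 3, 31)),  # time-boxed project grant
    Grant("erin", "supply-db", "logistics", None),                  # username with no HR record
]

def review_access(roster, grants, today):
    """Return (grant, reason) pairs for every entitlement that should be revoked."""
    findings = []
    for g in grants:
        person = roster.get(g.username)
        if person is None:
            # An account nobody in HR can vouch for is the first thing to remove.
            findings.append((g, "no HR record for username"))
        elif person.left_on is not None and person.left_on <= today:
            # Leaver: every grant goes, regardless of what it was for.
            findings.append((g, f"user left on {person.left_on.isoformat()}"))
        elif g.expires_on is not None and g.expires_on < today:
            # Project access that outlived the project.
            findings.append((g, f"project access expired on {g.expires_on.isoformat()}"))
        elif g.expires_on is None and g.granted_for != person.department:
            # Mover: standing departmental rights that no longer match the job.
            findings.append((g, f"standing grant for {g.granted_for} but user now in {person.department}"))
    return findings

def review_report(today_iso):
    """Run the review for an ISO date and return plain (username, resource, reason) tuples."""
    today = date.fromisoformat(today_iso)
    return [(g.username, g.resource, reason) for g, reason in review_access(ROSTER, GRANTS, today)]

if __name__ == "__main__":
    for username, resource, reason in review_report("2006-04-15"):
        print(f"REVOKE {username:6} {resource:14} {reason}")
```

Run against the sample data on 2006-04-15 it flags four grants (the leaver, the mover, the lapsed project grant and the orphaned username) and leaves the two legitimate ones alone; feeding it a real HR export and an entitlement dump from the directory is the only change needed to make it a monthly control.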
That might not prove popular, but it is part of the ‘soft skills’ requirements of modern IT managers to be able to sell their policies as well as implement them. They need to be able to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO – investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)
It is also essential to have in place clear user agreements and acceptable use policies: (a) to ensure that employees understand what is expected of them, and (b) to provide a basis for taking legal action against them if they flout them. These measures should include explicit instructions not to remove data without authorization and various other measures to safeguard the integrity of the system.
I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!