Re: Physical Security & Protecting Information

[Todd <tod () megachump com>]

I would make sure that HR and Legal have armed themself with a signed confidentiality agreement from all employees, 
vendors, and contractors(include something about intellectual property rights). Ensure they make it part of the new 
employee orientation process and a reminder upon the termination/exit of an employee. 

Also, confirm existence of copyright notices in source code, clear audit trails and custodial efforts for any media in 
hardcopy of paper or disc are a standard policy and part of regular auditing. Try to get this in your security policy 
and endorsed by upper management to keep line managers as sole heirs of responsibility in this task.

Finally, keep a good awareness program.  Remind end-users that security is best served through their diligence and 
reporting of suspicious activities.  Also, try to remind upper management by sending them occassional articles on same.

Hope that gives you somewhere to start.
 
--
Todd Plesco

On Wed, Mar 12, 2003 at 08:13:44PM -0700, discipulus wrote:
> Hi, 
>  
> I've read a lot of posts on this list and others and a good deal of 
> security related articles on this site and others like http://www.sans.org 
> and http://www.cert.org  Most of what I have read focuses on network 
> and/or computer security but I haven't found very much information that 
> focuses on physical security, specifically in the area of protecting 
> confidential proprietary company information. 
>  
> Here's a scenerio that should clarify what I'm trying to explain: 
>  
> Bob who works as a developer for StealOurStuff inc. tells Mary in 
> the next cube that he's had a job offer from a competitor, plans to 
> quit soon but hasn't told anybody.  In the afternoon the following day, 
> Mary notices Bob loading up a box with CDs, floppies and other media, 
> including reams of documentation.  She also notices Bob loading this 
> box into the trunk of his car at the end of the day. 
>  
> What can be done to keep this type of potential compromise from 
> happening?  From my perspective, even if you have armed  
> security guards that check bags & boxes going in and out of a 
> building, people can still find creative or not so creative ways to 
> get it out.  A standard CD isn't that big and flash cards are even 
> smaller.  Are there ways to keep someone from getting the information 
> in the first place or at least record what they've obtained?  How
> do you do this when they haven't yet provided notice they are
> leaving and still have access to loads of confidential information?
>  
> I've read about corporate espionage cases where a perpetrator 
> at one company busts into the network of another company and 
> stumbles into a directory named "Proposals" of all things but 
> employees who walk out the front doors carrying protected information 
> seems just as damaging or more so to me.
>
> Any insight would be appreciated.
>
> Thanks

-- 
Todd
tod () megachump com