Security Basics mailing list archives

Re: Physical Security & Protecting Information


From: discipulus <discipulus () attbi com>
Date: Mon, 17 Mar 2003 06:05:46 -0700

I wish to thank you all for your informative responses.

It doesn't appear that there is any easy way to effectively police
something like this but like a lot of vulnerabilities, the goal isn't
to eliminate but to minimize by making it extremely difficult for
someone to exploit.

In a world where worms/viruses and external attacks garner most
of the attention, I feel that an equal amount should focus on the 
protection of information through implementation and use of good
physical security policy and procedures.  I also think that one
key strategy is education and involvement at all levels through the
use of an effective security awareness program.

Thanks again..

-D



On Wednesday 12 March 2003 08:13 pm, discipulus scribbled:
Hi,

I've read a lot of posts on this list and others and a good deal of
security-related articles on this site and others like http://www.sans.org
and http://www.cert.org. Most of what I have read focuses on network
and/or computer security but I haven't found very much information that
focuses on physical security, specifically in the area of protecting
confidential proprietary company information.

Here's a scenario that should clarify what I'm trying to explain:

Bob who works as a developer for StealOurStuff inc. tells Mary in
the next cube that he's had a job offer from a competitor, plans to
quit soon but hasn't told anybody.  In the afternoon the following day,
Mary notices Bob loading up a box with CDs, floppies and other media,
including reams of documentation.  She also notices Bob loading this
box into the trunk of his car at the end of the day.

What can be done to keep this type of potential compromise from
happening?  From my perspective, even if you have armed
security guards that check bags & boxes going in and out of a
building, people can still find creative or not so creative ways to
get it out.  A standard CD isn't that big and flash cards are even
smaller.  Are there ways to keep someone from getting the information
in the first place or at least record what they've obtained?  How
do you do this when they haven't yet provided notice they are
leaving and still have access to loads of confidential information?

I've read about corporate espionage cases where a perpetrator
at one company busts into the network of another company and
stumbles into a directory named "Proposals" of all things but
employees who walk out the front doors carrying protected information
seem just as damaging or more so to me.

Any insight would be appreciated.

Thanks

