Security Basics mailing list archives

Re: Physical Security & Protecting Information


From: pablo gietz <pablo.gietz () nuevobersa com ar>
Date: Wed, 19 Mar 2003 12:56:01 -0300

Hi discipulus

I suggest you read the "Orange Book" and find the category of operating system that meets your needs (B1, for example). Then, if you are a parent of Saruman (Lord of the Rings), you may find that OS.

Seriously, you may put some dumb terminals like NET PCs in the most risky sectors. Also, for confidential documents you must search for a tool like a specialized browser with neither print nor save-file capabilities and a corresponding server with encryption which serves this kind of file. This kind of tool may be developed without much effort.

Sorry for my bad English.




discipulus wrote:

Hi, I've read a lot of posts on this list and others and a good deal of security related articles on this site and others like http://www.sans.org and http://www.cert.org. Most of what I have read focuses on network and/or computer security but I haven't found very much information that focuses on physical security, specifically in the area of protecting confidential proprietary company information. Here's a scenario that should clarify what I'm trying to explain:

Bob who works as a developer for StealOurStuff inc. tells Mary in the next cube that he's had a job offer from a competitor, plans to quit soon but hasn't told anybody. In the afternoon the following day, Mary notices Bob loading up a box with CDs, floppies and other media, including reams of documentation. She also notices Bob loading this box into the trunk of his car at the end of the day.

What can be done to keep this type of potential compromise from happening? From my perspective, even if you have armed security guards that check bags & boxes going in and out of a building, people can still find creative or not so creative ways to get it out. A standard CD isn't that big and flash cards are even smaller. Are there ways to keep someone from getting the information in the first place or at least record what they've obtained? How do you do this when they haven't yet provided notice they are leaving and still have access to loads of confidential information?

I've read about corporate espionage cases where a perpetrator at one company busts into the network of another company and stumbles into a directory named "Proposals" of all things, but employees who walk out the front doors carrying protected information seem just as damaging or more so to me.

Any insight would be appreciated.

Thanks




--
Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Tel.: 0343 - 4201351


