funsec mailing list archives
Re: [privacy] 26 IRS Tapes Missing in Kansas City
From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Jan 2007 15:35:24 -0500
On Sat, 20 Jan 2007 21:06:57 EST, Shyaam said:
> forensics". So best is to avoid people storing CONFIDENTIAL data on portable devices no matter what their security clearance level is. The other best thing is to always track data that goes in and out of the network. The next is to not let people whom you don't know into the building itself (perimeter) and to restrict people from moving from one department floor to the other or something of that sort (perimeter protection). Can't these be simple for people to take action on?
The problem is that it's all about *tradeoffs* - yes, you've enumerated the "best" way to do all that stuff. The problem is that in trying to *enforce* that, you end up hitting all these corner cases where implementing proper security gets in the way of actually getting work done.

For instance - security-wise, it would be "best" if the files that Social Services has on their clients stay on the central servers. However, what do you do if you have a case worker that makes house calls, and having the files on a laptop where they can reference them while at the site would make things a lot easier? What do you do if you have a valued employee who has legitimate reasons to telecommute? And so on, in a twisty little maze of corner cases, all different....

And it gets worse - that social worker doesn't understand computer security, and they don't want to. They have a Master's in Psychology or some social science, and *their* job is to make sure that these kids' mom is staying off crack. That worker's manager isn't interested either - he's responsible for making sure as many client moms stay off crack as possible. You go up the org chart food chain, and by the time you hit somebody that *might* care about security, it's probably somebody who doesn't even *know* that social worker is on the payroll, and is too busy worrying about getting the department their share of Federal money to think about computer security.

And if you've *ever* put in a temporary firewall rule because something had to work *this afternoon*, you're just as guilty as that social worker's manager, who OK'ed putting stuff on laptops because work had to get done *this week*. More so, because you should know better...