funsec mailing list archives

Re: [privacy] 26 IRS Tapes Missing in Kansas City


From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Jan 2007 15:35:24 -0500

On Sat, 20 Jan 2007 21:06:57 EST, Shyaam said:
> forensics". So best is to avoid people storing CONFIDENTIAL data on portable
> devices no matter what their security clearance level is. The other best
> thing is to always track data that goes in and out of the network. The
> next is to not let people whom you don't know into the building
> itself (perimeter) and to restrict people from moving from one department
> floor to the other or something of that sort (perimeter protection). Can't
> these be simple for people to take action on?

The problem is that it's all about *tradeoffs* - yes, you've enumerated the
"best" way to do all that stuff.  The problem is that in trying to *enforce*
that, you end up hitting all these corner cases where implementing proper
security gets in the way of actually getting work done.

For instance - security-wise, it would be "best" if the files that Social
Services has on their clients stay on the central servers.  However, what do
you do if you have a case worker that makes house calls, and having the files
on a laptop where they can reference them while at the site would make things
a lot easier?

What do you do if you have a valued employee who has legitimate reasons to
telecommute?

And so on, in a twisty little maze of corner cases, all different....

And it gets worse - that social worker doesn't understand computer security,
and they don't want to.  They have a Master's in Psychology or some social
science, and *their* job is to make sure that these kids' mom is staying off
crack.  That worker's manager isn't interested either - he's responsible
for making sure as many client moms stay off crack as possible.  You go up
the org chart food chain, and by the time you hit somebody that *might* care
about security, it's probably somebody who doesn't even *know* that social
worker is on the payroll, and is too busy worrying about getting the department
their share of Federal money to think about computer security.

And if you've *ever* put in a temporary firewall rule because something had to
work *this afternoon*, you're just as guilty as that social worker's manager,
who OK'ed putting stuff on laptops because work had to get done *this week*.
More so, because you should know better...

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
