Security Basics mailing list archives

Re: Home laptops on a corporate network


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 8 May 2007 21:13:46 +0200

On 2007-05-08 christopherkelley () hotmail com wrote:
> I'd recommend NOT doing this. Especially if you are trying to comply with
> HIPAA. Keep in mind that you will have little to no management
> capability over these personal laptops, which means you have no ability
> to verify patch level and AV updates on these machines that may have EPHI
> on them. Not to mention the fact that these employees are probably
> taking them home and plugging them into their home networks, where they
> (or their kids) are running bearshare, gnutella, grokster, bittorrent,
> and surfing to unfiltered web sites. Not only does this mean that they
> are potentially exposing critical data in this manner, it also means
> they are bringing potentially infested computers into the soft chewy
> center of your network.

> Whenever you have an employee with a laptop, you create a liability to
> your network; allowing them to use personal laptops presents an even
> bigger liability. IMHO, this level of risk is unacceptable, especially
> from a HIPAA compliance standpoint.

I wholeheartedly second that recommendation. Allowing corporate data on
private computers (or private computers on a corporate network) is a
bad, BAD practice. Never EVER do that. You really want to do the exact
opposite: establish a policy that *prohibits* employees from transferring
corporate data to private computers, and have it signed by each
employee.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
