Security Basics mailing list archives

RE: Truecrypt


From: "Wicks, James (NBC Universal)" <James.Wicks () nbcuni com>
Date: Fri, 14 Nov 2008 09:34:00 -0500

When it comes to information security in certain companies, sometimes the
best approach is to demonstrate benefit instead of explaining it.  Set up a
test to encrypt the laptops of people that you are friendly with.  If all
goes well (no performance hits, no user complaints), then go to your
leadership team with a deployment plan as well as a cost/benefit analysis.
Explain how the loss of data of one laptop could lead to increased cost for
the company.  The cost associated with the loss of a laptop can include the
man hours associated with having to notify customers that their data was
lost and the possible need to buy credit protection for those affected
(depending on what state you are in).  This does not include the
immeasurable costs associated with the loss of confidence that comes with
having to publicly report the loss of sensitive data.

Remember that your manager has to answer to another manager or director, so
give him/her all of the information that they need to sell your idea to
upper management.  Also remember that the company is in business to make
money, and that any I.T. initiative that does not save money or increase
profits has to be presented effectively just to make it past the first round
of consideration.  Even though TrueCrypt is free, there are man-hour costs
associated with configuring each system as well as the manual management of
encryption keys.  If key management is going to be a challenge for a mobile
workforce, you might want to go with a more enterprise-friendly encryption
system like CheckPoint, PGP, Safeboot or Utimaco.  Make sure that you have
all of that cost information available before going to your manager.

Bottom line, you have a lot of homework to do before you go to your manager.
Gather all of your test and cost data.  Consider testing your case in front
of another IT specialist before presenting it to your manager.  That person
may be able to challenge you with questions that you can address before your
presentation to management.  It sounds like a lot of work for what seems to
be an easy answer, but in these challenging economic times, every penny
counts.  Present an iron-clad case, and your efforts might be more than just
getting approval for a good idea.  It might lead to a good leadership position
down the line.
 
 
James Patterson Wicks
Senior Security Analyst - Technology Governance Group - NBC Universal 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Douglas Duckworth
Sent: Thursday, November 13, 2008 2:22 PM
To: security-basics () securityfocus com
Subject: Truecrypt

I've been using Truecrypt on my personal laptop for two months.  The 
entire drive and boot sector are encrypted and I've noticed 
insignificant performance decreases.  I am going to approach my manager 
regarding the benefits of this since we have many sites across our 
Enterprise.  We're also in the transportation industry therefore many of 
our users travel frequently.  Given the number of stolen laptops per 
year, citing the Dell Study, I believe this is a wise decision. 

My question regards how best to approach my manager since the culture 
amongst our IT department tends to shirk security for convenience or 
under the naive assumption that we don't hold the most sensitive data!  
We do not even encrypt our public FTP traffic.  This drives me nuts.

Anyway any advice would be appreciated.

Best,
Doug
