Security Basics mailing list archives
RE: Truecrypt
From: "Wicks, James (NBC Universal)" <James.Wicks () nbcuni com>
Date: Fri, 14 Nov 2008 09:34:00 -0500
When it comes to information security in certain companies, sometimes the best approach is to demonstrate benefit instead of explaining it. Set up a test to encrypt the laptops of people that you are friendly with. If all goes well (no performance hits, no user complaints), then go to your leadership team with a deployment plan as well as a cost/benefit analysis.

Explain how the loss of data of one laptop could lead to increased cost for the company. The cost associated with the loss of a laptop can include the man hours associated with having to notify customers that their data was lost and the possible need to buy credit protection for those affected (depending on what state you are in). This does not include the immeasurable costs associated with the loss of confidence that comes with having to publicly report the loss of sensitive data.

Remember that your manager has to answer to another manager or director, so give him/her all of the information that they need to sell your idea to upper management. Also remember that the company is in business to make money, and that any I.T. initiative that does not save money or increase profits has to be presented effectively just to make it past the first round of consideration.

Even though TrueCrypt is free, there are man-hour costs associated with configuring each system as well as the manual management of encryption keys. If key management is going to be a challenge for a mobile workforce, you might want to go with a more enterprise-friendly encryption system like CheckPoint, PGP, Safeboot or Utimaco. Make sure that you have all of that cost information available before going to your manager.

Bottom line, you have a lot of homework to do before you go to your manager. Gather all of your test and cost data. Consider testing your case in front of another IT specialist before presenting it to your manager. That person may be able to challenge you with questions that you can address before your presentation to management.
It sounds like a lot of work for what seems to be an easy answer, but in these challenging economic times, every penny counts. Present an iron-clad case, and your efforts might be more than just getting approval for a good idea. It might lead to a good leadership position down the line.

James Patterson Wicks
Senior Security Analyst - Technology Governance Group - NBC Universal

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Douglas Duckworth
Sent: Thursday, November 13, 2008 2:22 PM
To: security-basics () securityfocus com
Subject: Truecrypt

I've been using Truecrypt on my personal laptop for two months. The entire drive and boot sector are encrypted and I've noticed insignificant performance decreases.

I am going to approach my manager regarding the benefits of this since we have many sites across our Enterprise. We're also in the transportation industry, therefore many of our users travel frequently. Given the number of stolen laptops per year, citing the Dell Study, I believe this is a wise decision.

My question regards how best to approach my manager since the culture amongst our IT department tends to shirk security for convenience or under the naive assumption that we don't hold the most sensitive data! We do not even encrypt our public FTP traffic. This drives me nuts.

Anyway, any advice would be appreciated.

Best,
Doug