funsec mailing list archives

Re: [privacy] 26 IRS Tapes Missing in Kansas City


From: Shyaam <shyaam () gmail com>
Date: Mon, 22 Jan 2007 15:45:33 -0500

Thanks a lot for listing these, Mr. Valdis. I really did not think of these cases
when listing. I am lacking in looking at every aspect. My knowledge is
limited, but I really do understand the different ways to look into things
from different angles from your response. Well, yes, it is always a trade-off,
and nothing has a perfect answer in such scenarios. I wouldn't agree
that I gave the "best" list after seeing your response, which had scenarios
that I did not even consider :-).

Thanks a lot once again.
Kind Regards,
Shyaam

On 1/22/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

On Sat, 20 Jan 2007 21:06:57 EST, Shyaam said:
> forensics". So best is to avoid people storing CONFIDENTIAL data on portable
> devices no matter what their security clearance level is. The other best
> thing is to always track data that goes in and out of the network. The
> next is to not let people whom you don't know into the building
> itself (perimeter) and to restrict people from moving from one department
> floor to the other or something of that sort (perimeter protection). Can't
> these be simple for people to take action on?

The problem is that it's all about *tradeoffs* - yes, you've enumerated the
"best" way to do all that stuff.  The problem is that in trying to *enforce*
that, you end up hitting all these corner cases where implementing proper
security gets in the way of actually getting work done.

For instance - security-wise, it would be "best" if the files that Social
Services has on their clients stay on the central servers.  However, what do
you do if you have a case worker that makes house calls, and having the files
on a laptop where they can reference them while at the site would make things
a lot easier?

What do you do if you have a valued employee who has legitimate reasons to
telecommute?

And so on, in a twisty little maze of corner cases, all different....

And it gets worse - that social worker doesn't understand computer security,
and they don't want to.  They have a Master's in Psychology or some social
science, and *their* job is to make sure that these kids' mom is staying off
crack.  That worker's manager isn't interested either - he's responsible
for making sure as many client moms stay off crack as possible.  You go up
the org chart food chain, and by the time you hit somebody that *might* care
about security, it's probably somebody who doesn't even *know* that social
worker is on the payroll, and is too busy worrying about getting the department
their share of Federal money to think about computer security.

And if you've *ever* put in a temporary firewall rule because something had to
work *this afternoon*, you're just as guilty as that social worker's manager,
who OK'ed putting stuff on laptops because work had to get done *this week*.
More so, because you should know better...

--
Thank you in advance for your time and consideration.
Shyaam Sundhar R.S., GREM, GHTQ, GWAS
_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy