Protecting IT assets............................................................................
As the means to carry information have evolved to include devices such as
cell phones, BlackBerries, laptops, jump drives, and so on, controlling whether
someone can walk away with sensitive information is something of a whole
new world. It’s not enough to simply restrict access to the building, but to
consider that even a properly credentialed employee could load work-related
information onto a jump drive or laptop and have it stolen or misplace it.
In a perfect world, every access point in the network would recognize when a
foreign device has been connected to it. This may be accomplished when a
device is connected directly to the network, for example the system would
recognize a jump drive has been connected and would issue a report and/or
require a password in order for data to be downloaded.
Also, because certain types of information have been given a high value, there
could be a lock preventing, say, CAD designs (intellectual property) or Social
Security numbers from being downloaded to any mobile device. This lock
could also prevent data from coming into a database storing this information
so that the information’s integrity would not be compromised.
However, frequently, authorized employees download information onto a
laptop. You may want them to be able to do that, but you would also want to
prevent a jump drive or other device from being able to attach to the laptop.
Further, with RFID (Radio Frequency Identification) tags, it would be possible
to monitor whether laptops leave their assigned workstations and even if
someone walks out the front door with them. It could also be possible to place
a chip on the laptop that wipes it clean should it move from a certain area.
As cell phones have gone from a means to communicate to data carrying and
management tools (smart phones), they also represent a risk. Therefore,
countermeasures such as requiring passwords for phones every 10 to 20 min-
utes could prevent a misplaced or stolen phone from being used for access to
all kinds of data. The same holds true for BlackBerries and any other mobile
devices employees use to do their jobs.
In general, it is important to seek out solutions that enforce guidelines no
matter what technology is in use. For example, if a foreign device is trying
to download information, it should be noticed and prevented from doing so.
Uploading information should also be monitored, so that when the next pro-
tocol arrives (like BitTorrent) or the next Web 2.0 innovation arrives (such as
wikis), data leaving the network this way is monitored as well.
Although technology can help with some of these issues, strong IT governance
must align with these goals. For example, there should be policies surround-
ing the use of passwords, restrictions on USB usage, restricting where assets