Author: admini

“In many cases, it’s an unrecognized security problem,” says Jack Gold, founder of J. Gold Associates, an IT consulting firm. “Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device,” he says.

While relatively few companies are addressing the issue, some have tried solutions ranging from total network lockdowns to requiring the use of encrypted flash drives to ensure that data will at least be safeguarded if it is lost. Although CHS has a “thou shalt not copy” policy regarding the downloading of sensitive information to portable memory devices, Valleau says he isn’t about to ban them, because “some people might need to carry protected medical records from one location of ours to another.” As a result, Valleau is looking at requiring employees to use only new, encrypted flash drives at the 1,000 computer workstations at the firm’s 210 offices around Florida.

Hospitals, which must closely guard patient information under the Health Insurance Portability and Accountability Act, are particularly concerned about flash drives.

Gower, vice president of information systems at Martin, Fletcher & Associates uses network-control software to limit both the type of content users can view and the time of day they can see it. Her company totally prohibits employees other than managers from copying data by limiting the network’s ability to write to portable storage devices. “The way we’ve got the network set up, employees can’t plug PDAs, smart phones, flash drives or USB hard drives into the network. “I have no doubt that, with all these portable memory devices in the workplace, there will be a federal privacy compliance breach in the next year.”

First line of defense: Establish a portable-device policy and educate users about it. Second line of defense: Network management tools, used by less than 5 percent of corporations, can restrict network access by individual, workstation or type of device. Third line of defense: Dismiss employees caught.

http://www.computerworld.com.au/index.php/id;1698947885;fp;16;fpid;0

Rather than trying to anticipate a new regulation, it’s better for companies to treat regulation as one more factor in an overall risk portfolio, Heiser said.

From its latest data, Gartner expects information security budgets to increase 4.5 percent over the next year.

Wheatman said companies have shown success in negotiations with security vendors in getting, for example, antispyware included with antispam and antivirus software instead of paying extra. Antivirus software represented 54.3 percent of the revenue, at $4 billion.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9003402