Category: Uncategorized

Sure, the extra precautions can be expensive. But they’re simply part of the cost of building a secure facility that also can keep humming through disasters.

Suggestions:
Build on the right spot.
Have redundant utilities.
Pay attention to walls.
Avoid windows.
Keep a 100-foot buffer zone around the site.
Use retractable crash barriers at vehicle entry points.
Limit entry points.
Make fire doors exit only.
Protect the building’s machinery.
Plan for secure air handling.
Ensure nothing can hide in the walls and ceilings.
Use two-factor authentication.
Harden the core with security layers.
Prohibit food in the computer rooms.
Install visitor rest rooms.

http://www.csoonline.com/read/110105/datacenter.html

I would also advise that you don’t organize related systems in nice rows (hortiontal or vertical). It might be convienent but a localized incident could take out a whole critical business solution. So distribute related systems across a data center.

Outside the control of an organisation, such applications can increase the risk of the company network being hit with malicious software, designed to steal data, or worms and viruses that can paralyse company systems.

The influence of major events on the downloading of personal email files to company PCs was also reflected in the amount of respondents -34% – who had opened attachments during this year’s World Cup. The research also highlights a number of areas where unintentionally users could be increasing security risks; 28% of the employees share files with family and friends and 25% allowed others to go online using their work computer, effectively forfeiting control over what is being used on or downloaded to their devices. Just under half said that they connect devices to their computers such as cameras, music players, mobile phone and PDA.

The research also indicates that most users are probably unaware of the risk posed by their behaviour with 90% of those surveyed believing that their work computer is either fairly or very secure, with 67% trusting that their IT department has taken the necessary measures to secure their device against threats.

http://www.it-observer.com/news/6945/security_must_focus_desktop_policy/

I mean, the company policy makes it clear that the computer and network are company property, and that we shouldn’t expect any privacy there.

However, there is a genuine divergence between what companies say and what they do. There is also a divergence between what employees regurgitate about their expectations of privacy (corporate mantra) and how they actually act.

My own answer to the question, “do I have a reasonable expectation of privacy in the workplace?” What we really need to do is better define the scope of that reasonable expectation of privacy. In the course of an average day at work, an employee leaves a great deal of “digital detritus” — a trail of activities. The ownership of these digital records, as well as an employees’ privacy rights with respect to them is not entirely clear under the law. Employers provide employees with a number of tools that leave a digital trail. This may include their computers, email accounts, Internet access, VPN access, regular phone, VOIP service, cell phone, alphanumeric pager, RSA SecurID token, not to mention the video surveillance, and records of badge entry and exit.

Complicating these issues are the questions of ownership, access and rights. For example, an employer may purchase a cell phone for an employee and retain ownership of the phone. Or it may allow the employee to buy the phone, but register it on a corporate plan for service. It may reimburse the employee for all telephone calls made or require the employee to demonstrate the business nature of calls reimbursed. Employees may telecommute from home using either employer or employee supplied equipment.

The Internet connection to the office may be paid for by the employee or the employer. When logging on remotely, does the ISP have any right to monitor content? When a VPN connection is made, who may monitor what happens on the VPN? May your employer burst into your home, seize your personal computer (that you own, but store some of their files on) and take it?

Privacy in the workplace extends beyond the electronic workplace. For example, can your employer read your personal mail, sent to your office address — even if it is marked “personal and confidential — addressee only?” Can your employer videotape you in the office? What about in the restrooms, lounges, parking lots, or in your car?

It’s easy to say that employees have no expectation of privacy, and even to post corporate policies and notices to that effect.

The electronic workplace is no longer just the cubicle, desk or office.

Lance Corporal Jennifer Long was issued a government computer to use on a government military network. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. It noted that while the government said it could monitor, it rarely did. It also noted that the case was initiated when the Marine Corps Criminal Investigative Division (CID) — essentially a law enforcement agency, simply decided to inspect the servers to look for evidence of criminal activity.

You may expect privacy for some purposes (police searches) and not for others (your boss). You don’t leave the laptop lying around in the reception area because, after all, there is noting “private” there. You expect that e-mail will be read by people you send it to, and by others they send it to, by network administrators when necessary in the course of their work, and possibly by counsel or others when needed for business purposes.

It creates some privacy rights, but not with respect to the provider of the network. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

http://www.securityfocus.com/columnists/421?ref=rss

In many enterprises today the task of system management has been outsourced, including the installation and provisioning of employees workstations, with the result that these administrative passwords are controlled by third parties. They can retrieve any file that the end user is working on, and since office documents set up local temporary files, when the user opens a file, it can be accessed by the intruder.

Now you may be reading this and saying “this is just a re-hash of commonly known hacking risks”, and you would be right. But in this case the risk is not the outsider but the insider who is trusted and whose job it is to actually look after your workstation and administer the network. Access to a shared account must be logged so that the individual who requires a particular password should be required to provide a reason, and this request should be authorized — dual control. This is simply common sense advice to any enterprise that values its confidentiality, and is not in the business of unnecessary risk.

The figures showing a decrease of 83% in burglaries in Cleveland, identified that the decrease was a direct result of people taking the advice of the police about proper security measures.

http://www.net-security.org/article.php?id=954&p=1

It was the annual crunch time between Thanksgiving and the new year, and Nuala O’Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer. This was it, the historic report—a 40-page description of what O’Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS’s policies with privacy officers from other countries. Examining the department’s growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration’s passenger screening program. If O’Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn’t letting on. “It’s actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we’re going for the next two, three, four, five years,” says O’Connor Kelly, dashing from one meeting to the next with one of her staff members. “We’re helping fine-tune programs to make better decisions for privacy, and to make better programs themselves. We can be enhancers of the business,” says Nuala O’Connor Kelly, chief privacy officer at the Department of Homeland Security.

At the time, O’Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. Congress’s consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that—depending on how the White House’s Office of Management and Budget interprets it—would create a handful or more of CPOs at federal agencies. These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws.

In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy. “There are some conflicts between the philosophical approaches to the two positions,” says Lynn Mattice, vice president and CSO at Boston Scientific. “The CSO’s responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual’s privacy.

The new position was hailed as a sign that corporate America was going to start paying attention to the privacy of both employee and customer information. That’s because the emergence of the CPO has much in common with that of the CSO. Hiring a CPO became either a regulatory necessity or a way of sticking a flag in the ground that said, “Customer data protected here.” Growing concern about identity theft is bringing privacy to the forefront, and lawmakers are responding.

Meanwhile, the International Association of Privacy Professionals (IAPP), created when Westin’s group merged with another privacy association, has issued the profession’s first certification. Now, she says, “You can add CIPP after my name.” Of course, not all the people earning this certification or serving as privacy officers are true strategic privacy executives—just as not all those with CISSPs, CPPs or the “security officer” moniker are true strategic security executives.

“Nobody yet that I’m aware of is planning the widespread use of these RFID tags on any consumer products, but you still see the concern about tracking consumers by satellite,” says Sandy Hughes, global privacy executive at Procter & Gamble. Hughes is spending a lot of her time these days talking about radio frequency ID tags, or RFIDs.

At E-Loan, an Internet startup that sold $153 million in loans in 2003, CPO Tess Koleczek says she is focused on solutions, not problems. “If something comes up that might compromise our policy, I can’t go in and say, ‘You can’t do that,'” Koleczek says. As with the CSO, the success of the CPO depends on his or her ability to make a business case for the protection of information. “There have been some CPOs who have really done a very good job in showing how privacy affects the bottom line,” says Ari Schwartz, associate director of the Center for Democracy & Technology, a consumer advocacy group.

“You get into a lot of discussions,” acknowledges Boston Scientific’s Mattice, after posing the preceding scenario as an example of the kind of conversation he might have with his legal department over privacy issues. (His inclination, by the way, is that if employees are using company resources, why shouldn’t the company be able to monitor what they’re doing?) “These are business issues, and there’s certainly nothing personal,” he says. I hope they’re not contentious discussions—although I’m very passionate about what I do, and I love to debate.”

But it would be naive to think that such relationships are always harmonious. The fact is: CSOs and CPOs come from very different cultures. While many CSOs have a background in law enforcement, CPOs tend to come up through marketing. The two don’t always see eye to eye. “Security officers are a bit like lawyers in that there’s no piece of information they don’t think they should have,” EPIC’s Perrin says. “They want to know what’s going on. If they have video surveillance tapes, they just want to keep them in case they need to know what’s going on. A privacy person will look at those videotapes more from the individual’s point of view. Security goes in the opposite direction of privacy in many respects.”

Yet many in the privacy community are trying to find common ground between security and privacy, even in these murky spaces. This is especially true in the government, where CPOs find themselves under a steady barrage of attacks from observers who believe that the government is trampling on citizens’ privacy in the name of national security. For instance, much of O’Connor Kelly’s attention in the past year has been on DHS’s controversial US-Visit program, which uses biometric identifiers to screen foreign visitors to the United States.

One thing is certain: going forward, the two executives will continue to be dependent upon each other—however that future may look. “It’s my contention, frankly, that the role of the CPO will transition, and we won’t recognize the CPO of the future in the way we will today,” says Richard Purcell, a former CPO of Microsoft who went on to found a consultancy, the Corporate Privacy Group. “Security and information management and legal compliance will combine into a differently structured role than we see today. This may happen under the umbrella of emerging risk management departments.”

http://www.csoonline.com/read/020105/fivethings.html

Mark Nadeau, director of CRM, explains that APC’s culture is geared toward avoiding failure because its business is selling uninterruptible power supplies. Uninterruptible customer satisfaction–that’s a business every company should be in.

You know customer impact is critical to your company’s strategy, but how do you get there? Force the IT department to take on high-impact projects. Vanguard plots each IT project in one of nine boxes on a grid, with low, medium, and high ratings for client impact and operational impact, meaning increased revenue or lower cost.

Heller sets a goal for what percentage of spending falls in each box and gets a warning on his dashboard if he’s not spending on projects with high client impact.

Knowing that, CIO Catherine Boivie can make a business case to expand the e-claims system by comparing the costs for a system upgrade with the personnel costs for handling claims manually.

EMC wanted to see what effect near-shore contractors would have on an internal project to deploy Automatic Data Processing’s general ledger applications at the company’s offices in Brazil. “The knowledge of local needs, challenges, obstacles are key to the overall success of territory-specific projects,” he says. The lessons learned there are helping determine the mix of in-house and outsourced staffers for other IT initiatives.

Avnet business unit and IT managers jointly prioritize IT projects based on how quickly they can save money or deliver value to the company.

Stuart Madnick, a professor of IT at MIT’s Sloan School of Management, and associates are developing a methodology that compares IT security measures taken by an organization and the perception that employees and managers have of the current state of security. One survey showed a gap of 0.78 on people’s awareness of good security practices and a gap of 1.08 on whether they followed those practices.

Before implementing CMMI, the interface development team’s performance in meeting the model’s best practices was inconsistent. This is a critical issue for Vanguard Group, since the mutual fund company does about 80% of its interactions over the Web. So when it adds a feature, Vanguard tracks how many people start using the feature, how many get through the process, and how many drop out and where.

At Global Crossing, IT staff now accompany salespeople when meeting with customers and prospects. The rationale is that no one is better prepared to explain the company’s IP-based services than the IT experts who are responsible for managing its network. And CIO Dan Wagner isn’t making this some high-minded, fuzzy goal. The tally after the first three quarters of the year: Developers have attended 175 sales calls; operations people, 125 sales calls; and security staffers, 75 sales calls. Global Crossing CIO Wagner calls the new stuff “strategic software development”; Hewlett-Packard CIO Randy Mott refers to it as innovation.

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=193401034