Category: Uncategorized

With the blessing of top management, security looked at the entire supply chain and made some discoveries that were not apparent to individual managers.

Voice of the Customer (VOC) VOC is the process used to determine the needs of the customer, aimed at improving the customer experience and increasing loyalty. “Voice of the Customer forces you to leave the ivory tower and reach out and interface with your customers,” explains Greg Avesian, vice president of enterprise IT security at Textron. Following VOC’s directives to interface directly and frequently with the customer (Avesian meets formally with business unit CIOs every quarter, for example) ensures that security’s focus is on servicing the business units rather than guarding the bits and bytes, he says.

Failure Modes and Effects Analysis (FMEA) The FMEA procedure aims to identify every possible way in which a process or product might fail, rank on a scale of one to 10 those possible failures and probable causes, and prioritize solutions. “For security, the twist would be to say not just how could a given step fail, but how can we make it fail, how can we force it to fail?”

http://www.csoonline.com/read/120106/fea_six_sigma.html

This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.

http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf

Sure, the extra precautions can be expensive. But they’re simply part of the cost of building a secure facility that also can keep humming through disasters.

Suggestions:
Build on the right spot.
Have redundant utilities.
Pay attention to walls.
Avoid windows.
Keep a 100-foot buffer zone around the site.
Use retractable crash barriers at vehicle entry points.
Limit entry points.
Make fire doors exit only.
Protect the building’s machinery.
Plan for secure air handling.
Ensure nothing can hide in the walls and ceilings.
Use two-factor authentication.
Harden the core with security layers.
Prohibit food in the computer rooms.
Install visitor rest rooms.

http://www.csoonline.com/read/110105/datacenter.html

I would also advise that you don’t organize related systems in nice rows (hortiontal or vertical). It might be convienent but a localized incident could take out a whole critical business solution. So distribute related systems across a data center.

Outside the control of an organisation, such applications can increase the risk of the company network being hit with malicious software, designed to steal data, or worms and viruses that can paralyse company systems.

The influence of major events on the downloading of personal email files to company PCs was also reflected in the amount of respondents -34% – who had opened attachments during this year’s World Cup. The research also highlights a number of areas where unintentionally users could be increasing security risks; 28% of the employees share files with family and friends and 25% allowed others to go online using their work computer, effectively forfeiting control over what is being used on or downloaded to their devices. Just under half said that they connect devices to their computers such as cameras, music players, mobile phone and PDA.

The research also indicates that most users are probably unaware of the risk posed by their behaviour with 90% of those surveyed believing that their work computer is either fairly or very secure, with 67% trusting that their IT department has taken the necessary measures to secure their device against threats.

http://www.it-observer.com/news/6945/security_must_focus_desktop_policy/

I mean, the company policy makes it clear that the computer and network are company property, and that we shouldn’t expect any privacy there.

However, there is a genuine divergence between what companies say and what they do. There is also a divergence between what employees regurgitate about their expectations of privacy (corporate mantra) and how they actually act.

My own answer to the question, “do I have a reasonable expectation of privacy in the workplace?” What we really need to do is better define the scope of that reasonable expectation of privacy. In the course of an average day at work, an employee leaves a great deal of “digital detritus” — a trail of activities. The ownership of these digital records, as well as an employees’ privacy rights with respect to them is not entirely clear under the law. Employers provide employees with a number of tools that leave a digital trail. This may include their computers, email accounts, Internet access, VPN access, regular phone, VOIP service, cell phone, alphanumeric pager, RSA SecurID token, not to mention the video surveillance, and records of badge entry and exit.

Complicating these issues are the questions of ownership, access and rights. For example, an employer may purchase a cell phone for an employee and retain ownership of the phone. Or it may allow the employee to buy the phone, but register it on a corporate plan for service. It may reimburse the employee for all telephone calls made or require the employee to demonstrate the business nature of calls reimbursed. Employees may telecommute from home using either employer or employee supplied equipment.

The Internet connection to the office may be paid for by the employee or the employer. When logging on remotely, does the ISP have any right to monitor content? When a VPN connection is made, who may monitor what happens on the VPN? May your employer burst into your home, seize your personal computer (that you own, but store some of their files on) and take it?

Privacy in the workplace extends beyond the electronic workplace. For example, can your employer read your personal mail, sent to your office address — even if it is marked “personal and confidential — addressee only?” Can your employer videotape you in the office? What about in the restrooms, lounges, parking lots, or in your car?

It’s easy to say that employees have no expectation of privacy, and even to post corporate policies and notices to that effect.

The electronic workplace is no longer just the cubicle, desk or office.

Lance Corporal Jennifer Long was issued a government computer to use on a government military network. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. It noted that while the government said it could monitor, it rarely did. It also noted that the case was initiated when the Marine Corps Criminal Investigative Division (CID) — essentially a law enforcement agency, simply decided to inspect the servers to look for evidence of criminal activity.

You may expect privacy for some purposes (police searches) and not for others (your boss). You don’t leave the laptop lying around in the reception area because, after all, there is noting “private” there. You expect that e-mail will be read by people you send it to, and by others they send it to, by network administrators when necessary in the course of their work, and possibly by counsel or others when needed for business purposes.

It creates some privacy rights, but not with respect to the provider of the network. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

http://www.securityfocus.com/columnists/421?ref=rss

In many enterprises today the task of system management has been outsourced, including the installation and provisioning of employees workstations, with the result that these administrative passwords are controlled by third parties. They can retrieve any file that the end user is working on, and since office documents set up local temporary files, when the user opens a file, it can be accessed by the intruder.

Now you may be reading this and saying “this is just a re-hash of commonly known hacking risks”, and you would be right. But in this case the risk is not the outsider but the insider who is trusted and whose job it is to actually look after your workstation and administer the network. Access to a shared account must be logged so that the individual who requires a particular password should be required to provide a reason, and this request should be authorized — dual control. This is simply common sense advice to any enterprise that values its confidentiality, and is not in the business of unnecessary risk.

The figures showing a decrease of 83% in burglaries in Cleveland, identified that the decrease was a direct result of people taking the advice of the police about proper security measures.

http://www.net-security.org/article.php?id=954&p=1