Overseeing Compliance of Security Operations ◾ 163
© 2011 by Taylor & Francis Group, LLC
floppy disks, DVDs, CDs, etc. There are valid business uses for all these devices, and
policy should enumerate valid business uses and restrict all others. Many portable
devices have the potential to record and store vast amounts of data. These portable
devices are also easily lost or stolen. This policy is a difficult balance between
empowerment, well-intentioned productivity, and the restriction of use to avoid
being tomorrow’s national news headline for disclosing sensitive customer data.
The valid business use of portable media may include the use of portable devices
to store sensitive data. Policy may require the use of encryption to protect data in
the event of loss or theft and the secure removal of sensitive data from these devices,
which requires procedures beyond the standard delete command.
Personal Property Use Policy
A supplement to the portable media policy, as well as other policies, is the use
of personally owned technology versus organization-issued technology. The use of
organization-issued USB devices, portable hard drives, tapes, CDs, floppy disks,
etc., may be fine. However, the use of personally owned devices may be restricted
or prohibited. Personal devices include everything in the previous list plus PDAs,
iPods, iPhones, flash pens, digital audio recording devices, portable storage devices
like USB thumb drives, cameras, PCs, and laptops. These devices are capable of storing
electronic files, and even under the best of intentions pose a threat to disclose
proprietary or sensitive information. The use of personal devices may disclose data
because personal devices may not have the same security software and devices.
The use of personal devices on enterprise networks may introduce malware, also
from the lack of the same security software installed on enterprise-issued equip-
ment. Many of these devices initiate an automated startup procedure when con-
nected to a PC. If these personal devices connect at any time to enterprise PCs and
the personal device contains malware, that malware has now been introduced to
the enterprise environment. For example, a thumb sucker attack is the installation of
malware on a USB thumb drive and leaving that thumb drive lying about. A person
picks up the thumb drive and wanting to know what is on it or whom it belongs
to, plugs it into a PC. The automated startup software initiates and installs the
malware on that PC … and the enterprise network is now compromised. Cameras
may take pictures of sensitive areas like data centers and data center security. Cell
phones may be tracked via global positioning (GPS). PDAs can store large amounts
of data as can USB storage devices. Personal laptops are often not as secure as
enterprise PCs.
Enterprise policy governing the possession and use of personal property should
reflect the sensitivity of the data and the environment. Legislative compliance
requirements that require the protection of personal information or financial
information should influence these policies. Moreover, the enterprise competitive
environment should also influence the details of policy. Corporate espionage is not
just an interesting dramatic movie plot. There are real dollars at stake in a globally