Security's Everyman

Tuesday, April 03, 2007

It's 9:00 AM. Do you know where your PC is?

Darkreading.com has a story that expands on the DOE PC loss. If you haven't heard, the DOE has lost at least 20 PCs, many of which contained classified data.

In the article they talk about how many large corporations would be glad to be able to account for all but 20 of their PCs. Workers move around in a building from desk to desk, or often they move from office to office. In some companies when a worker moves, even to a new office, their PC goes with them. When this happens, IT often never knows about the move.

There are plenty of things that can be done to mitigate the risk from this. Policies about moving equipment and such have their place. Of course there is technology available that will both prevent a moved PC from connecting to the network and also alert you if a system connects on a different port. Much of the technology is expensive, time-consuming to implement, and requires personnel to manage it.
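The alerting half of that idea, reduced to its core logic as an added example (not from the original post or any product it alludes to): compare an inventory baseline with the MAC addresses the switches currently see, and report what moved, what is absent and what was never inventoried. The asset tags, port names and MAC addresses are constructed sample data, and the function names are hypothetical; in practice the observed rows would come from the switches' MAC address tables.

```python
import re

def normalize_mac(mac: str) -> str:
    """Canonicalise aa-bb-.., aabb.ccdd.eeff or AA:BB:.. to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(baseline, observed, uplinks=frozenset()):
    """baseline: {mac: (asset_tag, expected_port)} from the inventory.
    observed: (port, mac) rows from switch MAC address tables.
    uplinks: inter-switch ports; MACs learned there do not locate a PC (skipped)."""
    expected = {normalize_mac(m): v for m, v in baseline.items()}
    seen = {}
    for port, mac in observed:
        if port not in uplinks:
            seen.setdefault(normalize_mac(mac), set()).add(port)
    report = {"moved": [], "missing": [], "unknown": []}
    for mac, (tag, port) in sorted(expected.items()):
        if mac not in seen:          # off, unplugged or gone: needs a follow-up
            report["missing"].append(tag)
        elif seen[mac] != {port}:    # connected, but not where inventory says
            report["moved"].append((tag, port, sorted(seen[mac])))
    for mac in sorted(set(seen) - set(expected)):
        report["unknown"].append((mac, sorted(seen[mac])))
    return report

# Constructed sample data (hypothetical asset tags, ports and addresses).
BASELINE = {
    "00:11:22:33:44:01": ("PC-0001", "sw1:Gi0/1"),
    "00:11:22:33:44:02": ("PC-0002", "sw1:Gi0/2"),
    "00:11:22:33:44:03": ("PC-0003", "sw2:Gi0/5"),
}
OBSERVED = [
    ("sw1:Gi0/1", "0011.2233.4401"),     # where the inventory expects it
    ("sw2:Gi0/7", "0011.2233.4402"),     # PC-0002 followed its user to another office
    ("sw1:Gi0/24", "0011.2233.4402"),    # same MAC relearned across the uplink
    ("sw2:Gi0/9", "00-AA-BB-CC-DD-EE"),  # device nobody inventoried
]
UPLINKS = {"sw1:Gi0/24", "sw2:Gi0/24"}

if __name__ == "__main__":
    for kind, rows in reconcile(BASELINE, OBSERVED, UPLINKS).items():
        print(kind, rows)
```

Leaving the uplink ports out of `uplinks` makes a moved PC appear on two ports at once, which is the usual source of false alerts in this kind of check.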

Personnel moves can cause your inventory and asset tracking to go awry, but in what other ways can they cause "real" security problems? The first one that comes to mind for me is when the equipment "disappears": it gets taken home or sold. What happens to the data then? And when the PC does make it to the new location, the data is often exposed to new threats. People in the new office now have the potential to gain access to data on that PC that they are not authorized to view.

Asset tracking is a miserable responsibility that can have a direct impact on a company's security posture. Not having adequate policies, procedures, controls and monitoring in place can allow the unauthorized access, loss and transmission of data. So, like it or not, it is an important part of Information Security that we have to keep an eye on.

2 comments:

LonerVamp said...

I'm a big supporter of inventory systems. It's little drudgery things like that (and log reading, et al) that too many IT persons dismiss or simply don't want to do, but they make the biggest differences.

Sadly, I think one of the problems with lost equipment is not necessarily equipment that disappears or is stolen, but does anything happen when Salesman Eric goes out to a location and leaves his laptop in a cab. What happens to Eric? Does he have to pay anything? Does he just get issued a new one with a pat on the back? Do you actually take his word for it that it was "left in a cab" as opposed to stolen or sold off?

That simple illustration can make or break an entire device security initiative, or at least point it over towards protecting the data and/or encryption. Kudos to any company that will put Eric over the fires for losing that sort of equipment, but I suspect those companies are very rare when the loss is hushed up and quiet.

Personally, any inventory system should be tied closely to the hire/termination process. If someone is issued mobile equipment, they should sign off on an inventory sheet that is kept by HR or IT and reclaimed either when needed or upon termination.

assettrac said...

Supporter of inventory systems - me too, as we sell them! Imagine a unique barcode tag on an asset, and another on the door of the space where it usually is kept to represent the location (or shelf, vehicle, warehouse etc). Take a barcode scanner and scan each location tag followed by each asset tag and our software will tell you what's found, what's missing, and what's moved from your office to mine! Because this is so much quicker and more accurate than going round with a paper checklist you can afford to do it more often, thus discovering missing items more quickly. Everyone will see you are taking security seriously and things won't go missing quite so often.
Imagine how many different types of asset this could apply to, not just IT. Imagine how you can link all the software records to values for balance sheet, insurance, depreciation, purchase costs, then the links to maintenance records, handheld PDA inspections, import and export to XL. Imagine revenue producing assets being checked in and out, example a microchipped oxygen bottle is scanned out to a van, off at the hospital, and empty cylinders scanned on to the van, all movements GPRS back to HQ and invoices produced for renting the system. Overall a neat practical low cost approach for getting paper away from all those administrative procedures slowing down many firms. Very 'green' too.
As far as Eric goes, make anyone taking corporate property off site pay for the theft insurance policy excess in the event of loss! Also create Eric as a 'location' in the software through the barcode on his employee ID card then scan the equipment out to him and back again, software program keeps track.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.