Security's Everyman

Thursday, January 17, 2008

Asking the right questions?

Tom Olzak has a post on his ITToolbox blog "Adventures in Security" about the theft of equipment, including 2 laptops with voter PII, from the Davidson County Tennessee Election Commission Office.

It's obvious that they didn't take "reasonable" security precautions: the laptops were kept in an office that was only minimally secured. Worse, the laptops contained PII, including the voters' Social Security Numbers. I like the question that Tom asks.

The first question the election commission should ask is whether information like social security account numbers is actually required on a laptop.
Too often this simple, basic question is not asked. IMHO this question should be answered before ANY data is put on a mobile device. Actually, it should be answered before any data is allowed to be stored on any device, even desktop PCs. If the data is stored anywhere other than on devices that are controlled by the IT staff (servers, SANs, etc.), then there needs to be a valid "business need". Allowing it because it is easy or keeps the users quiet is not a good reason. Office politics are not a valid reason to allow it either.

We have to ask the right questions about what we allow and don't allow the users to do. I get lots of requests every week from users who want us to forward their email to their personal devices such as their iPhone, BlackBerry, Palm, etc. The first question I ask is "What is the business need for you to get your email on your phone?" Usually they say "So I can get my email while in meetings." That is not a valid business need. Unless your job requires an immediate response or action to email, you don't need immediate access to your email in meetings.

The other thing is that if there is a valid business need, then at least two things should happen. First, your manager should request that your email be sent to your phone. Second, the company should provide you with an email-enabled phone. The IT department should not be responsible for supporting personal devices, not to mention the security and legal implications of allowing company data on personal devices that are not managed by corporate IT.

So, we need to learn what the right questions are and start asking them and requiring that they be answered satisfactorily before we allow users to have control of data.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.