
Attend the likes of InfoSec to ensure you are up to date with the latest products, and then seek the advice of an expert consultant to help in cutting through the snake oil and implementing a solution that is both fit for purpose and addresses end-user issues without encouraging circumventory behaviour, writes Andrea Simmons, consultant forum manager for the BCS Security Forum.
There are all sorts of tools available:
- laptop locks
- hard-disc encryption
- USB encryptors
- privacy screens
- anti-spyware, and so on
At the Lion's Den session at InfoSec, technology suppliers insisted that their systems should be deployed by distributing agents across the network. In spite of concerns about increasing the number of agents that require management from an operational point of view, some suppliers believed their own marketing speak that their product would be able to address all "unknown risks" that might confront an organisation. Such misjudged boasts do little for understanding risk management or operational management pressures, or for the need to ensure that the end-user is as aware as possible of externalities and the likelihood of malicious code attacks.
A natural sequence of actions can help achieve the protection
required:
Step 1
Undertake an information audit that identifies all the
information assets: hardware, software, electronic information and
manual records (the latter two particularly need to address both
remote end-users and customers, identifying both personal data and
sensitive corporate data).
Step 2
Apply the appropriate product that reduces the risk to the
pre-identified corporately accepted level (there is no such thing
as 100% protection in the online, all-connected world).
Step 3
Provide a programme of information security awareness that
addresses concerns end-users may have about managing the data on
their laptops and USBs (by way of encryption, passwords, privacy
screens, and so on) as well as the simplest of instructions to not
leave such items in taxis, on back seats of cars, under tables in
Starbucks, and so on.
Step 4
Undertake an audit programme to review the elements identified
in step 1 to ensure these are as expected, and controlled in a way
that is compliant with organisational policies and procedures.