[privacy] 26 IRS Tapes Missing in Kansas City
Valdis.Kletnieks at vt.edu
Mon Jan 22 14:35:24 CST 2007
On Sat, 20 Jan 2007 21:06:57 EST, Shyaam said:
> forensics". So best is to avoid people storing CONFIDENTIAL data on portable
> devices no matter what their security clearance level is. The other best
> thing is to always track data that goes in and out of the network. The
> next is to not let people whom you don't know into the building
> itself (perimeter) and to restrict people from moving from one department
> floor to the other or something of that sort (perimeter protection). Can't
> these be simple for people to take action on?
The problem is that it's all about *tradeoffs* - yes, you've enumerated the
"best" way to do all that stuff. The problem is that in trying to *enforce*
that, you end up hitting all these corner cases where implementing proper
security gets in the way of actually getting work done.
For instance - security-wise, it would be "best" if the files that Social
Services has on their clients stay on the central servers. However, what do
you do if you have a case worker that makes house calls, and having the files
on a laptop where they can reference them while at the site would make things
a lot easier?
What do you do if you have a valued employee who has legitimate reasons to
telecommute?
And so on, in a twisty little maze of corner cases, all different....
And it gets worse - that social worker doesn't understand computer security,
and they don't want to. They have a Master's in Psychology or some social
science, and *their* job is to make sure that these kids' mom is staying off
crack. That worker's manager isn't interested either - he's responsible
for making sure as many client moms stay off crack as possible. You go up
the org chart food chain, and by the time you hit somebody that *might* care
about security, it's probably somebody who doesn't even *know* that social
worker is on the payroll, and is too busy worrying about getting the department
their share of Federal money to think about computer security.
And if you've *ever* put in a temporary firewall rule because something had to
work *this afternoon*, you're just as guilty as that social worker's manager,
who OK'ed putting stuff on laptops because work had to get done *this week*.
More so, because you should know better...