
SANS ISC: Data Policies - Do we need them?


Corporate IT departments spend millions of dollars to secure the perimeters of their networks. Firewalls, gateway filtering, intrusion detection systems and monitoring services are some of the methods used to keep hackers and malicious code exploits out. Yet their data may still be getting compromised without their knowledge. In today's age of mobile technology the data may be leaking out unintentionally.

In the past the policy was pretty simple: everyone uses VPN and two-factor authentication. Today many corporations use intranets and internal web pages to store and access data. This makes it handy for the worker who travels and works on the road. However, if the employee isn't thinking about the security of the company data, or hasn't been trained in the methods needed to secure it, the company can experience a data leak. For instance, if the employee checks their email or accesses these internal websites from a public terminal in an airport, Internet cafe, hotel, etc., what data is left behind? Who could be "shoulder surfing" and watching them work? What about programs planted on these machines that can track all of the information entered (including userid and password information)? If you look at programs like WebWatcher and Spector Pro, you see how easy it may be to capture everything from a public terminal. Because of programs such as these, should corporations have policies against the use of public terminals to access company information?

What about the information posted on public tech support sites or blog sites? Is too much information being revealed online in insecure locations? Many self-help tech support sites are available on the Internet. There is a wealth of information available and a huge community of "experts" available online. This can be a great thing. However, is proprietary or critical company information being posted on these sites? It is interesting to see the amount of information about their company, systems and network that people are willing to share in these exchanges without even realizing that they have just given the bad guy the "key to the door".

Do corporations and companies (large and small) have policies and procedures in place to minimize the amount of information leakage their company experiences? How do we educate and train our employees to think about what they are doing and how it will impact the company?

SANS Institute has a significant number of resources and templates available for you to start the process of identifying and developing policies and procedures. This is a good starting place and has some really good templates for a number of security-related concerns.

We would like to know if you have a particular policy or procedure that you would like to share with us or if you have good online resources you can recommend.


279 Posts
ISC Handler
Nov 23rd 2007
