So Many Portables, So Few Rules

All manner of sensitive company data floats around on employees’ portable devices. Without proper procedures, there’s no telling where it might land.
Posted September 25, 2006

George Spafford

George Spafford

(Page 1 of 2)

Knowing the greatly increased productivity that results from a mobile workforce, companies buy a plethora of laptops, ultra-portables, PDAs, cell phones, and personal storage devices. They also invest heavily in upgrading existing portable systems – anything to offer greater functionality to on-the-go staffers.

However, companies are often in such a rush to expand that they don’t put sufficient thought into their policies for managing the risks associated with decommissioning such devices.

This creates a problem with data leakage. The uncontrolled transfer of a firm’s data to unauthorized individuals presents a major enterprise security hole. Notebooks and PCs have data. USB drives have data. Even cell phones have contact lists, with newer phones storing text messages, emails, and proprietary files.

Groups need to investigate how to securely remove data from these systems before these units move beyond their control. As Oliver North found out in the Iran-Contra affair years ago, using an operating system’s delete command to remove files typically doesn’t destroy all the data. In some cases, the file is flagged for deletion yet remains in either a waste bin or system folder. The data can remain until the formerly allocated space is re-used.

The Ghost in the Machine

While we fret over external leakage, even the uncontrolled movement of data within a firm can be detrimental. Imagine a person getting access to sensitive data because they receive a thumb drive that used to belong to a VP, or salary data from a PC that HR used to use. Many groups recognize this and re-image drives, or do a secure wipe before re-using equipment.

Often, it's the devices that are going to be thrown out, sold, or donated that don't have effective controls – especially the mobile devices, such as PDAs and cell phones. Organizations should review risks and determine what policies and procedures they need to safeguard company information.

Part of this must include deciding what is “good enough." In other words, management teams need to identify reasonable controls that reduce the risks to an acceptable level, as the risks are virtually impossible to totally eliminate.

For devices in the data center, companies can readily develop and enforce policies for securely wiping drives, non-volatile RAM, backup media, and other units. In cases where a device has failed and the data isn’t accessible to wipe, the storage unit should be physically destroyed so that the data is unrecoverable should the unit be removed and placed in an operative device. This includes methods such as shredding, puncturing, melting, degaussing and so on.

For mobile devices where the risks merit higher security levels, users need to return the units to a depot, centralized or decentralized, which is tasked with properly decommissioning the device. This serves two purposes: to account for devices as well as to take reasonable safeguards to prevent the loss of data.

Next page: Should This Data be Traveling?

Page 1 of 2

1 2
Next Page

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.