Security Manager's Journal: Security Crashes Into Productivity
Our manager didn't tell users that they could have laptops, but she's the one who has to tell them that they can't.
Computerworld -
Trouble Ticket
At issue: A department is letting some staffers use wireless laptops.
Action plan: Pull them back, explain why, and get on the stick to address security concerns.
Security can sometimes come crashing up against productivity, and when it does, security must prevail. Thats because my state agency is a maintainer of records covered by HIPAA rules. One blunder, and were front-page news. Not on my watch, thanks.
Given the consequences of jeopardizing client data, I think my obsession with security is good for the agency. But for our users, it can seem as if were living in the Dark Ages. Many technologies that are commonplace in the corporate world and even in other government agencies havent won my approval yet, and they wont until I am thoroughly convinced that they wont undermine our security efforts.
Still, things can slip through, since determined users dont always go through proper channels. When that happens, I have the unenviable job of rolling back the technological timeline for the wayward users. They thought it was the 21st century ha! Get back to the Dark Ages with the rest of us.
So it was that I had to tell our agencys program manager that the four productivity-enhancing laptops with Wi-Fi that his group was using were leaving us vulnerable to a serious breach. Sorry, but the Wi-Fi capability is going to have to be disabled, the laptops configured with our standard image and the hard drives encrypted. Users can check out a laptop when needed. Otherwise, the laptops stay put, connected directly to the network so they can be patched and updated. No working at home for them.
Naturally, this put a kink in his plan. What good are laptops if we cant go wireless, work on the road and work at home? he asked. He had transferred from another agency, where he had carried a laptop. I explained that we have different security constraints and since we dont yet have a foolproof way of securing mobile devices, we dont want to put our data at risk.
We allowed laptops until last year, when one news story after another told about laptops that had gone missing. They often held data such as patients names and Social Security numbers. The case of the missing Veterans Administration laptop alone was enough to curl your hair if youre in charge of securing similar information.
The Lucky Few
Now, only systems administrators and a few chiefs trained in laptop security have laptops. Even then, they cant synchronize their My Documents folders from the network drive to the laptop. Protected data remains within the protected network.
I am one of those people with a laptop, and I take it everywhere. But I am extremely cautious. I never use Wi-Fi. Instead, I have a broadband wireless card, which eliminates the risk of a hacker sniffing my wireless traffic or hijacking my wireless session. My laptop has host-based intrusion prevention and a firewall, and it is set up for automatic patches and updates.
When I travel, my eyes never leave my laptop. At airports, I have a set order for putting my belongings on the conveyer belt so that when my laptop emerges, I am already at the other end to retrieve it. Even my purse is a lower priority. I use a small laptop case that slides under the seat no overhead compartments. I try not to leave it in a hotel room, but if I must, I hang out a Do Not Disturb sign and put the laptop in the room safe. I refuse housekeeping services. Someone from the hotel could still enter my room, but I eliminate as much risk as possible.
Would our employees have this same level of I guess you would have to call it obsessive caution? Those news headlines give me my answer.
Luckily, the program manager didnt let his disappointment blind him to the sincerity of my goals. I assured him that overcoming these security concerns is on our agenda.
This weeks journal is written by a real security manager, C.J. Kelly, whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.
Read more about Security in Computerworld's Security Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts