Security Manager's Journal: Security Crashes Into Productivity

Computerworld -

Trouble Ticket

At issue: A department is letting some staffers use wireless laptops.

Action plan: Pull them back, explain why, and get on the stick to address security concerns.

Security can sometimes come crashing up against productivity, and when it does, security must prevail. Thats because my state agency is a maintainer of records covered by HIPAA rules. One blunder, and were front-page news. Not on my watch, thanks.

Given the consequences of jeopardizing client data, I think my obsession with security is good for the agency. But for our users, it can seem as if were living in the Dark Ages. Many technologies that are commonplace in the corporate world and even in other government agencies havent won my approval yet, and they wont until I am thoroughly convinced that they wont undermine our security efforts.

Still, things can slip through, since determined users dont always go through proper channels. When that happens, I have the unenviable job of rolling back the technological timeline for the wayward users. They thought it was the 21st century  ha! Get back to the Dark Ages with the rest of us.

So it was that I had to tell our agencys program manager that the four productivity-enhancing laptops with Wi-Fi that his group was using were leaving us vulnerable to a serious breach. Sorry, but the Wi-Fi capability is going to have to be disabled, the laptops configured with our standard image and the hard drives encrypted. Users can check out a laptop when needed. Otherwise, the laptops stay put, connected directly to the network so they can be patched and updated. No working at home for them.

Naturally, this put a kink in his plan. What good are laptops if we cant go wireless, work on the road and work at home? he asked. He had transferred from another agency, where he had carried a laptop. I explained that we have different security constraints and since we dont yet have a foolproof way of securing mobile devices, we dont want to put our data at risk.

We allowed laptops until last year, when one news story after another told about laptops that had gone missing. They often held data such as patients names and Social Security numbers. The case of the missing Veterans Administration laptop alone was enough to curl your hair if youre in charge of securing similar information.

The Lucky Few

Now, only systems administrators and a few chiefs trained in laptop security have laptops. Even then, they cant synchronize their My Documents folders from the network drive to the laptop. Protected data remains within the protected network.

I am one of those people with a laptop, and I take it everywhere. But I am extremely cautious. I never use Wi-Fi. Instead, I have a broadband wireless card, which eliminates the risk of a hacker sniffing my wireless traffic or hijacking my wireless session. My laptop has host-based intrusion prevention and a firewall, and it is set up for automatic patches and updates.

When I travel, my eyes never leave my laptop. At airports, I have a set order for putting my belongings on the conveyer belt so that when my laptop emerges, I am already at the other end to retrieve it. Even my purse is a lower priority. I use a small laptop case that slides under the seat ­ no overhead compartments. I try not to leave it in a hotel room, but if I must, I hang out a Do Not Disturb sign and put the laptop in the room safe. I refuse housekeeping services. Someone from the hotel could still enter my room, but I eliminate as much risk as possible.

Would our employees have this same level of  I guess you would have to call it  obsessive caution? Those news headlines give me my answer.

Luckily, the program manager didnt let his disappointment blind him to the sincerity of my goals. I assured him that overcoming these security concerns is on our agenda.

This weeks journal is written by a real security manager, C.J. Kelly, whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.

Read more about security in Computerworld's Security Knowledge Center.