Security Manager's Journal: Security Crashes Into Productivity
Our manager didn't tell users that they could have laptops, but she's the one who has to tell them that they can't.
By C.J. Kelly
August 27, 2007 12:00 PM ET
Computerworld -
Trouble Ticket
At issue: A department is letting some staffers use wireless laptops.
Action plan: Pull them back, explain why, and get on the stick to address security concerns.
Security can sometimes come crashing up against productivity, and when it does, security must prevail. That�s because my state agency is a maintainer of records covered by HIPAA rules. One blunder, and we�re front-page news. Not on my watch, thanks.
Given the consequences of jeopardizing client data, I think my obsession with security is good for the agency. But for our users, it can seem as if we�re living in the Dark Ages. Many technologies that are commonplace in the corporate world and even in other government agencies haven�t won my approval yet, and they won�t until I am thoroughly convinced that they won�t undermine our security efforts.
Still, things can slip through, since determined users don�t always go through proper channels. When that happens, I have the unenviable job of rolling back the technological timeline for the wayward users. They thought it was the 21st century � ha! Get back to the Dark Ages with the rest of us.
So it was that I had to tell our agency�s program manager that the four productivity-enhancing laptops with Wi-Fi that his group was using were leaving us vulnerable to a serious breach. Sorry, but the Wi-Fi capability is going to have to be disabled, the laptops configured with our standard image and the hard drives encrypted. Users can check out a laptop when needed. Otherwise, the laptops stay put, connected directly to the network so they can be patched and updated. No working at home for them.
Naturally, this put a kink in his plan. �What good are laptops if we can�t go wireless, work on the road and work at home?� he asked. He had transferred from another agency, where he had carried a laptop. I explained that we have different security constraints and since we don�t yet have a foolproof way of securing mobile devices, we don�t want to put our data at risk.
We allowed laptops until last year, when one news story after another told about laptops that had gone missing. They often held data such as patients� names and Social Security numbers. The case of the missing Veterans Administration laptop alone was enough to curl your hair if you�re in charge of securing similar information.
The Lucky Few
Now, only systems administrators and a few chiefs trained in laptop security have laptops. Even then, they can�t synchronize their My Documents folders from the network drive to the laptop. Protected data remains within the protected network.
I am one of those people with a laptop, and I take it everywhere. But I am extremely cautious. I never use Wi-Fi. Instead, I have a broadband wireless card, which eliminates the risk of a hacker sniffing my wireless traffic or hijacking my wireless session. My laptop has host-based intrusion prevention and a firewall, and it is set up for automatic patches and updates.
When I travel, my eyes never leave my laptop. At airports, I have a set order for putting my belongings on the conveyer belt so that when my laptop emerges, I am already at the other end to retrieve it. Even my purse is a lower priority. I use a small laptop case that slides under the seat � no overhead compartments. I try not to leave it in a hotel room, but if I must, I hang out a �Do Not Disturb� sign and put the laptop in the room safe. I refuse housekeeping services. Someone from the hotel could still enter my room, but I eliminate as much risk as possible.
Would our employees have this same level of � I guess you would have to call it � obsessive caution? Those news headlines give me my answer.
Luckily, the program manager didn�t let his disappointment blind him to the sincerity of my goals. I assured him that overcoming these security concerns is on our agenda.
This week�s journal is written by a real security manager, �C.J. Kelly,� whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.
Read more about Security in Computerworld's Security Topic Center.
Free Insider Guide