Security Manager's Journal: A rougher week than usual

Computerworld - It was a rough week, and if you've been following my tale of layoffs and budget cuts, then you know it takes a lot for me to say that these days.

My first bad news of the week came from the lead engineer for our BlackBerry Enterprise Server, who told me that there was no way to configure the rules for Research In Motion's BlackBerry Mobile Data System to restrict access to our internal network.

My policy states that mobile devices should be able to access only our corporate intranet home page, and we had assumed that RIM would have adequate mechanisms within the BlackBerry Enterprise Server to restrict access. We were wrong. We contacted RIM, which advised us to either install a third-party proxy server or push policies to restrict the applications that run on BlackBerries. With over 2,000 devices in use at our company, pushing application restrictions would be a nightmare. A third-party proxy server is logistically easier to deal with, but that would take money and resources, two things that are in short supply right now.

Next, I got pulled aside by one of my analysts, who told me that he had made a startling discovery while troubleshooting an issue related to one of our data leak prevention sensors: The device was powered off, and the power cord was missing. These sensors are connected to span ports on our switch, and they monitor network traffic for about 3,500 employees. It's all part of our effort to ensure that our intellectual property isn't being transmitted outside the company.

The sensors are kept in a cage in our data center with other security devices. The cage has a very strict access-control list and is fitted with a proximity badge reader. All access is logged, and cameras are fixed on the cage. So, armed with camera footage and a list of people who recently accessed the cage, we should be able to find out what happened.

Squeaky Clean

We recently upgraded our content filtering, switching to Webwasher devices from Secure Computing, which has allowed us to expand our ability to prevent employees from accessing sites prohibited under our acceptable-use policy.

Unfortunately, some of the newly blocked sites had been used for business purposes, and now the users are complaining. To whom? You guessed it. Now I have to determine which Web sites can be placed on an exceptions list. The problem is that the requests are becoming fairly frequent, and I'm not making any friends. Attending to these types of requests has made this week especially busy. Today, a couple of my decisions were escalated to the CIO, and I had to spend time defending my position.

To make my bad week complete, my CIO asked me to validate our backup policy. We operate under a mandate from our general counsel's office to refrain from systematic destruction of data -- the residual fallout from a stock-option grant investigation at the company several years ago. In line with that mandate, we back up certain data daily, and the tapes are stored off-site indefinitely. I'm not sure why we still need to adhere to this requirement, since the investigation is finished and we are spending upward of $30,000 a month in backup tapes and storage fees. Believe me, that's a lot of backup tapes to store indefinitely! What I learned, though, is that some backups are being overwritten.

The CIO freaked out when he heard this news, and we had to act fast to get back into compliance. Fortunately, the lost data may not be "in scope" for the investigation, so we may be off the hook. Still, it was just something else to go wrong during the week.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join in. To join in the discussions about security, go to computerworld.com/blogs/security.

Read more about Security in Computerworld's Security Topic Center.