Computerworld - The other day, I found out that an executive in my company was leaving. Normally, that wouldn't be a big deal. After all, in a large company people come and go all the time. But this executive's employment contract included a clause that lets him keep his laptop. As a security manager, I find this alarming, but it's a common practice when hiring executives here.
While executives have always departed with their computers, until now no one has bothered to erase the sensitive programs and data on those machines. Computers in the sales and marketing group, for example, contain customer contact lists, confidential price lists, e-mail correspondence, and merger and acquisition information.
The executive in question was part of an inquiry a few months ago that required obtaining an image of his laptop's hard disk drive. A member of the legal department, hearing of his planned departure, remembered that inquiry and called me. This person was leaving the company under good terms, he said.
Nonetheless, I asked for his laptop right away so that we could take another mirror image, wipe the drive and then install the standard baseline image on it. To my surprise and dismay, my request was met by a considerable amount of resistance from management. But in the end, less than 24 hours before the employee's departure, I finally received his laptop.
In the wake of this episode, the CIO established a policy that any laptop leaving with an employee must have its disk wiped. The policy statement will be included in future offer letters whenever retention of any company-issued computer equipment is part of the employment agreement.
With that problem behind me, I turned my attention to another pressing issue. Except for certain enterprise-class applications, such as PeopleSoft, Oracle and Siebel, my company develops in-house almost all of the software it uses. Prior to deployment, any application we develop must enter our project life cycle, which includes many reviews. Most of the items I am concerned with relate to access control, encryption, server and application security, and proper network segregation.
Unfortunately, this process is fairly new and is always being refined. We've only recently mandated IT security representation at the various stages of projects. Now, someone in my group attends the project planning meetings and all technical and critical design review boards. But sometimes smaller programming projects can slip by.
A few months ago, I encountered an application that lets a user create and publish surveys. Since the program was designed for a group that
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
