Handbook of Information Security Management
(Publisher: CRC Press LLC)
Author(s): Hal Tipton and Micki Krause, Consulting Editors
ISBN: 0849399475
Publication Date: 01/01/98

Previous Table of Contents Next


Other Forms of Data Disclosure

The sharing of computers introduces not only threats of contracting viruses from unprotected computers, but also the distinct possibility of unintended data disclosure. The first instance of shared computer threats is the sharing of a single company-owned portable computer. Most firms don’t enjoy the financial luxury of purchasing a portable computer for every employee who needs one. In order to enable widespread use of minimal resources, many companies purchase a limited number of portable computers that can be checked out for use during prolonged stays outside the company. In these cases, users most likely store their data on the hard disk while working on the portable and copy it to a diskette at the end of their use period. But they may not remove it from the hard disk, in which case the portable computer’s hard disk becomes a potential source of proprietary information to the next user of the portable computer. And if this computer is lost or misplaced, such information may become public. Methods for protecting against this threat are not difficult to implement; they are discussed in more detail later in this chapter.

Shared company portables can be managed, but an employee’s sharing of computers external to the company’s control can lead to unauthorized data disclosure. Just as employees may share a single portable computer, an employee may personally own a portable that is also used by family members or it may be lent or even rented to other users. At a minimum, the organization should address these issues as a matter of policy by providing a best practices guideline to employees.

DECIDING TO SUPPORT PORTABLES

As is the case in all security decisions, a risk analysis needs to be performed when making the decision to support portable computers. The primary consideration in the decision to allow portable computing is to determine the type of data to be used by the mobile computing user. A decision matrix can help in this evaluation, as shown in Exhibit 1. The vertical axis of the decision matrix could contain three data types the company uses: confidential, sensitive, and public. Confidential data is competition-sensitive data which cannot be safely disclosed outside the company boundaries. Sensitive data is private, but of less concern if it were disclosed. Public data can be freely disclosed.


Exhibit 1.  Decision Matrix for Supporting Portable Computers

The horizontal axis of the matrix could be used to represent decisions regarding whether the data can be used for portable computer use and the level of computing control mechanisms that should be put in place for the type of data involved. (The data classifications in Exhibit 1 are very broad; a given company’s may be more granular.) The matrix can be used by users to describe their needs for portable computing, and it can be used to communicate to them what data categories are allowed in a portable computing environment.

This type of decision matrix would indicate at least one data type that should never be allowed for use in a mobile computing environment (i.e., confidential data). This is done because it should be assumed that data used in a portable computing environment will eventually be compromised even with the most stringent controls. With respect to sensitive data, steps should be taken to guard against the potential loss of the data by implementing varying levels of protection mechanisms. There is little concern over use of public data. As noted, the matrix for a specific company may be more complex, specifying more data types unique to the company or possibly more levels of controls or decisions on which data types can and cannot be used.

PROTECTION STRATEGIES

After the decision has been made to allow portable computing with certain use restrictions, the challenge is to establish sound policies and protection strategies against the known threats of this computing environment. The policy and protection strategy may include all the ideas discussed in this chapter or only a subset, depending on the data type, budget, or resource capabilities.

The basic implementation tool for all security strategies is user education. Implementing a portable computing security strategy is no different; the strategy should call for a sound user education and awareness program for all portable computing users. This program should highlight the threats and vulnerabilities of portable computing and the protection strategies that must be implemented. Exhibit 2 depicts the threats and the potential protection strategies that can be employed to combat them.


Exhibit 2.  Portable Computing Threats and Protection Measures


Previous Table of Contents Next