Just when we start to think our recovery plans are complete—mainframes, LANs, physical facilities, and telecommunications—we get something new added to our list. The equipment this time is small, but increasingly critical. I’m speaking of workstations, laptops, and even things like personal digital assistants (PDAs). Sometimes, when it comes to the need for information security, size doesn’t matter.
Every now and again we read a news story that brings this issue home. It usually begins with an announcement that a laptop or desktop computer has been stolen. This in and of itself is not newsworthy, unless of course the device contains proprietary or sensitive information. A few years back, for example, a server containing 316,000 credit card numbers was stolen from a major bankcard company. This incident caused the company the embarrassment of having to contact all of these customers and cancel their credit cards. A more recent story surfaced when a major university had to write letters of apology to thousands of students after their grades, transcripts, and other sensitive information disappeared along with a laptop computer. Such stories are the nightmares of auditors and information technology managers alike. The fact is that critical, proprietary, or sensitive information has in many cases migrated from the relatively secure "computer room" environment to desktops, laptops, and in some cases PDAs. Personally, I believe it’s only a matter of time before high-end wireless phones are capable of harboring the same kinds of data, at least to the extent that the loss of such data could be a serious breach of personal privacy.
Has "mission critical" data in your organization migrated onto these less-proven (and more transportable) platforms? The answer might come as a cruel surprise some day, unless you take precautions and develop operating and security standards for this equipment now.
Hey Mister, Wanna Buy a Mainframe?
Unlike the traditional mainframe environment, many servers and other Intel-based client/server components have aftermarket value in pawnshops. Many companies therefore already sponsor well-managed security organizations that help preclude thefts of such equipment. Nobody pawns mainframes. You do, however, find laptops and other equipment in pawnshops, on eBay, and from a variety of other sources. Most of these sources are legitimate—but not all.
It’s prudent to look at a few common vulnerabilities with regard to such small equipment in the typical organization’s environment. This article makes a few specific recommendations to mitigate these vulnerabilities. We also recommend a few operating and security standards you can employ that are not prohibitively expensive, but go a long way toward keeping your company focused on its business and out of the evening news.