Data Security Policies

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715107

    Comments posted to this topic are about the item Data Security Policies

  • Yet Another DBA

    SSCarpal Tunnel

    Points: 4299

    Does your organization have some policy around data security on mobile devices?

    Only 1 company in the last 10 has. Others have pretended

    Do your fellow employees care about data security?

    Totally the opposite.

    Developers see data security as an anti-requirement.

    Bosses don't want to understand or don't want to upset their bosses

    And a pseudo dba is the worst abuser of privacy

    And a previous dba was partially responsible for a large data breach cos he was following orders and data security was not his thing!

    And people wonder why I'm sceptical...

  • Gary Varga

    SSC Guru

    Points: 82166

    Most clients of mine start off with a default policy of no devices allowed. They all seem to move through locked down VPN-enabled laptops and Blackberrys for email. Most are still at this stage. Occasionally, I have been allowed either VPN access from non-company equipment or access to services over HTTP (HTTPS to be more accurate) such as source control systems.

    As more and more services are getting to be hosted remotely, and sometimes by third parties, and access is allowed from anywhere on the Internet, I expect more and more non-company supplied hardware to be utilised. The security will be more and more based on secured credentials rather than secured hardware.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Skanker

    Hall of Fame

    Points: 3059

    It is the threat of a fine that seems to push security work in my organisation. Not the proactive aim of actually looking after data because it is the correct thing to be doing. 🙂

  • Cody Konior

    SSCarpal Tunnel

    Points: 4827

    Yet Another DBA (4/7/2014)


    Only 1 company in the last 10 has. Others have pretended

    And people wonder why I'm sceptical...

    You have all my feels. I feel like we're kindred spirits. Can we be friends?

  • jay-h

    SSCoach

    Points: 18808

    Personally I keep my devices and company devices completely separate. Better for both parties.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Gary Varga

    SSC Guru

    Points: 82166

    jay-h (4/7/2014)


    Personally I keep my devices and company devices completely separate. Better for both parties.

    Works for employees but not necessarily for consultants, contractors, freelancers and other 3rd parties who, sometimes, use their own equipment. I used to find that freelance work was always simply on site and with that company's hardware and software over their own network. In recent years it varies from client to client.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • phegedusich

    Ten Centuries

    Points: 1342

    When it comes to PCI and financial data, there can be no compromise in data security S&P. BYOD is not a player here. Consultants' devices must be configured to our standards to connect, or no dice.

  • Gary Varga

    SSC Guru

    Points: 82166

    phegedusich (4/7/2014)


    When it comes to PCI and financial data, there can be no compromise in data security S&P. BYOD is not a player here. Consultants' devices must be configured to our standards to connect, or no dice.

    That is certainly a variant of one of the reasons one can expect it to vary client to client e.g. I cannot imagine that the DoD (or any other equivalent agency) would be any different from the UK's MoD in that all devices must be left in external car parks (not brought on-site) and that all MoD devices must stay exactly on-site (not taken off-site).

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Freddie-304292

    Mr or Mrs. 500

    Points: 589

    We have to download an app that encrypts our data and means that IT can wipe our phone if we lose it if we want to get our email and GDocs on it. Worth the hassle of typing a pin to open the phone every time. VPN is great for working at home.

    But most users care little for security, so you do have to impose it from on high.

  • jay-h

    SSCoach

    Points: 18808

    That is certainly a variant of one of the reasons one can expect it to vary client to client e.g. I cannot imagine that the DoD (or any other equivalent agency) would be any different from the UK's MoD in that all devices must be left in external car parks (not brought on-site) and that all MoD devices must stay exactly on-site (not taken off-site).

    It even applies to eyeballs. There were reports that during the Snowden articles, US military sites were blocking the Guardian, lest some service personnel accidentally see something outside their security clearance.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Gary Varga

    SSC Guru

    Points: 82166

    jay-h (4/7/2014)


    That is certainly a variant of one of the reasons one can expect it to vary client to client e.g. I cannot imagine that the DoD (or any other equivalent agency) would be any different from the UK's MoD in that all devices must be left in external car parks (not brought on-site) and that all MoD devices must stay exactly on-site (not taken off-site).

    It even applies to eyeballs. There were reports that during the Snowden articles, US military sites were blocking the Guardian, lest some service personnel accidentally see something outside their security clearance.

    Now that is hilarious. Talk about closing the stable door after the horse has bolted!!!

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Eric M Russell

    SSC Guru

    Points: 124993

    I hate to say it, but the only way we're ever going to see any industry wide application of standard data security policies is through government regulation and oversight. For an organization to adopt their own internal security policy and then publicly state their own self compliance is worthless.

    We need 3rd party oversight of data security for the same reasons we need 3rd party oversight of food processing, pharmaceutical manufacturing, and public aviation. Building a data warehouse for the purpose of handling credit card numbers and other personal information is conceptually no different than transporting explosive chemicals on a busy interstate highway: if it's not regulated, then there will routinely be spills and the public is at risk.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Jim P.

    SSCrazy Eights

    Points: 8725

    Eric M Russell (4/8/2014)


    I hate to say it, but the only way we're ever going to see any industry wide application of standard data security policies is through government regulation and oversight. For an organization to adopt their own internal security policy and then publicly state their own self compliance is worthless.

    This is the same government that created the IRS, Social Security, the <un>ACA, and the EPA?

    No, thank you.

    And when you say "industry wide", which industry are you talking about? I previously worked for a bank. I am now working for a healthcare SW company. What if my next employers are credit cards or auto manufacturing? What standard other than things like payroll are common?

    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.

  • jay-h

    SSCoach

    Points: 18808

    Eric M Russell (4/8/2014)


    I hate to say it, but the only way we're ever going to see any industry wide application of standard data security policies is through government regulation and oversight.... Building a data warehouse for the purpose of handling credit card numbers and other personal information is conceptually no different than transporting explosive chemicals on a busy interstate highway: if it's not regulated, then there will routinely be spills and the public is at risk.

    Highly regulated industries (banking, pharma, etc) have plenty of failures. So, in fact, do government agencies.

    The problem with trying to clamp down tighter and tighter is that as long as there is a leak somewhere, there will be failures. We need to rethink the process EXPECTING occasional failures and minimizing the harm. One approach might be tokenizing data (credit card info etc) so that the actual data is never stored on site, only a token. With proper encryption, the tokens can only work from the system to which they were issued. Store A can use your token only from their authenticated system (Store B's token would be different) for a card purchase, if someone else gets the token it's useless.

    Not a complete solution by any means, but we need to start thinking that information WILL leak, and work to control the damage done.

    ...

    -- FORTRAN manual for Xerox Computers --
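The tokenization scheme jay-h sketches above (the store keeps only an opaque token, and a token is only redeemable by the authenticated system it was issued to) can be shown end to end in a few dozen lines. The Python below is an added example written for this page, not code from any poster or from a real payment vault: the `TokenVault`, `Merchant`, the `tok_` prefix and the constructed card numbers are all assumptions of the example, and encrypting the vault's own storage at rest is left out of scope.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Constructed illustration of a card tokenization vault.

    Merchants never hold the PAN; they hold an opaque random token that the
    vault has bound to their merchant id. Detokenization requires an HMAC
    over the request made with the merchant's own shared key, so a token
    lifted from Store A is useless to anyone else: a third party cannot
    forge the HMAC, and Store B's own valid HMAC fails the ownership check.
    """

    def __init__(self):
        self._merchant_keys = {}  # merchant_id -> shared secret (bytes)
        self._store = {}          # token -> (merchant_id, pan)

    def register_merchant(self, merchant_id):
        # Out-of-band key provisioning is assumed; here we just generate it.
        key = secrets.token_bytes(32)
        self._merchant_keys[merchant_id] = key
        return key

    def tokenize(self, merchant_id, pan):
        """Issue a fresh random token bound to this merchant for this PAN."""
        if merchant_id not in self._merchant_keys:
            raise KeyError("unknown merchant")
        token = "tok_" + secrets.token_urlsafe(16)  # no relation to the PAN
        self._store[token] = (merchant_id, pan)
        return token

    def _expected_mac(self, merchant_id, token, nonce):
        key = self._merchant_keys[merchant_id]
        msg = f"{merchant_id}|{token}|{nonce}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def detokenize(self, merchant_id, token, nonce, mac):
        """Return the PAN only if the caller proves it is the merchant the
        token was issued to (valid HMAC under that merchant's key) AND the
        token record is bound to that same merchant. Otherwise return None."""
        if merchant_id not in self._merchant_keys:
            return None
        expected = self._expected_mac(merchant_id, token, nonce)
        if not hmac.compare_digest(expected, mac):
            return None  # caller does not hold this merchant's key
        record = self._store.get(token)
        if record is None or record[0] != merchant_id:
            return None  # token exists but belongs to a different merchant
        return record[1]


class Merchant:
    """A store system: holds its shared key and tokens, never PANs."""

    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.key = vault.register_merchant(merchant_id)

    def sign_request(self, token, nonce):
        msg = f"{self.merchant_id}|{token}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def charge(self, token):
        """Redeem a token with the vault as part of an authenticated request."""
        nonce = secrets.token_hex(8)
        mac = self.sign_request(token, nonce)
        return self.vault.detokenize(self.merchant_id, token, nonce, mac)


def demo():
    """Walk through the scenario in the post: Store A's token works only
    for Store A. Returns a dict of named checks, all of which should be True."""
    vault = TokenVault()
    store_a = Merchant("store-a", vault)
    store_b = Merchant("store-b", vault)
    pan = "4111111111111111"  # constructed test card number, not a real card
    token_a = vault.tokenize("store-a", pan)
    return {
        "owner_redeems": store_a.charge(token_a) == pan,
        # Store B signs correctly with its own key, but the token is not its own.
        "other_merchant_rejected": store_b.charge(token_a) is None,
        # Someone holding only the leaked token cannot produce a valid HMAC.
        "forged_mac_rejected": vault.detokenize("store-a", token_a, "n1", "00" * 32) is None,
        # Unknown merchant ids never get anything back.
        "unknown_merchant_rejected": vault.detokenize("nobody", token_a, "n1", "00" * 32) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the post: what leaks from a store's database is a token plus nothing that lets anyone else redeem it. Binding the token to a merchant id in the vault and requiring the merchant's key on every redemption are the two checks that make that hold; a real deployment would add nonce or timestamp replay tracking and encrypt the vault's own records at rest, neither of which is shown here.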
