Industry View
Stopping Off-Network Losses: Practical Suggestions
Redemtech CEO Robert Houghton provides practical tips for robust off-network security.
By Robert Houghton, Redemtech CEO
May 15, 2008 —
Why are data breaches so persistent despite our best efforts? One answer from the Ponemon Institute study National Survey: The Insecurity of Off-Network Security is that 70 percent of all breaches result directly from the loss or theft of a data-bearing asset. Yet the study of 735 security professionals also revealed that most organizations have failed to define the fundamental operational controls and the regular governance mechanism needed to manage data security during moves or asset retirement, the period when an asset is removed from active production - taken "off the network," and literally off the radar for many organizations.
Robust off-network security relies on a combination of effective asset management, inventory management, encryption policy and operational governance. Those rely on a level of executive and budgetary support in competition with many other security priorities. Luckily, there are some straightforward, affordable measures available to those who want to take quick action to mitigate off-network security risks.
First, if your asset management system cannot identify which data-bearing assets contain sensitive data, you must assume that they all do. Second, understand your legal obligations under privacy laws, as those establish the greater part of corporate liability in the event of a breach. It is Redemtech's experience that corporate counsel often does not have thorough knowledge of privacy law, or the costs of a breach. Therefore, it is usually advisable to seek specialized outside counsel with expertise in privacy compliance at the state, federal, and if applicable, international levels. Then take the following practical steps:
Don't delay. Unsecured data-bearing assets that are temporarily decommissioned or staged for later processing or disposition are at great risk. Ensure that processes are defined to immediately control and secure data-bearing assets as soon as they are taken "off the wire."
Establish a chain-of-custody and inventory accountability. Reliable chain-of-custody is the most difficult discipline to establish, and the most valuable in off-network security terms. It is, in essence, a discipline of lists. For each move, assets must be identified by scanning their serial and/or asset numbers into a list. Writing or keying serial numbers by hand is reliably inaccurate. Use scanners. Each list of assets should be assigned to a secure physical location. If your organization has an asset management system, each change of location for each asset must be uploaded there to update perpetual inventory records with each scan. If lacking asset management capabilities, then maintain an accurate list of inventory assigned to each secure location. Anytime any asset is moved for any reason, re-scan and reconcile against the original list or the perpetual inventory numbers. If any variance is noted, it should be resolved before proceeding, and resolution should include a requirement for supervisory approval. If the lot of equipment changes hands, e.g., consignment to a logistics carrier, inventory should again be scanned, and both parties should verify the accuracy of the lists with their signatures.
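The "discipline of lists" described above can be expressed as a small reconciliation routine. The following is an added example, not code from the article or from Redemtech: it assumes scanned serial numbers arrive as plain strings, that the perpetual inventory is a mapping from serial number to secure location, and that a hand-off manifest carries the two parties' names plus a SHA-256 digest of the list in place of wet signatures (a stand-in assumption, not something the article specifies). The serial numbers and location names are constructed sample data.

```python
"""Chain-of-custody reconciliation for off-network data-bearing assets.

Added example (not the article's or Redemtech's code). Assumptions:
  - each scan is a list of serial-number strings as read by a scanner;
  - the perpetual inventory is {serial: secure_location};
  - a hand-off manifest records both parties' names and a SHA-256 digest
    of the asset list so a later copy of the list can be checked.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample perpetual inventory: serial number -> secure location.
INVENTORY: Dict[str, str] = {
    "SN-1001": "cage-A",
    "SN-1002": "cage-A",
    "SN-1003": "cage-A",
    "SN-2001": "cage-B",
}


@dataclass
class Variance:
    """Differences between a rescan and the perpetual inventory for one location."""
    missing: List[str] = field(default_factory=list)     # on record here, not scanned
    unexpected: List[str] = field(default_factory=list)  # scanned here, recorded elsewhere
    duplicates: List[str] = field(default_factory=list)  # same serial scanned twice

    def is_clean(self) -> bool:
        return not (self.missing or self.unexpected or self.duplicates)


def reconcile(location: str, scanned: List[str], inventory: Dict[str, str]) -> Variance:
    """Compare a rescan of one secure location against the perpetual inventory."""
    expected = {sn for sn, loc in inventory.items() if loc == location}
    counts = Counter(scanned)
    present = set(counts)
    return Variance(
        missing=sorted(expected - present),
        unexpected=sorted(present - expected),
        duplicates=sorted(sn for sn, n in counts.items() if n > 1),
    )


def move_assets(src: str, dst: str, scanned: List[str], inventory: Dict[str, str],
                approver: Optional[str] = None) -> Tuple[Dict[str, str], dict]:
    """Record a move only if the rescan reconciles, or a supervisor has approved the variance.

    Returns the updated inventory and a move record; the caller's inventory is not mutated.
    """
    variance = reconcile(src, scanned, inventory)
    if not variance.is_clean() and approver is None:
        raise ValueError(f"variance at {src}: {variance}; supervisory approval required")
    updated = dict(inventory)
    for sn in set(scanned):          # only assets physically scanned change location
        updated[sn] = dst
    record = {"from": src, "to": dst, "count": len(set(scanned)),
              "variance": variance, "approved_by": approver}
    return updated, record


def custody_manifest(scanned: List[str], released_by: str, received_by: str) -> dict:
    """Build the list both parties verify when a lot changes hands (e.g. to a carrier)."""
    assets = sorted(set(scanned))
    digest = hashlib.sha256("\n".join(assets).encode()).hexdigest()
    return {"assets": assets, "sha256": digest,
            "released_by": released_by, "received_by": received_by}


def verify_manifest(manifest: dict) -> bool:
    """Check that a manifest copy still matches the digest both parties signed off on."""
    digest = hashlib.sha256("\n".join(manifest["assets"]).encode()).hexdigest()
    return digest == manifest["sha256"] and bool(manifest["released_by"]) \
        and bool(manifest["received_by"])


def demo() -> dict:
    """Walk one lot from cage-A to a carrier; returns the outcomes for inspection."""
    clean = reconcile("cage-A", ["SN-1001", "SN-1002", "SN-1003"], INVENTORY)
    flawed = reconcile("cage-A", ["SN-1001", "SN-1002", "SN-1002", "SN-2001"], INVENTORY)
    try:
        move_assets("cage-A", "carrier-truck-7", ["SN-1001"], INVENTORY)
        refused = False
    except ValueError:
        refused = True                # a short scan cannot proceed without a supervisor
    updated, rec = move_assets("cage-A", "carrier-truck-7",
                               ["SN-1001", "SN-1002", "SN-1003"], INVENTORY)
    manifest = custody_manifest(["SN-1001", "SN-1002", "SN-1003"],
                                "ops-asmith", "carrier-bjones")
    return {"clean": clean.is_clean(), "flawed": flawed, "refused": refused,
            "moved_to": updated["SN-1001"], "record": rec, "manifest_ok": verify_manifest(manifest)}


if __name__ == "__main__":
    print(demo())
```

The point of returning a fresh inventory rather than editing in place is that a refused move leaves the perpetual records untouched, so the variance can be investigated against the last known-good state.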