Is Your IP Thumbing a Ride?

Your article “How to Keep Portable Data from Escaping” in the May issue provided a good overview of some of the technology that could be used in protecting data (primarily on laptops) from being stolen. However you failed to mention the even bigger threat from lost or stolen devices such as USB thumb drives. The data capacity of these devices gets bigger and bigger (up to 4GB now), but the devices themselves are so small that they can be lost in a public place as easily as a pen. Even if your organization does not issue laptops or USB drives, there is often nothing stopping employees from bringing in their own. And often these devices are used to transfer “working” documents and spreadsheets between home and the office. Controlling these devices and encrypting them should also be a priority for protecting portable data.

Brian Found, CISSP, CCSP
IT Security Specialist
Elytra Enterprises

Senior Editor Sarah D. Scalet responds: CSO made the tactical decision to focus this particular article on portable computing devices, not portable storage devices like thumb drives. We will certainly keep Mr. Found’s thoughts in mind for future coverage.

A Case for Cleanliness

These are excellent security procedures [“Messy Desks Spill Secrets,” April]. We use a checklist with these features outlined in more detail to use at the end of every day. We also practice the “clean desk” policy when working with sensitive information. The desks should be clutter-free before, during and after the work. That way, if you have to leave your desk for a break, you will be more aware to lock up the information. This practice will eliminate opportunities for accidental disclosure of information you are required to protect.

Jeff Bennett
Security Administrator
Dynetics Inc.

So Trendy…So Risky

Excellent article by Dr. Garfinkel [“Attack of the iPods!” May]. I applaud his efforts to educate the public about these growing risks related to the proliferation of cheap USB and firewire devices (for example, iPods).

Abe Usher
Security Engineer, Sharp Ideas LLC

All Fired Up

I would like to compliment CSO on the courage to take on this vitally important topic [“Safe at Work,” April]. Dr. Park Dietz suggests that these types of cases should be handled gingerly to avoid escalation. I could not disagree more and say that the decision is situational and based on circumstances. In the eight years I held a Workplace Violence Interdiction assignment with the Postal Inspectors in New York, I conducted hundreds of workplace violence prevention investigations and threat assessments with the U.S. Postal Service. During that same period, I never encountered a situation where the perpetrator was angered at the system for my active intervention as much as they were angry at management for other reasons affecting their actions. While perpetrators insinuated threats to managers and victims, no aggressive retaliatory response ever ensued.

In fact, the direct opposite happened, having a positive and calming effect on the workplace, the victims and the witnesses who all knew the extent of the case during the unabated behavior. If the intent is to create a zero tolerance impression, then management cannot afford to drag its investigative feet.

Felix P. Nater
Security Management Consultant
Nater Associates

Editor’s Note: A longer audio version of the Q&A with Park Dietz is available online at www.csoonline.com/podcasts.