1. Home
  2. Articles
  3. Employment Career Feature
  4. Computer-Removable Media Quantifying and Managing the Threat







Supports PDF, DOC, DOCX, TXT, XLS, WPD, HTM, HTML files up to 5 MB

Category
Employment Career Feature(44,024)
Employment Job Profile(2,368)
Employment News(912)
Employment Star(464)
Employment Resume Tips(179)
Employment Career Tips(116)
Tags
employers(212)
problem(110)
job market(109)
industry(90)
organizations(88)
United States(75)
EmploymentCrossing(73)
salary(73)
job searches(71)
economy(69)
resumes(65)
websites(65)
managers(64)
businesses(63)
careers(63)
job openings(62)
workers(55)
attorneys(52)
environments(52)
plans(52)
recession(50)
methods(48)
professions(48)
Harrison Barnes(44)
New York(43)
new jobs this week On EmploymentCrossing

499

jobs added today on EmploymentCrossing

103

job type count

On EmploymentCrossing

Healthcare Jobs(342,151)
Blue-collar Jobs(272,661)
Managerial Jobs(204,989)
Retail Jobs(174,607)
Sales Jobs(161,029)
Nursing Jobs(142,882)
Information Technology Jobs(128,503)
top 5 job searches
devops jobs
paralegal jobs
engineer jobs
Tech jobs
sales jobs
back to all articles

Computer-Removable Media Quantifying and Managing the Threat

1 Views      
What do you think about this article? Rate it using the stars above and let us know what you think in the comments below.
Computer Removable Media (CRM) has become ubiquitous in both the consumer electronic marketplace and the modern office. The threat of “information leakage” associated with these devices is tangible and demonstrable. Devices such as USB flash drives, digital music players, and smart phones are now seen as posing significant security threats, yet most security managers admit to not actively monitoring or preventing their uses. At the same time, most information security policies and practices do not directly address these new technologies, which are capable of storing and transporting large amounts of data in very small physical packages. Consider that when the first consumer flash drives appeared in 1999, their capacity was around 8MB. Today, a digital camera can easily store 4GB or more, and an iPod holds up to 80GB of data. On the immediate horizon are smaller, faster devices with even greater capacities.

Increased legal and regulatory requirements such as the Data Protection Act and the Payment Card Industry (PCI) Data Security Standard require organizations to exercise due care in safeguarding certain personal information. Comprehensive security measures have already been implemented by many financial institutions—in some cases, “locking down” the use of USBs without authorization and/or monitoring in a bid to mitigate this growing risk. Recent incidents such as the massive compromise of more than 45.6 million credit card numbers at TJX from July 2005 through January 2007 illustrate that this threat is quite real. TJX recorded a $118 million charge in its second-quarter financial report to cover costs related to the incident. TJX also said it expects to incur at least an additional $21 million related to the breach.

An effective security architecture incorporates a combination of technical and procedural elements to provide effective countermeasures to emerging threats posed by removable media. The rapid pace of technological change demands a security strategy that is both flexible and adaptable.



The following areas should be considered to mitigate the threat posed by CRM:
  • Device Hardening: Implement baseline security configurations at the operating system or hardware level that restrict or prohibit the use of devices such as USB flash drives. Disabling the USB port(s) at either the physical or logical level can provide an additional layer of security. Many security software products in the rapidly evolving area of USB control can also provide very granular logical control over USB devices.

  • Policies & Procedures: Manage the use of removable media and communicate the policy to all staff members. Policies and procedures should be part of the organization’s overall security policy and be aligned with appropriate Human Resources policies.

  • Awareness: Employees who handle sensitive information should be made aware of the security implications of removable media. Creating a security-aware workforce will improve monitoring, oversight, and compliance at the grassroots level.

  • Encryption: Consider implementing strong encryption for both data in motion and data at rest. Centrally administered schemes based on a Public Key Infrastructure and/or digital certificates provide enterprise-level key management, and integration has been proven to be effective in medium to large organizations. Smaller organizations can take advantage of a number of commercial packages to provide similar functionality.
Building an effective security program that considers emerging threats such as CRM requires a complete understanding of relevant legal and regulatory considerations affecting the industry and organization. Regulations such as HIPAA, Sarbanes-Oxley, and GLBA can serve to clearly delineate risk while at the same time providing guidance as to what steps must be taken to achieve compliance.

Technology’s rate of change will continue to present new control challenges. In an environment of increasing regulatory constraint, organizations must carefully assess and manage technology risk. However, the basic tenets of security and risk management—people, process, and technology—continue to be relevant as the foundation for managing current and future risks.

About the Author

John Rostern is the director of technology risk management for the Jefferson Wells New York-area offices. He has more than 25 years of experience in all aspects of information technology, including information security and IT audit. He can be reached at (212) 823-8600 or via email at john.rostern@jeffersonwells.com.

Jefferson Wells is a global provider of professional services in the areas of internal audit and controls, technology risk management, tax, and finance and accounting. It serves clients, including Fortune 500 and Global 1000 companies, from more than 50 offices across North America and Europe.
If this article has helped you in some way, will you say thanks by sharing it through a share, like, a link, or an email to someone you think would appreciate the reference.

Popular tags:

 security policies  packages  management  policies and procedures  data  devices  public key infrastructure  January 2007  technological changes  usage


Related articles

 Information Leaks? Blame Your Office Photocopier and Your Local FedEx Kinkos
 Backup Facility and Data Security
 The Problem with End User Security Training: Part One
 Database Archiving for Tomorrow
 Behold the EncryptaKey-per!
 Information Technology Jobs
 The Problem with End User Security Training, Part Two: The Personal Privacy Angle
 Database Auditing: Who Did What, to Which Data, When?
 How the Rise of SaaS Relates to SOX, SAS 70, and Your Legal Contracts
 Picky About Passwords: From Retina Scans to Password Audits, Tips to Keep Your Computer Secure
What I liked about the service is that it had such a comprehensive collection of jobs! I was using a number of sites previously and this took up so much time, but in joining EmploymentCrossing, I was able to stop going from site to site and was able to find everything I needed on EmploymentCrossing.
John Elstner - Baltimore, MD
  • All we do is research jobs.
  • Our team of researchers, programmers, and analysts find you jobs from over 1,000 career pages and other sources
  • Our members get more interviews and jobs than people who use "public job boards"
Shoot for the moon. Even if you miss it, you will land among the stars.
EmploymentCrossing - #1 Job Aggregation and Private Job-Opening Research Service — The Most Quality Jobs Anywhere
EmploymentCrossing is the first job consolidation service in the employment industry to seek to include every job that exists in the world.
Copyright © 2024 EmploymentCrossing - All rights reserved. 169