1. Home
  2. Information Technology Articles
  3. InformationTechnology Career Feature
  4. Computer-Removable Media Quantifying and Managing the Threat







Supports PDF, DOC, DOCX, TXT, XLS, WPD, HTM, HTML files up to 5 MB

Category
InformationTechnology Career Feature(44,024)
InformationTechnology Job Profile(2,368)
InformationTechnology News(912)
InformationTechnology Star(464)
InformationTechnology Resume Tips(179)
InformationTechnology Career Tips(116)
Tags
industry(85)
organizations(59)
employers(54)
Internet(53)
computers(52)
customers(52)
businesses(50)
managers(48)
engineering(43)
methods(37)
United States(36)
management(33)
projects(30)
careers(28)
degrees(28)
information technology(28)
security(28)
certifications(27)
knowledge(27)
plans(27)
programming(27)
data(25)
websites(25)
costs(24)
experts(24)
total jobs On InformationTechnologyCrossing

269,836

new jobs this week On InformationTechnologyCrossing

18,410

total jobs on EmploymentCrossing network available to our members

1,475,729

job type count

On InformationTechnologyCrossing

Programmer (106,637)
Software Engineer (70,626)
Lead Programmer Analyst (61,618)
Senior Programmer (59,363)
Senior Software Engineer (32,366)
HTML Developer (22,418)
Network Analyst (21,016)
top 5 job searches
senior jobs
project jobs
data jobs
information security jobs
Information Architect jobs
back to all articles

Computer-Removable Media Quantifying and Managing the Threat

1 Views      
What do you think about this article? Rate it using the stars above and let us know what you think in the comments below.
Computer Removable Media (CRM) has become ubiquitous in both the consumer electronic marketplace and the modern office. The threat of “information leakage” associated with these devices is tangible and demonstrable. Devices such as USB flash drives, digital music players, and smart phones are now seen as posing significant security threats, yet most security managers admit to not actively monitoring or preventing their uses. At the same time, most information security policies and practices do not directly address these new technologies, which are capable of storing and transporting large amounts of data in very small physical packages. Consider that when the first consumer flash drives appeared in 1999, their capacity was around 8MB. Today, a digital camera can easily store 4GB or more, and an iPod holds up to 80GB of data. On the immediate horizon are smaller, faster devices with even greater capacities.

Increased legal and regulatory requirements such as the Data Protection Act and the Payment Card Industry (PCI) Data Security Standard require organizations to exercise due care in safeguarding certain personal information. Comprehensive security measures have already been implemented by many financial institutions—in some cases, “locking down” the use of USBs without authorization and/or monitoring in a bid to mitigate this growing risk. Recent incidents such as the massive compromise of more than 45.6 million credit card numbers at TJX from July 2005 through January 2007 illustrate that this threat is quite real. TJX recorded a $118 million charge in its second-quarter financial report to cover costs related to the incident. TJX also said it expects to incur at least an additional $21 million related to the breach.

An effective security architecture incorporates a combination of technical and procedural elements to provide effective countermeasures to emerging threats posed by removable media. The rapid pace of technological change demands a security strategy that is both flexible and adaptable.



The following areas should be considered to mitigate the threat posed by CRM:
  • Device Hardening: Implement baseline security configurations at the operating system or hardware level that restrict or prohibit the use of devices such as USB flash drives. Disabling the USB port(s) at either the physical or logical level can provide an additional layer of security. Many security software products in the rapidly evolving area of USB control can also provide very granular logical control over USB devices.

  • Policies & Procedures: Manage the use of removable media and communicate the policy to all staff members. Policies and procedures should be part of the organization’s overall security policy and be aligned with appropriate Human Resources policies.

  • Awareness: Employees who handle sensitive information should be made aware of the security implications of removable media. Creating a security-aware workforce will improve monitoring, oversight, and compliance at the grassroots level.

  • Encryption: Consider implementing strong encryption for both data in motion and data at rest. Centrally administered schemes based on a Public Key Infrastructure and/or digital certificates provide enterprise-level key management, and integration has been proven to be effective in medium to large organizations. Smaller organizations can take advantage of a number of commercial packages to provide similar functionality.
Building an effective security program that considers emerging threats such as CRM requires a complete understanding of relevant legal and regulatory considerations affecting the industry and organization. Regulations such as HIPAA, Sarbanes-Oxley, and GLBA can serve to clearly delineate risk while at the same time providing guidance as to what steps must be taken to achieve compliance.

Technology’s rate of change will continue to present new control challenges. In an environment of increasing regulatory constraint, organizations must carefully assess and manage technology risk. However, the basic tenets of security and risk management—people, process, and technology—continue to be relevant as the foundation for managing current and future risks.

About the Author

John Rostern is the director of technology risk management for the Jefferson Wells New York-area offices. He has more than 25 years of experience in all aspects of information technology, including information security and IT audit. He can be reached at (212) 823-8600 or via email at john.rostern@jeffersonwells.com.

Jefferson Wells is a global provider of professional services in the areas of internal audit and controls, technology risk management, tax, and finance and accounting. It serves clients, including Fortune 500 and Global 1000 companies, from more than 50 offices across North America and Europe.
If this article has helped you in some way, will you say thanks by sharing it through a share, like, a link, or an email to someone you think would appreciate the reference.

Popular tags:

 usage  Sarbanes-Oxley Act  technological changes  security policies  policies and procedures  marketplace  management  Payment Card Industry  devices  packages


Related articles

 Information Leaks? Blame Your Office Photocopier and Your Local FedEx Kinkos
 Backup Facility and Data Security
 The Problem with End User Security Training: Part One
 Database Archiving for Tomorrow
 Behold the EncryptaKey-per!
 Information Technology Jobs
 The Problem with End User Security Training, Part Two: The Personal Privacy Angle
 Database Auditing: Who Did What, to Which Data, When?
 How the Rise of SaaS Relates to SOX, SAS 70, and Your Legal Contracts
 Picky About Passwords: From Retina Scans to Password Audits, Tips to Keep Your Computer Secure
I was very pleased with the InformationTechnologyCrossing. I found a great position within a short amount of time … I definitely recommend this to anyone looking for a better opportunity.
Jose M - Santa Cruz, CA
  • All we do is research jobs.
  • Our team of researchers, programmers, and analysts find you jobs from over 1,000 career pages and other sources
  • Our members get more interviews and jobs than people who use "public job boards"
Shoot for the moon. Even if you miss it, you will land among the stars.
InformationTechnologyCrossing - #1 Job Aggregation and Private Job-Opening Research Service — The Most Quality Jobs Anywhere
InformationTechnologyCrossing is the first job consolidation service in the employment industry to seek to include every job that exists in the world.
Copyright © 2024 InformationTechnologyCrossing - All rights reserved. 21