Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Deal With Sensitive Data?

Posted by ryuzaki0 on from the just-turn-off-db-access-for-everyone dept.

imus writes "Just wondering how most IT shops secure sensitive data (customer records). Most centrally managed databases seem to be monitored and maintained very well and IT workers know when they are tampered with or when unauthorized access occurs. But what about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs? How are companies dealing with situations where the database is relatively secure, but end-use devices contain bits and pieces of sensitive business data, and sometimes whole segments? Does anyone use sensitive data discovery software such as Find_SSNs or Senf or other tools? Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?"

11 of 226 comments (clear)

  1. Easy by pak9rabid · · Score: 3, Insightful

    Pay your employees enough to make protecting your company's data on their computers/PDAs worthwhile.

    1. Re:Easy by QuantumRiff · · Score: 4, Insightful

      Try having well written, very clear policies that that kind of action is forbiden. Of course, a piece of paper means crap to most employees, but the first time you fire someone for violating that policy, the grapevine and water cooler will provide more training than a dozen hour long meetings could convey..

      --

      What are we going to do tonight Brain?
    2. Re:Easy by techno-vampire · · Score: 5, Insightful
      Try having well written, very clear policies that that kind of action is forbiden.

      It's all well and good having policies like that, but if your employees either don't know about them or can plausibly claim they don't know, they won't do any good. Every employee who has, or even might have access to sensitive data should be required to sign a copy of that policy and it should be part of their records. That way, if anything happens, they won't be able to pretend they didn't know they were violating company policy. Depending on local laws, this might help you avoid (or defend) a suit for wrongful termination.

      --
      Good, inexpensive web hosting
    3. Re:Easy by syousef · · Score: 4, Insightful

      but the first time you fire someone for violating that policy

      Another one that thinks the solution is to fire employees, and gets modded insightful. You know what I get the impression that most slashdotters would make piss poor bosses. Firing employees randomly when they violate a policy to set an example isn't exactly smart.

      Do you know what it costs to hire an employee, and get them up to speed doing their job well? Never mind the fact that the next person you hire to fill the roll might be a dud, or that the job market may mean the position goes unfilled for quite some time. Do you know what it does to morale? That gossip around the water cooler gets people updating resumes and looking for work elsewhere before they're fired for some other petty reason to set an example. Then there's the legal aspect - if you're wanting to avoid unfair dismissal claims providing clear guidelines is just one step - you have to show that the on the spot firing was justified. Then there's the human aspect - unless you're a soul-less piece of shit that cares not a jot about destroying a family's livelihood you may want to look for actions that don't leave people jobless.

      --
      These posts express my own personal views, not those of my employer
  2. 12345 by lazycam · · Score: 5, Insightful

    The strength of your encryption means nothing in the face of a user who insists on using their birthday as a password or keep a post-it on their computer monitor. Unless you are able to force individuals to use strong or randomly generated passwords you are at a loss. In the end, human behavior will circumvent our best security.

    --
    my mom posts on slashdot.
  3. Send letters by chinakow · · Score: 3, Insightful

    From what I can see, most companies wait until the sensitive data is lost or stolen then they send every customer a letter telling them it is gone and offering to pay someone to keep an eye on their credit. Other than that, I think the policy must be, "ignorance is bliss." That is just my two cents.

  4. Um by Mateo_LeFou · · Score: 4, Insightful

    Isn't the point of GP that when you pay the proper amount, you can often count on -- gasp -- *competent people coming to work.

    --
    My turnips listen for the soft cry of your love
    1. Re:Um by magpie · · Score: 3, Insightful

      Since when have pay and competence had anything to do with each other?

      Look in your average board room if you want evidence of the lack of a link.

  5. Legitimate selects? by MartinG · · Score: 4, Insightful

    What about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs?

    What kind of employee? General users shouldn't be doing selects directly anyway, but should be using software that limits what they can query to the minimum information they need, preferably not in a general purpose form like csv. On the other hand the developers of that software need to do all and any kinds of selects for a whole range of reasons. They however, should not be let anywhere near the actual production databases.

    This is how we do it anyway.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  6. Re:Policies by aztracker1 · · Score: 4, Insightful

    Personally, I can't see *ANY* instance where a full set of SSNs for more than a handful of people should *EVER* be needed on a laptop... I mean, if you are entering data, sure... but WTF should anyone be carrying around some of the information that gets leaked.

    I think *IF* such information is needed for lookups, then a 1-way hash is a necessity. If you aren't responsible for dispatching to customer locations on a weekend, then you shouldn't need street addresses. I can see needing some information for customers, but SSNs, or CC data should *NEVER* be on anything outside of the office, or a backup storage facility.

    It's that simple. No SSNs leave the office... No CC information leaves the office... no street addresses leave the office, unless absolutely necessary.

    I've seen smaller companies that have the entire database in the "on call" laptop, that gets copied from the server friday, and to the server monday.. I shudder every time I think about it...

    --
    Michael J. Ryan - tracker1.info
  7. How about $10,000 per SSN? by rueger · · Score: 3, Insightful

    It seems like most of these stories involve some boob carrying data away on a laptop or USB key then losing it or having it stolen. Sure you want to acknowledge and deal with boobishness, but you also really need to address why the boob found it necessary to carry data away from the workplace in the first place, and why management encouraged and/or endorsed that action.

    If employees can complete work during a regular work day then there is no reason to take it home with them.

    If management insists that data security matters, it is possible to set up systems so that it's not possible for employees to copy of chunks of data and remove them.

    The solution likely is to nail these companies to the wall, and make it more expensive to let data out of the workplace that it is to hire more or better employees and develop secure internal systems to protect data.

    As it stands now a company can usually get by with firing one employee and saying "Oh my God! We promise this will never ever happen again!"

    For a start, how about a penalty of $10,000 for every SSN or credit card number released to the wild, no matter what the reason or excuse? Suddenly losing a laptop with 100,000 customer files will become a VERY big deal.

    --
    Three Squirrels