Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Deal With Sensitive Data?

Posted by ryuzaki0 on from the just-turn-off-db-access-for-everyone dept.

imus writes "Just wondering how most IT shops secure sensitive data (customer records). Most centrally managed databases seem to be monitored and maintained very well and IT workers know when they are tampered with or when unauthorized access occurs. But what about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs? How are companies dealing with situations where the database is relatively secure, but end-use devices contain bits and pieces of sensitive business data, and sometimes whole segments? Does anyone use sensitive data discovery software such as Find_SSNs or Senf or other tools? Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?"

8 of 226 comments (clear)

  1. Sensitive Data by cheebie · · Score: 5, Funny

    I try not to talk loudly around it, and make sure it's emotional needs are met.

  2. Our hospital records are strongly protected by Anonymous Coward · · Score: 5, Funny

    we use a robots.txt file and a strongly worded "keep out - private data" header on all important records

  3. Unless of course, you're.. by Channard · · Score: 5, Informative

    .. The UK Government. 600 lost laptops over the last ten years! Including two from the MOD with very sensitive data on them. And that's just electronic data. Despite the public being told how important shredding documents is, some commercial enterprises seem to be just chucking sensitive data out in the bin, unshredded.

  4. Once found, here's what you do by bugnuts · · Score: 5, Interesting

    Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?

    First off you need to have a policy on who is allowed to extract it, and how they should handle the data (be it encryption, keeping the data on-site, etc).

    But here's the trick: If you find data kept in violation of the policy, you send EVERYONE to training. I'm talking mandatory training where they lose computer access (and thus, don't get paid) until they do the training. All new hires have to do it, too. Make it really boring, and administered after normal work hours.

    After the first time everyone is sent to training for some poor schmuck being careless, I guarantee nobody will ever violate policy again.

  5. 12345 by lazycam · · Score: 5, Insightful

    The strength of your encryption means nothing in the face of a user who insists on using their birthday as a password or keep a post-it on their computer monitor. Unless you are able to force individuals to use strong or randomly generated passwords you are at a loss. In the end, human behavior will circumvent our best security.

    --
    my mom posts on slashdot.
  6. Enforce Strict Naming Conventions by jaguth · · Score: 5, Funny

    I name all of my sensitive files, databases, tables, and fields with names that nobody would want to touch, such as "Smashing Pumpkins Discography DB", "tblPeeWeeHerman", "Oprah.txt", ect.

    And for storage, I burn them all to DVD and put them inside empty "Aerosmith" jewel cases. Keeps them nice and safe from prying eyes.

  7. Re:Easy by techno-vampire · · Score: 5, Insightful
    Try having well written, very clear policies that that kind of action is forbiden.

    It's all well and good having policies like that, but if your employees either don't know about them or can plausibly claim they don't know, they won't do any good. Every employee who has, or even might have access to sensitive data should be required to sign a copy of that policy and it should be part of their records. That way, if anything happens, they won't be able to pretend they didn't know they were violating company policy. Depending on local laws, this might help you avoid (or defend) a suit for wrongful termination.

    --
    Good, inexpensive web hosting
  8. Start at the top by Anonymous Coward · · Score: 5, Interesting

    The main problem usually happens at the top - or the legal department.

    I worked at a place with a clear and documented policy against transmitting sensitive information over insecure networks - including the old text pagers from RIM (prior to the GSM blackberry). It was routine for me to receive sensitive/proprietary information on my pager from legal counsel. When I pointed out their failure to secure that data, they simply said I was paranoid - not that I'd misinterpreted the policy. They were too busy to worry about that. I documented every instance and handed 1 copy to the CIO, another to the secretary of the Chief Counsel and the final with the CEO's secretary since I couldn't get in to see either of them. I did this on my last day working there - left for a better job.

    Turns out the new job wasn't any better with important data - they wanted me to recover data from a desktop where they escorted the contractor out of the building. I don't know why. Seems he didn't really use the machine and remoted into his home server and a colo server for almost everything. The contract didn't ensure he placed all the code into the corporate SCS weekly or that he would document it or write manuals. 6 months of hourly cash paid and basically nothing to show for it. I did find a password protected ZIP file full of stuff - took 3 days to brute force it, but it was over 3 weeks old and the code didn't run.

    The company didn't even have a $20 background check performed before giving him access to the network. I would have liked a clean drug test too.

    Also, being tight at the start of a company is easier than after the barn doors are already open. Most of us start ups don't have the willpower to do this - or the technical expertise.