Don’t Read The Interesting Stuff
It emerged that more than 600 HMRC staff have been disciplined for reading information about UK citizens that they shouldn’t have read, that is, without having a specific need to do so. I wrote about the decline of implicit trust a while ago and this is just another example. Of course it is impossible for people to avert their eyes if there is something sensitive on the screen - and human nature is always drawn to things that are interesting (just think of surfing the web and the tangents you follow). There is technology that can help in this instance…
Automated redaction technology has been around for a while - in essence it ‘hides’ interesting information within a document from unauthorized eyes. For example, it might hide names and addresses, bank details or tax return information.
With a database application, it is the application that needs to be altered so that sensitive information is not displayed. It is time to revisit not only who has access to applications but also exactly what information they have access to - and whether it is really necessary.
In cases where information does need to be viewed on occasion, a well-communicated corporate policy coupled with an on-screen question / warning, followed by an audit trail, works… That way people won’t be tempted to look at the interesting stuff that’s out there.
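A sketch of the two controls described above, added here as an example and not taken from any HMRC system: the application masks sensitive fields by default, and an occasional reveal requires an acknowledged warning plus a stated reason and always writes an audit entry. The record, field names, roles and function names are all assumptions made for illustration.

```python
import datetime

# Constructed sample record; field names are illustrative assumptions.
RECORD = {"ref": "TP-0001", "name": "A. Example", "address": "1 Sample Street",
          "bank_account": "00000000", "tax_due": "1250.00"}

SENSITIVE = {"name", "address", "bank_account", "tax_due"}
# Hypothetical roles: the sensitive fields each role sees without asking.
ROLE_FIELDS = {"helpdesk": set(), "caseworker": {"name", "address"}}

AUDIT_LOG = []  # stand-in for an append-only store outside the user's control


def masked_view(record, role):
    """Default screen: sensitive fields the role does not need are hidden."""
    allowed = ROLE_FIELDS.get(role, set())  # unknown role sees nothing sensitive
    return {k: (v if k not in SENSITIVE or k in allowed else "***")
            for k, v in record.items()}


def reveal(record, field, user, role, reason, acknowledged):
    """Occasional access: the user must acknowledge the on-screen warning and
    give a reason. Every attempt is audited, whether granted or refused."""
    if field not in record:
        raise KeyError(field)
    reason = (reason or "").strip()
    granted = bool(acknowledged and reason)
    AUDIT_LOG.append({
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user, "role": role, "record": record["ref"],
        "field": field, "reason": reason, "granted": granted,
    })
    if not granted:
        raise PermissionError("warning not acknowledged or no reason given")
    return record[field]


if __name__ == "__main__":
    print(masked_view(RECORD, "helpdesk"))
    print(reveal(RECORD, "tax_due", "u1", "helpdesk", "customer query", True))
    print(AUDIT_LOG)
```

Refused attempts are logged as well as granted ones, so a review of the audit trail shows who tried to look, not only who succeeded.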


