Narrowing The Search…

Yet more unencrypted data has been lost… well, no surprise there to be honest. At least they know where the data is - somewhere between London and the Isle of Wight, except it could be anywhere because it was en route with a courier.

There were two process failures here. The first was the fact that it was unencrypted data - which was making two trips, one to the third party and then one back to the owners. The other was that it took more than a week to know it was missing.

So, what to do… revisit old policies! If it involves confidential customer information and it’s going offsite then it should be encrypted. [Full Stop!] Backup products today can encrypt the information - so there is really no excuse. There should also be an effective tracking mechanism for data that is traveling with or being stored whether it is with a 3rd party or even by internal personnel. That way, even if the data is encrypted and lost the disaster recovery plan won’t be a disaster itself because the data isn’t where it was expected.

The good news, well piece of process, which we should all take heed of in this case was that the data was being verified as readable / usable. Frequently backup data is not checked and you get to the point of needing it and it is inaccessible, or not complete. I remember a case a few years ago when the data was required and there wasn’t any on the tape - except the header. The reason… the data had changed mount point on the system and the backup policy hadn’t been altered. So it regularly backed up ‘nothing’… and was always successful! So, checking the data integrity on a regular basis is a great habit to get into.

May 24, 2008 | Filed Under Availability, Information Policy, data-loss | Leave a Comment 

Don’t Send The Password With The Data

It emerged this week that one organization had to send out a memo to its staff reminding them not to send out encrypted documents with the password! I won’t mention which organization it is - as I have a feeling there are quite a few with this problem. The other one I have seen very recently, is the yellow sticky with the password attached to the laptop!

TheseĀ are great examples of where the people, process and product story has broken down. In both cases encryption is the technology - and that works to protect data. The process is in place - encrypt sensitive data if it might get lost (so, on a laptop, or in an email going out of an organization, or on a CD, or on a mobile phone, or … you get the picture) but the process is incomplete - what do you do with the password, how do you communicate it, if required. Finally there is a lack of education to the staff (or in this latest case the education is retrospective and reactive rather than proactive) - why are we doing this… to protect individuals’ information, or corporate information… and so if you send the password at the same time you may just as well have not encrypted it. Of course, there is some irony here - in the US with its disclosure laws if the data was encrypted when it was lost, then that is the end of it - no disclosure - even if the password was on a note!

Education needs to happen from the top to the bottom of an organization and processes need to reflect every step which includes how to communicate passwords when needed.

How do you send a password… well that just depends… in many cases you can just phone the person up and tell them, or you could send it by SMS text message… or… well you decide - it’s your organization. Just make sure that there is a policy and people know what it is.


Your Password Here

May 9, 2008 | Filed Under Information Policy, data-loss | Leave a Comment 

Eat In And Take-Away

It was reported this weekend that a member of the military popped into a MacDonald’s and while there an opportunist took his laptop from under his chair. Bad News. However, the laptop was encrypted and password protected. Good News. The laptop apparently contained no sensitive information. Strange News.

It’s good to hear that government laptops are now being protected appropriately, although if there is no sensitive data, then why does it need to be encrypted - perhaps a little overkill? Maybe, the definition of sensitive is different, or perhaps it might contain sensitive data in the future? When it comes to laptops full disk encryption is the best bet - that way you can be sure the data is reasonably well protected - and if you happened to be in the US then you wouldn’t have to disclose the fact it was lost. Perhaps this was disclosed over here to start re-building confidence in the government’s data handling policy?

April 15, 2008 | Filed Under Reputation, data-loss, security | Leave a Comment