- Policies and Procedures. Organizations need to evaluate their needs and create policies that address what devices should and should not be connected to corporate systems. To be effective, these policies must be enforced.
File Rights Management. Organizations should provide access to only those files an employee needs to perform his or her job function. For example, a data entry clerk does not need access to marketing materials, design plans or merger and acquisition information. Keep in mind that if everyone in your organization has free access to all electronic data, it is very difficult to convince a judge and jury that you actually have trade secrets.
Digital Rights Management. Digital rights management takes file rights management one step further. While file rights management determines who has access to data, digital rights management controls what can be done with data by those authorized to access it.
The Information Rights Management capabilities built into Microsoft Office 2003 are an excellent illustration of this concept. Other products that provide the same functionality include
- Access Control Software. Access control software programs can control access to floppy drives, CD and DVD drives, and USB and FireWire devices. Some examples include
- DeviceWall from Centennial Software. Be sure to download their excellent white paper, "The Threat of Lifestyle Computing in the Enterprise."
- Sanctuary Device Control from SecureWave
- GFI LANGuard Portable Storage Control 2 from GFI Software
- DeviceLock from SmartLine Inc.
The threat of portable data storage devices is real and significant. It is time for businesses to defend against this threat, before their proprietary information ends up in the hands of a competitor.
John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at firstname.lastname@example.org.