I fight this issue a lot here. Disgruntled employees who have access to important data. There are a million ways for this stuff to get out. Hell, they have to have access because it is their job. So it is a tightrope walk on what to do.
I also have the opposite. Data that people have access to a piece at a time. Giving them a quick spreadsheet of all of it will make their job 300000X easier. But I'm not allowed to because the info put together in such a way could be lost, or stolen or whatever. But they have access to the same info one piece at a time. Drives me insane! :) Internal security is definitely different, and very gray.

> -----Original Message-----
> From: Chris Travers [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 22, 2003 10:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: "It's ok we're behind a firewall"
>
> My own perspective is this---
>
> Internal security is just *different.* This is one of the reasons for the
> firewall. If a company didn't have a firewall, I am still convinced that
> they would be at *far greater* risk to external rather than internal
> threats. But that doesn't address the following issues:
>
> 1: Many companies have sensitive documents that need to be protected--
> controlling access to these minimizes the chance of leaks.
>
> 2: Would any executive want everyone in the company to have unlimited
> access to sensitive information like corporate bank account numbers, credit
> card numbers, etc?
>
> So we can establish the need for internal security. My own preference is to
> divide up areas into security zones and determine how each zone (logically
> or preferably physically) is to be secured. Are ethernet ports in
> conference rooms a good idea? Is the risk that they bring in acceptable?
> What about wireless LAN? What are the business benefits? What are the
> risks?
>
> Also it is extremely important to remember that the entrepreneurs or execs
> are the ones responsible for defining acceptable risk. It never hurts to
> keep people thinking about that-- and rather than saying "you have a
> security problem." I usually say "Is this risk acceptable? How does ___
> benefit your business? Would ___ work for you as well?"
>
> Anyway, this is my $.02 worth.
>
> Best Wishes,
> Chris Travers
