I wish to thank you all for your informative responses. It doesn't appear that there is any easy way to effectively police something like this but like a lot of vulnerabilities, the goal isn't to eliminate but to minimize by making it extremely difficult for someone to exploit.
In a world where worms/viruses and external attacks garner most of the attention, I feel that an equal amount should focus on the protection of information through implementation and use of good physical security policy and procedures. I also think that one key strategy is education and involvement at all levels through the use of an effective security awareness program.

Thanks again.

-D

On Wednesday 12 March 2003 08:13 pm, discipulus scribbled:
> Hi,
>
> I've read a lot of posts on this list and others and a good deal of
> security related articles on this site and others like http://www.sans.org
> and http://www.cert.org. Most of what I have read focuses on network
> and/or computer security but I haven't found very much information that
> focuses on physical security, specifically in the area of protecting
> confidential proprietary company information.
>
> Here's a scenario that should clarify what I'm trying to explain:
>
> Bob who works as a developer for StealOurStuff inc. tells Mary in
> the next cube that he's had a job offer from a competitor, plans to
> quit soon but hasn't told anybody. In the afternoon the following day,
> Mary notices Bob loading up a box with CDs, floppies and other media,
> including reams of documentation. She also notices Bob loading this
> box into the trunk of his car at the end of the day.
>
> What can be done to keep this type of potential compromise from
> happening? From my perspective, even if you have armed
> security guards that check bags & boxes going in and out of a
> building, people can still find creative or not so creative ways to
> get it out. A standard CD isn't that big and flash cards are even
> smaller. Are there ways to keep someone from getting the information
> in the first place or at least record what they've obtained? How
> do you do this when they haven't yet provided notice they are
> leaving and still have access to loads of confidential information?
>
> I've read about corporate espionage cases where a perpetrator
> at one company busts into the network of another company and
> stumbles into a directory named "Proposals" of all things but
> employees who walk out the front doors carrying protected information
> seem just as damaging or more so to me.
>
> Any insight would be appreciated.
>
> Thanks