Security Basics mailing list archives

Re: Physical Security & Protecting Information


From: discipulus <discipulus () attbi com>
Date: Fri, 14 Mar 2003 06:17:48 -0700

On Thursday 13 March 2003 05:42 pm, Todd scribbled:
I would make sure that HR and Legal have armed themselves with a signed
confidentiality agreement from all employees, vendors, and
contractors (include something about intellectual property rights). Ensure
they make it part of the new employee orientation process and a reminder
upon the termination/exit of an employee.

Yes, I agree and believe this is standard practice with a lot of corporate HR
and Legal departments.


Also, confirm existence of copyright notices in source code,

Agreed, this should be standard with most commercial software companies.

clear audit
trails and custodial efforts for any media in hardcopy of paper or disc are
a standard policy and part of regular auditing.

Do you mean mechanisms and/or procedures used to conduct audits on
copy activity, i.e., via printing, floppy or CD burning?  How would one
go about this?  How could I find out what files Bob secretly copied to
a floppy or CD?


Try to get this in your
security policy and endorsed by upper management to keep line managers as
sole heirs of responsibility in this task.

This sounds logical and I also think the endorsement you speak of should
include a "get out of jail free" card for security personnel tasked with 
conducting the audits.


Finally, keep a good awareness program.  Remind end-users that security is
best served through their diligence and reporting of suspicious activities.
Also, try to remind upper management by sending them occasional articles
on same.

Hope that gives you somewhere to start.

Yes, thanks for the informative response.  I personally feel that awareness 
and employee/management involvement is a very important part of this.


