My standard response...
If you are worried about users absconding with information on USB drives,
please don't forget about several other methods that are also
available:
* corporate e-mail
* web-based free e-mail
* instant messengers
* peer-to-peer file sharing utilities
* USB drives that install their own drivers
* digital cameras and MP3 players
* 1394 firewire drives
* CD and DVD recorders
* parallel port hard drives
* floppy disks
* infrared port or network transfer to other computers
* print outs
* digital photographs and screen captures
* telephone dictation

If someone wants to make off with data from your computers or network and
they've got access, generally they will be able to accomplish their goals. A
product like Rights Management Services can be very helpful here, but even
RMS won't stop what we call "analog attacks," like for instance placing the
monitor face on a photocopier and pressing the print button.

My recommendation: rethink the focus of your security policy. What risk is
the policy trying to mitigate? Usually it isn't a good idea for a *policy*
to mention specific pieces of technology. Policies describe acceptable
behavior and the consequences for violation. If removing confidential
information is a violation of policy, address it at the management level
(terminate the violator's employment), because it's really the only way you
can.
Steve Riley