Page 1296 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Offsite Challenges to Security
The constant threat of theft and vandalism is the bane of
information security professionals worldwide. Personal identity
information, proprietary information, trade secrets, and other forms
of confidential data are just as interesting to direct competitors and
other unauthorized parties as they are to those who create and
possess them. Here's an example.
Aaron knows the threats to confidential data firsthand, working as
a security officer for a very prominent and highly visible computing
enterprise. His chief responsibility is to keep sensitive information
from being exposed to unauthorized people and organizations. Bethany
is one of his more troublesome employees because she constantly
takes her notebook computer off site without properly securing its
contents, for example by leaving the data on it unencrypted.
Even a casual smash-and-grab theft attempt could put thousands
of client contacts and their confidential business dealings at risk of
being leaked and possibly sold to malicious parties. Aaron knows
the potential dangers, but Bethany just doesn’t seem to care.
This raises the question: How might you better inform, train, or
advise Bethany so that Aaron does not have to relieve her of her
position should her notebook be stolen? Bethany must come to
understand and appreciate the importance of keeping sensitive
information secure. It may be necessary to emphasize the potential
loss and exposure that comes with losing such data to wrongdoers,
competitors, or other unauthorized third parties. It may suffice to
point out to Bethany that the employee handbook clearly states
that employees whose behavior leads to the unauthorized
disclosure or loss of information assets are subject to loss of pay or
termination. If such behavior recurs after a warning, Bethany
should be rebuked and reassigned to a position where she can’t
expose sensitive or proprietary information—that is, if she’s not
fired on the spot.