Tuesday, June 06, 2006

Physical security within employer premises and when working at home

Recently there have been sensational media reports about the loss or theft of data CDs, diskettes, or laptop computers containing live production data about consumers, including their Social Security numbers. The most sensational of these reports concerned the Veterans Administration, with the loss of data on upwards of 26 million veterans from a laptop computer taken from a private home that was burglarized. Both government agencies and private companies have been involved. Sometimes data has been lost in shipment.

It has become common for workers to telecommute and work from home, which in some cases could mean live data residing in caches on personal computers. In such cases, it is becoming clear that employers should always provide a company-owned computer reserved for company use only. But probably only employees whose homes meet certain physical security standards (such as deadbolt locks and no sliding glass doors) should be allowed to work from home this way.

Likewise, employees often take paperwork home, and this can contain confidential information. That may have been all right in the 1980s and 1990s, but it would not be all right today. One problem was that quality assurance testing was often based on extracting and loading large amounts of production data. Production parallel “beta test” runs often involved full parallels on full production data for weeks at a time, with all output reports checked. Today such tests must be done in a much more secure manner. For financial systems implementations, companies will have to invest much more in adequate test data design with non-live data. Possibly randomizing scrub routines could be used.

Still, if credit grantors were forced to be much more careful in validating the identities of consumers, as discussed in succeeding entries on this blog, the problem would be much less serious.

It is probably not a good idea for small businesses to do their own credit card and merchant account processing, given the liability concerns if their servers were compromised. It is probably safer to outsource such processing to companies with enough scale to secure personal data properly. But large companies, as we know, have not always been reliable.
