
Privacy and Security Lost And Found

Today I've been participating in an interesting discussion on the Security Catalyst Community about a project that Scott Wright is doing with Honey Sticks at his site.

Part of the discussion led to the possibility that one of the Honey Sticks that Scott had planted in a hotel, and had been "activated," may have been turned in to the hotel's lost and found.

The lost and found considerations reminded me of the March 2006 article I wrote for the CSI Alert, "Lexus Laptop Lockers." Here's the relevant excerpt...

>"I did a little experiment a month or so ago. While at the movie theater I asked if they had a lost and found. Without so much as a blink or question about what I lost, the helpful employee reached under the counter and set it in front of me. Inside, along with mittens and gloves, was a Blackberry, a couple of cell phones, a Swissbit with USB drive, and another type of portable computing device I had not seen before. "If you see what's yours, take it." No, I took nothing, but it was interesting to see how easily I could have."

{I'll post the full article on my site sometime in the next several days.}

I love doing these little human experiments, and I've done similar lost and found experiments at grocery stores, bookstores and restaurants. Each time the staff helping me were more than happy to show me their lost and found box and let me take whatever I told them was mine, no questions asked.

Which got me to thinking about any type of organization's lost and found policies...

What is your organization's lost and found policy?

What would your organization do if someone turned in a laptop, cell phone, USB drive, or any other type of computer or storage device? Would the Information Security area be notified?

Have you worked with the area that handles lost and found...typically in the Facilities Management area, but sometimes the Physical Security area...to establish tighter controls around computers and electronic storage devices?

What would happen if someone went to your organization's lost and found, said they lost something, and wanted to look through the lost and found box to find it? Would the folks set the box in front of them to look through and take whatever they wanted?

Or, if the folks asked the person what they lost, and the person said something vague like, "my computer," "my data storage device," or something similar, would the folks give them any of the objects that came close to that description?

Just think about the types of information that could be walking out your door via your lost and found box...and the lack of proper policies and/or procedures.

Do an experiment; go to your lost and found area and ask a similar question. Or, if the folks there know you, get someone they don't know to go ask the question. What do they do?

You could find a way in which information is walking out your door...security lost and...and later privacy breaches found...probably by somebody outside your organization!


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.