"MI5 laptop snatched"
Joe Dauncey
toothbrushhead at yahoo.com
Tue, 28 Mar 2000 16:16:56 +0100
Hi,
I'm afraid that for some reason or other I didn't get to see the reply from Ian,
but I assume I have read most of it as forwarded on by Barney.
Yes, within the large corporates there are often corporate security guidelines
pushed down from on high that are not adhered to, but it is often (from my
experience) a different thing with commercial deals between those corporates and
their customers. Where liability is seen in the $million/billion there is enough
concern at the grassroots level (first line management) to make sure that those
guidelines are adhered to. In cases I have worked on they have been exceeded.
Apart from anything else, corporate security standards are often not applicable
in commercial contracts where the security policy is separately negotiated.
Admittedly there is often some disparity between standards and reality for the
corporates' internal systems, but that is not where the problem of liability
comes in. It is in the commercial arrangements whereby supplier promises
customer that they can sleep easy at night for the modest cost of X $million
that liability becomes a concern and those oft-ignored security standards have
the dust wiped off them.
There is a difference between a lazy organisation that rolls solutions out and
pays lip service towards security and standards and an organisation that
implements over and above those standards and has a particularly keen eye for
the finer detail. My experience is being amongst the latter, and dealing with
the former. It also comes from working for two of the larger multinationals
(definitely not small or medium enterprise).
Joe
Barnaby Prendergast wrote:
> >From: Ian G Batten <I.G.Batten@ftel.co.uk>
> >Reply-To: ukcrypto@maillist.ox.ac.uk
> >To: ukcrypto@maillist.ox.ac.uk
> >Subject: Re: "MI5 laptop snatched"
> >Date: Tue, 28 Mar 2000 14:18:28 +0100 (BST)
> >
> >You write:
> > > The problem is that the business chaps understand the legal/financial
> > > liability that lies upon them and so take measures to secure those keys
> >
> >I beg to differ. You're looking at things from the perspective of a
> >small to medium enterprise. I've seen some horrors surrounding security
> >in telco environments, large manufacturing environments and so on, where
> >security is devolved as a purely rote function which is then pushed down
> >as a book of rules to be blindly followed. A lot of corporate security
> >guidelines are followed without any understanding of their function,
> >either tactically (``why is it a bad idea to write your passwords
> >down'') or strategically (``why is it a bad idea to have random users
> >using your machines''). We have endless trouble convincing users that
> >sharing passwords is a bad idea, for example.
>
> Agreed, and this is a particular nightmare of mine in my current position.
>
> >
> > > respective to that liability. If PC Plod then takes those keys, for
> > > which they have no liability, then they are not so motivated to
> > > implement appropriate security.
> >
> >Does a random employee of a multi-national have the aforementioned
> >``motivation''?
>
> We have made it a disciplinary offence (ultimately a dismissable one) for a
> user to reveal their password to anyone but authorised IT personnel (and
> then only in exceptional circumstances), and although this has still not
> solved the problem, it has reduced it by a significant degree (a few people
> simply do not care).
>
> >
> > > Cases like this do not suggest the entire physical security
> > > infrastructure of the intelligence services is rubbish, but it does
> > > little to inspire confidence.
> >
> >Ask an IT manager how many laptops they lose a year. They probably
> >won't tell you, but it won't be zero.
>
> Again I concede that there is more bad practice going on in the bright world
> of commerce than you can shake a stick at, but this is, IMHO, largely a
> different issue to the one whereby security is compromised by parties other
> than those over whom one has some degree of supervision and control.
>
> What the RIP Bill leaves, I think, is a situation whereby *theoretically*
> no-one's security can be better than the *theoretical* lowest level of
> security provided by the investigating powers and their agents. You'll
> notice that I'm not offering any solutions to this problem, just
> highlighting it, for which I offer my apologies.
> :o)
> Barney
>