[Fed-Talk] Physical security question
[Fed-Talk] Physical security question
- Subject: [Fed-Talk] Physical security question
- From: "Jerry L. Blackmon II" <email@hidden>
- Date: Tue, 06 Oct 2009 11:14:33 -0400
- Thread-topic: Physical security question
Title: Physical security question
Here’s a question I’m sure some of you in more secure environments have probably addressed, and I’m interested in hearing your solutions.
I work for Treasury in a role where I have access to original data for everything needed to produce currency, from design through printing. This entire process is run from start to finish on Macs, and our IT Security division has no idea how vulnerable the existing process is to leaking, like a swiss cheese battleship, not only the data needed to create the very same currency notes the government produces, but also every counterfeit security safeguard there is, undetectably. Most of this data should be considered top secret, in my opinion, but the BEP only requires a high sensitivity Public Trust clearance to do tech support. Fine for the PC side, I guess, since it’s not likely that a tech will have access to enough of this information to be considered a risk, but woefully inadequate on the Mac side, as you can see. On an almost daily basis I’m asked to support projects that the government employees engaged in them can’t talk to me about. But I take their machines for reimaging, and there’s all the sensitive data laid out for me to copy as I please. Obviously a problem.
So my question is: what do you do in other environments to physically secure your machines? The drives in the latest Mac Pros can be removed and reinstalled without a screwdriver. An iPod could store gigs of data undetectably and be taken from the building without anyone’s knowledge. An iPhone could be used to connect directly to the outside world obviating any network security Treasury has in place. How do you handle data stored on local drives when you image them? You have to make a copy of the drive in order to restore the user’s data — what happens to that data during and after the imaging process, and how do you ensure the policy has been followed?
I’m going to brief IT Security on these risks and they will expect me to propose solutions, so I want to see what else is going on out there before I decide on an approach that will likely become the standard moving forward.
Any advice/suggestions y’all can give would be greatly appreciated.
Thanks,
--
Jerry L. Blackmon II <email@hidden>
Senior Systems Administrator
Open Technology Group (Contractor)
OITO, Bureau of Engraving and Printing
"The more I learn about computers, the more I like my pencil." -- Susan Katz
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden