Art Alexion on 2 Oct 2008 10:00:51 -0700
On Thursday 02 October 2008 12:10:33 pm JP Vossen wrote:
> > Date: Thu, 2 Oct 2008 11:07:58 -0400
> > From: Art Alexion <art.alexion@gmail.com>
> >
> > Knowing my users, I am considering two problems.
> [...]
>
> > Second involves the password itself. It can take up to a month to
> > teach our users that their VPN password is different from their NT
> > password, and that their UID and PWD are different on these shared
> > laptops from their desktops. When the laptops come back, the UID/PWD
> > is usually on a post-it on the wrist rest area of the keyboard. I can
> > only assume that the encryption password will be stuck there as well.
>
> That's a really good point, and I don't think you'll find a technical
> solution for it short of two-factor authentication, which I doubt is
> feasible for this project. Is there a chance you can get upper
> management's support though?

I almost literally rolled on the floor laughing on that one. They are the worst offenders.

> If no, then fully document the issue and
> forget it, but if yes, have them create and enforce a policy that
> requires encryption and forbids keeping the password anywhere near the
> device. (I know, easier said than done.)
>
> What I mean is, your users are going to write it down anyway, so don't
> fight it. Since the ID and password are different anyway, fine. Give
> them a laminated card with the UID, password and encryption password on
> it. Per upper management policy, *require* that the card be kept in
> their wallet or on their key chain and never, ever, stored with the
> laptop or left in the car, or elsewhere.

This is a really great idea. It may not always work, but it is better than any idea I have read or considered for solving this issue.

> Anyone found in violation will
> be etceteraed. Change the card every time the device is issued if you
> want to. Give them a printout of stuff from http://datalossdb.org/ if
> you think it would help.
>
> > I really don't care about their data, and our only concern would be
> > HIPAA.
>
> Right, and that's a stick to use with management. I don't like selling
> security using fear, but if nothing else will work... :-(

I often feel like I work in a company where auditors who suggest "annoying security measures" are replaced with new auditors the following year. Not really, but it feels that way.

> http://datalossdb.org/ might be of use. Or, they might decide they
> would be in good company and let it go. :-/
>
> You know your users and management better than I do, so I hope this is
> useful or at least sparks some ideas...

I really like the wallet card idea. Instead of fear and threats, it is just easy. The people I work with respond better to easy than threats and fear.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug