Tuesday, June 12, 2007

SANS loses it

I subscribe to SANS Newsbytes, one of the best mailing lists for security news around. Many of the news articles come with brief commentary by the editors, which usually adds value to the original articles.

I've noticed many recent articles about missing laptops (of course). This is a major security issue that requires a combination of technical and administrative countermeasures.

One measure I've seen SANS advocate indicates they have lost all sense of proportion, and any consideration of the secondary consequences of excessively severe policies. Yes, they are advocating that companies "make automatic termination the consequence of losing the laptop" (comment by Kreitner in May 8 2007 Newsbytes).

Knowing most organizations, I'm sure that terminating an otherwise diligent, productive employee for a missing laptop will not faze them in the least. Losing a laptop is a likely consequence of carrying one. Given the nature of business travel, the difficulty of keeping a laptop in your possession at all times, and the determination of thieves, it is inevitable that even the most diligent employee will find their laptop missing. Too bad - you lose your job. I assume termination would result if the laptop were stolen from your vehicle or home as well.

Let's also look at the unintended consequences of such a policy. If my company had a policy of automatic termination for a missing laptop, I would keep my company laptop in a safe at home (after all, theft from autos is common) and use my personal laptop for my day-to-day work. The company asset would be protected, I would not be at risk from termination, and I could get my work done. If the laptop is stolen or lost, I pay the cost. The end consequence is that sensitive information is even less protected than before, because I no longer use a controlled company asset for my work. Other less severe work-arounds include employees using their personal PDAs for work, or just doing without a computer on some business travel. If you need to access email, well you can do that from a kiosk, right? And we all know how secure Webmail from a public kiosk can be.

The sad part about this poor advice from SANS is that many organizations will end up adopting this policy, based on SANS' reputation. They will find their overall security degraded as employees come up with creative ways to keep their laptops theft-free at the expense of greater information security goals.

There is a general point here as well. Severe, draconian punishments may discourage the sanctioned behavior, but usually encourage other sorts of misbehavior that are far worse.