Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Important Device Policies
Quick Take
On this episode of Compliance Unfiltered, the CU guys wax poetic about everything from fruit salads to mainframes in this Important Device Policies edition of the podcast.
This often-overlooked topic can be the undoing of even the most secure organizations. Curious how device policies should play into your team’s approach? Wondering about mobile devices and external storage?
Adam addresses all these topics and more, on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the watermelon to your compliance fruit salad, Mr. Adam Goslin. How the heck are you, sir?

I am doing good. I made a homemade fruit salad over the holiday season, as you mentioned it.

Bet you there was watermelon in that bad dog.

Got that right.

Well, listen, you know, for any of those who had the opportunity to listen to last week’s episode, you may have heard about the different attacks that are coming to individuals’ devices.
And this week, we’re going to talk about something that’s extremely important, and that is device policies. Now, do you often find that organizations will gloss over their device policies as a whole, Adam?

Yeah, I mean, it’s funny because a lot of folks, you know, just go, ah, well, you know, whatever, the device policy isn’t an area that needs a lot of thought, you know, etc. But, you know, I often will encounter clients that have major gaps in their device policies. If you don’t take the time to get down and dirty with your device policies, then you’re running the risk of exposing the organization to data breaches, etc. It doesn’t take much to create a dangerous scenario where a device is used with innocent intent; without the proper policies and precautions in place, you’re inviting employees to take those kinds of risks every day. So, it is definitely a good practice to think anew, shall we say.

Indeed. Now that being the case, how should organizations rethink their inventory management approach specifically?

Well, the notion of inventory isn’t as cut and dry as people think. You know, it really should include everything from their physical equipment to virtual devices, such as virtual firewalls, virtual servers. It should get down to the services running on those devices. The physical equipment, you know, you’ve got laptops, tablets, but, you know, you’ve also got key fobs for two-factor, external hard drives and USB sticks. And, you know, a lot of organizations will, you know, kind of limit the notion of inventory to their production environment.
And, you know, it’s important to expand, you know, that notion of inventory management. It really needs to be more all-encompassing. The purpose of the inventory management is to understand and control the various elements of hardware and software across your organization, either directly or indirectly involved in the movement of sensitive information. And this could include everything from names, addresses, phone numbers, socials, the intellectual property, medical, credit card, you know, all sorts of different types of information. You know, if it’s directly involved in the movement of sensitive data, then we need to get it tracked and managed on the inventory. So, you know, the little RSA token doesn’t store any sensitive information, but, you know, it’s used to gain access to the environment that houses, you know, critical data. So it’s supporting the movement of the data. So it’s a critical piece that you want to make sure that you’ve got control over, and thereby including it in your inventory. You know, it’s one of the elements of authentication that could be leveraged to access that sensitive data. So constantly, you should be asking yourself, you know, what are the elements of the hardware and the software, you know, within your environment that, you know, you ought to be controlling.
The other side of, you know, this particular point is that if you think about it, the inventory management is, you know, kind of directly tied to the activities that should be happening during onboarding and offboarding. How do I know what all Mary has, you know, deployed to her? Well, the only way you know that is if you’re keeping track of, you know, what are the assets that have been deployed to Mary, so that if Mary is no longer a thing, you know, then, you know, you can go ahead and get that addressed. And just for the record, Todd, as I was kind of saying that, going through my head was, you know, Mary, Mary. So I don’t want to tell you, man, it’s just a little bit of insight into what goes on over here.
I certainly appreciate that. Now something else that I’m sure the listeners will certainly appreciate, and that is chatting a little bit more about a hot button topic like this, which is what about the impact of mobile device management here?

Well, I mean, if you think about it, right? You think through the data that exists on cell phones and various mobile devices and tablets and whatnot. I mean, each of those devices could have sensitive data stored on them. Are employees using company devices, or are they using their own devices? Do you, as the organization, have the capability or the right to take action on an employee mobile device, considering whether to deploy those devices to your employees or allowing them to use their own personal devices? If you’re allowing them to use their own devices, then what agreements do you have in place? Should you have software in place that allows you to clear sensitive data off employee devices without impacting their personal information? What happens when somebody leaves the company? How are you ensuring that sensitive data doesn’t go with them? I mean, it’s a big problem and a big challenge. And honestly, it actually takes way more thought than you would think when you start cooking up all of the various and sundry possibilities. Like, I don’t know, if you haven’t thought this stuff through, and now you need to go in and try to clear things off of a device, but you don’t have any software to make sure that it’s being done appropriately. What type of a pickle are you going to be in when the extraction of sensitive data for the company, when that extraction also happened to clip, oh, I don’t know, all of those pictures of this person’s, you know, child’s first birthday, you know, whatever. So, you know, it’s just a tough situation. It needs some thought and you need to think it through as an organization. How are we going to handle this?
Because for a lot of organizations, it’s pretty loosey-goosey. So, they got to put some thought into it.

Well, I mean, let’s kind of take that next step. What considerations are appropriate for, like, external storage devices?

Well, you know, you’ve got to consider whether your device policy is allowing, you know, external storage devices to connect to corporate machines at all. You know, have a mechanism put in place that allows you to control those external storage devices, such as external hard drives or USB sticks. Maintain the inventory of any devices that exist within the organization and who they’re deployed to. You know, for a lot of organizations, it’s important for them to be able to control their technology, manage the external devices that can be plugged in, and, you know, put technology in place to make sure that the device is approved, it’s in your inventory, and it is controlled, where you know where it is. If you are allowing external storage devices to be connected, you know, then you need additional policies, right? You know, how do we define the types of data that can be transferred, at the very least making sure that the data is encrypted when it gets put onto those devices? You know, we don’t want a device falling into the wrong hands with unencrypted data on it. You know, otherwise the issue is one that poses substantial risk to the organization, and there have been multitudes of breaches where somebody, you know, had something that was either portable or, you know, paper in the clear, you know, whether it was physical paper or, you know, electronic data where it was in the clear, that’s caused massive issues for, you know, those organizations.
So it’s a big deal.

Indeed. Now, how can organizations help ensure the availability and use of secure storage locations?

Well, you know, what you want to do is you want to figure out where data can and should be stored in the cloud. You know, virtual storage options range from Google Drive to SharePoint sites to OneDrive sites and countless others, so making sure that you have oversight and control over the various locations that are approved for the storage of company data. You know, when I’m going through and doing a client assessment, it’s pretty common that I’m discovering the company doesn’t have any idea that so-and-so has been storing critical files on their personal Google Drive. They needed to do some work on a Sunday, and nobody gave them a place to put the files they could get to while they were mobile, so they went ahead and just solved the problem themselves. And meanwhile, the company now has an uncontrolled Google Drive with no organizational oversight, not even a notion that it’s over there, blah, blah, blah, blah. So, you know, setting policies in place that define where the company information is, you know, to be securely stored, giving them a place to store that company data, and actually actively encouraging employees to ask questions, raise their hand, if they either don’t understand what they’re supposed to be doing or if they feel like they don’t have the resources that they need. You’ve got to make sure that the overall solution is something that will suit all of the various needs of the personnel within your organization. And finally, you need to have some detection and monitoring capabilities in place, so you’ve got a fighting shot at seeing if somebody is painting outside the lines, shall we say.

Indeed.
Now parting thoughts and shots for the folks this week, Adam.

Well, the device policies may be one of the simpler aspects of security and compliance, but it doesn’t mean you can afford to take kind of a half-ass approach to how you go about doing it. My hope is that a lot of the various categories that we went through today will open the eyes of the listener to areas that they need to kind of pay attention to, work on, and put some additional focus on, etc. It’s surprising when you start getting into the depths of how we should be doing what we should be doing, and what all do we have, and who’s got it, and blah. It’s amazing how many different challenging scenarios you’re going to kind of uncover as you go through that peeling back of the various layers of the reality of what you’ve got in your environment. But it will be a worthwhile exercise that heads you in the right direction for assisting and protecting the organization.
Absolutely, and that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow.

And I’m Adam Goslin.

Hope we helped to get you fired up to make your compliance suck less.