NEW YORK DISASTER RECOVERY PLANNING FOR MIXED-HARDWARE ENVIRONMENTS
The Worried Executive's Guide: Disaster Recovery Planning for Mixed-Hardware Environments
WEBBLOG Editor Note: This article is a must-read for anybody who wishes to fully understand the real threats that exist when a computer or device with valuable data stored is stolen. It is the best overview that I have seen to date of an issue that is clearly in the limelight. Here are some quotes of interest from the article.
Just when we start to think our recovery plans are complete—mainframes, LANs, physical facilities, and telecommunications—we get something new added to our list. The equipment this time is small, but increasingly critical. I’m speaking of workstations, laptops, and even things like personal digital assistants (PDAs). Sometimes, when it comes to the need for information security, size doesn’t matter.
Every now and again we read a news story that brings this issue home. It usually begins with an announcement that a laptop or desktop computer has been stolen. This in and of itself is not newsworthy, unless of course the device contains proprietary or sensitive information. A few years back, for example, a server containing 316,000 credit card numbers was stolen from a major bankcard company. This incident caused the company the embarrassment of having to contact all of these customers and cancel their credit cards. A more recent story surfaced only recently, when a major university had to write letters of apology to thousands of students when their grades, transcripts, and other sensitive information disappeared along with a laptop computer. Such stories are the nightmares of auditors and information technology managers alike. The fact is that critical, proprietary, or sensitive information has in many cases migrated from the relatively secure "computer room" environment to desktops, laptops, and in some cases PDAs. Personally, I believe it’s only a matter of time before high-end wireless phones are capable of harboring the same kinds of data, at least to the extent that the loss of such data could be a serious breach of personal privacy.
Has "mission critical" data in your organization migrated onto these less-proven (and more transportable) platforms? The answer might come as a cruel surprise some day, unless you take precautions and develop operating and security standards for this equipment now.
Hey Mister, Wanna Buy a Mainframe?
Unlike the traditional mainframe environment, many servers and other Intel-based client/server components have aftermarket value in pawnshops. Many companies therefore already sponsor well-managed security organizations that help preclude thefts of such equipment. Nobody pawns mainframes. You do, however, find laptops and other equipment in pawnshops, on eBay, and from a variety of other sources. Most of these sources are legitimate—but not all.
It’s prudent to look at a few common vulnerabilities with regard to such small equipment in the typical organization’s environment. This article makes a few specific recommendations to mitigate these vulnerabilities. We also recommend a few operating and security standards you can employ that are not prohibitively expensive, but go a long way toward keeping your company focused on its business and out of the evening news.
How Should Your Organization Respond?
Is there an optimal solution? Sure, but the ways you could react to this issue are as varied as businesses themselves. For example, your law firm may consist of 90% knowledge workers and 10% administrative staff. Complicating that division is the fact that your knowledge workers are also revenue producers (and hence also production workers). Or maybe your people answer calls for that little green lizard on TV that promises to save money on car insurance. The profile of such a company might be 50–75% production workers in a heads-down telemarketing operation. Easy to standardize applications, relatively speaking, and the call center clearly uses production workers—except for you, in this example. Because these are your people, you would be a knowledge worker.
Some tips transcend any kind of business and address every workstation environment:
* The value of a piece of equipment is not limited to the equipment itself, but also the application(s) residing on it.
* Even if a piece of equipment has relatively low value (such as a laptop or other PC), it must have standards for protection that represent the value of the data, not the platform. Such protection includes passwords, restriction of access, physical security (where the possibility of theft exists), regular backup schedules, and other considerations. Imagine the information that could suddenly be made publicly available to competitors and outsiders if the wrong person acquired the laptop or PDA of your company’s CEO. What kinds of standards for protecting that data can you point to at this instant?
I hope this article in some small way has helped you put standards for the workstation and desktop environment in context. I also hope that it has given you a fresh perspective on how to protect your company as mission-critical applications move to desktops, laptops, PDAs, and beyond. Best of luck in your pursuits!
WEBBLOG Editor: full article available at link