Friday, February 01, 2008

Britons working for the UK government are now banned from removing laptops from their offices unless they are encrypted: http://www.personneltoday.com/articles/2008/01/22/44056/laptops-containing-protected-data-banned-from-leaving-public-sector-offices.html

The real question is, is this an enforceable policy? It might be, but then it begs the question, can current productivity among civil servants be sustained? The answer is no, unless an effort is put in place to enable civil servants to encrypt their laptop content easily.

This issue highlights two important areas for compliance. First of all, do you have effective policies addressing your areas of risk? By effective, I mean: are they clear and understandable, and are the users governed by the policies aware of them? The second important area is, of course, compliance with policy. How do you effectively enforce, monitor and audit compliance with your policy?

The hard part is, of course, to balance policy/compliance with business needs. If your policy and compliance efforts impede your business, then you face loss of productivity and probably profits. So a balance between business needs and your security/compliance needs must be obtained.

The best way to achieve this is, of course, to evaluate your current risk profile and decide whether the current risk is something you are willing to accept or not. If you are not willing to accept your current risk, then you must put in place mitigations that move the risk level to where you are comfortable.
