T.R | Title | User | Personal Name | Date | Lines |
---|
1533.1 | | ESCROW::KILGORE | I am the captain of my soul | Tue Jul 16 1991 10:41 | 23 |
|
Well, it came as a shock to me that I've been violating corporate
security policy for many, many years, but I found this:
$ VTX SECURITY_POLICY
INDEX TO POLICIES AND STANDARDS (menu #6)
P (menu #16)
PROPERTY REMOVAL PASS (5th screen, menu #5)
screen 4 of 46
"PRPs [property removal passes] or other approved documentation, are
required for the loan/removal of media, such as diskettes, tapes,
floppies, etc."
On the other hand, early on in my DEC career, I was told specifically
by some manager that I didn't need a pass for documentation or media,
although I've never seen anything in writing to that effect.
I know I've walked into and out of DEC facilities throughout New England
with media in plain sight and have never been asked for a pass. All
this leads me to believe that the free movement of media without a pass
is a DEC myth that is held as gospel by 99.44% of the company (the
0.56% being the SHR security people).
|
1533.2 | security a must | SWAM2::WALDO_IR | | Tue Jul 16 1991 13:24 | 14 |
| Over the years I have observed that security regulation enforcement is
at the discretion of local management. That is also true at our
customer's sites and it is seldom consistent within a given 24 hour
period (there are exceptions of course). I have also concluded that it is
a waste of time and emotions to fight about it.
We are in the business of information. It is one of the company's most
important assets. Why shouldn't the company try to control/plug
possible leaks? How can security guards possibly know that YOU have
authorization to remove company assets unless you present them with
that approval? I know, I know, it is a hassle. But you WILL NOT win.
Don't waste your time. Sure you will lose some time getting the
property passes signed, etc., but after a little practice it becomes
routine and will not be a big deal.
|
1533.3 | Try creative solutions | PXOGUS::NEVEU | SWA EIS Consultant | Tue Jul 16 1991 16:46 | 77 |
| The concept that Security can verify that a specific tape does or does
not contain what you are authorized to be carrying out/into a facility
is extremely interesting but fallacious. This does not unfortunately
invalidate the security requirement stated in the P&Ps.
Back in 1984, when a security scare forced most New England facilities
to require property removal passes for magtapes and disks, I was work-
ing in a group that moved a lot of tapes constantly. After having one
property pass signed more than 12 times as I was taking the tape in and
out of several locations, my group struck a compromise with security to
photo reduce and laminate a property removal pass which authorized me
to move non-IT tapes and Disks between Digital facilities (i.e. I was
not transferring the tape or disk from one place to another rather, the
tape or disk remained in my possession and I would generally leave with
it the same day as it arrived at the facility). This practice was only
challenged twice during a period of 14 months that I carried the lami-
nated property removal pass. Each time the guard complained that he
had nowhere to sign and he could not verify that the tape I was carrying
was the one I was authorized to be carrying. I asked him how he
thought he could verify that the label on the outside matched the
content on the tape? I also instructed him to call Mill Security who
had issued the laminated pass to validate its authenticity. One of
the security people was a complete jerk and I needed support from a
site person to force them to validate that I had proper authority (The
security person was taking it upon himself to refuse to accept the
property removal pass because of its form). The second person threw
a tantrum but decided to let me pass and did not even bother to check
if the pass was indeed valid.
Presented with the option of trying to handle hundreds of property
removal passes, or only a few property removal passes with hundreds
of names for each check-in/out sequence, security in 1984 opted for
a cleaner solution (i.e. laminate a pass small enough to fit in a
wallet, but still readable to cover the authority to move media).
We chose and security accepted a description which covered a multitude
of tapes and disks (i.e. we did not specify what was on the label
or content of the disks) so as to minimize the number of passes to
be issued. Naturally the pass specified my name and the fact that
the tape(s) and/or disk(s) would be returned to the original location
on or before some date (I think we were allowed to use a date six
months out at the time). This satisfied the P&Ps and reduced the
paperwork for everyone involved. There is a small matter of deter-
mining at the end of six months if the tape was actually returned,
but security can't really even do that for serialized product so
this amounts to a trust me issue. Especially since what DEC should
be trying to protect is the data on the tape and not the $5.00 tape.
I do not know if the circumstance in .0 warrants creative solutions,
but the policy requiring some form of documentation to authorize
removal of disks and tapes has been in existence for at least 7 years.
Although as noted by .2 security does not always choose to enforce
this particular regulation consistently. I have also noticed that
a number of people are aware of the requirement but choose to ignore
it and conceal tapes in briefcases to avoid having to comply with it.
This works unless security decides on a particular occasion to search
your briefcase. Then you end up scrambling to get the proper paperwork
completed just so you can leave the building, or you check the tape in
as personal property (even with DEC proprietary labels stamped all over
it) so you can get in the building.
All of this to accomplish an objective which security can not truly
accomplish without confiscating the tape and having it mounted on a
system they do not own to verify the contents of the tape (if such a
system even exists). The protection of intellectual property is
extremely important and preventing unauthorized personnel from gaining
access to this property and walking out of the building with it is
extremely important. Preventing people who are authorized access to
information from conducting legitimate business is foolhardy and pro-
bably extremely expensive as well. You need to find a solution which
minimizes the effort required to conduct legitimate business but pro-
tects Digital's intellectual property. In 1984 my group found its
accommodation with security at Parker Street and the Mill, hopefully
yours can reach it with your security organization.
|
1533.4 | Operation Fido | TLE::AMARTIN | Alan H. Martin | Tue Jul 16 1991 17:07 | 6 |
| Re .0:
SHR, eh? Just flash a badge at the guards containing your pet dog's photo
pasted over your own. They'll get so torqued over the badge that you could walk
out with a disk pack under each arm, and they'd never notice.
/AHM
|
1533.5 | Just an attempt. | DCC::HAGARTY | Essen, Trinken und Shaggen... | Thu Jul 18 1991 04:46 | 6 |
| Ahhh Gi'day...
I don't think they are trying to stop data leaving the office, but they
have to try, probably for legal reasons. I'm sure a lot of people have
modems, and you can certainly get shift enough material through X.400,
Internet gateways, and X.25 lines.
|