RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Date: Fri, 18 Nov 2005 16:13:23 -0500
Reply-To: Records Management Program <[log in to unmask]>
Subject:
From: Hugh Smith <[log in to unmask]>
In-Reply-To:
Content-Transfer-Encoding: 7bit
Sender: Records Management Program <[log in to unmask]>
Parts/Attachments: text/plain (112 lines)

On Nov 18, 2005, at 12:00 AM, RECMGMT-L automatic digest system wrote:

> From:    "Gerard J. Nicol" <[log in to unmask]>
> Subject: Re: Risks to Computers.......and Encryption
>
> Hugh,
>
> I did not see your previous post; but people need to understand that whilst
> encryption has its place in most instances encryption does not stop hacking.
>
> Once a hacker has access to a system there is really little benefit of
> encryption, and from a risk management perspective most access is gained not
> from the interception of unencrypted data but from various phishing
> techniques and ineffective security.
>
> If I had every other base covered I would look at encryption, but the sad
> reality is that most IT infrastructure is poorly protected and the
> money/effort would be better spent improving security in other areas.
>
> For instance, before I spent a dollar on encryption, I would be looking at:
>
> (1) Running proper background checks on my employees.
> (2) Training my employees not to click every URL that confronted them.
> (3) Installing effective security on the front door and giving staff ID.
>
> Gerard

I totally agree with you.  My earlier posts had to do with the fact 
that there is a huge publicity campaign by certain companies to 
encourage encryption to protect their organization from the offsite 
storage company losing the tapes.  My feeling is that this is a red 
herring to distract people from the inefficiency demonstrated by 
several very large negative publicity events caused by lost tapes.  
Where is the discussion about utilizing a more accurate tracking 
software to avoid the lost tapes? If a trucking company can use RFID to 
track shipments and GPS to track the trucks, media is not difficult to 
track.  Why tell the entire world to switch to encryption, why not just fix 
the internal problems that keep leading to lost tapes??

Storage Magazine (November Issue)  just ran an article talking about 
the trend toward encryption, which is understandable from an IT 
oriented and IT equipment selling magazine.  But even in an article 
that started with a positive spin, every IT Manager they interviewed 
stated that software encryption slows the system down to unacceptable 
rates and there is fear that data once encrypted might become 
inaccessible as no one knows how reliable this technology 
is............and a big problem is that no one knows how to protect the 
Encryption Keys.  Losing the keys is equivalent to showing up at work 
and finding your vital records are no longer in the facility.

The great thing is that some of the RM's are now opening discussion 
with IT about this.  And I know that IT is not very happy about RM's 
sticking their nose in on this, but this is such a great entry.  Your 
points above:
> For instance, before I spent a dollar on encryption, I would be looking at:
>
> (1) Running proper background checks on my employees.
> (2) Training my employees not to click every URL that confronted them.
> (3) Installing effective security on the front door and giving staff ID.

are a great door opener as well.  And from what I saw at the recent 
technology summit, IT is worried enough about SOX that they are now 
more likely to want an RM to provide some input and solutions.

Peter, maybe you could provide the RAIN link for the article on Page 44 
"Storage"  entitled "Secure Your Backups"  as the article ended with a 
headline at the last page that stated "IT'S IMPORTANT TO REMEMBER THAT 
ENCRYPTION BACKUPS SHOULD ONLY BE A SMALL PART OF AN ORGANIZATION'S 
SECURITY STRATEGY."  Then Dennis Hoffman of EMC states that ".....the 
rush to encrypt backups is a massive knee-jerk reaction within the 
storage industry."

This one article could be the primer for the pump to allow records 
managers to enter the IT arena with a serious discussion.

Questions you might start with:
If the higher security encryption keys slow down the system more (50% 
estimated)  than less secure keys, how much speed do we want to trade 
off for security?
If the encryption key is stored on the system and the system is down, 
how do we access the key?
If password protected files are stored on transferable, portable media, 
don't we have the same risk as losing a laptop?
Encryption slows backup; if we face a disaster such as a storm or 
hurricane, won't slowing down the backup create more risk?
If we are in disaster recovery, won't the slowness of the system create 
recovery problems?
Can't the $50 - $100,000 be spent more effectively?

As always my role on this Listserv is to open dialogs that promote 
Records Managers and increase their scope of influence.  But then the 
really good records managers start sending me email poking holes in my 
arguments and I get a free education. This then makes me more effective 
in the marketplace.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
