Workplace Security

[bluedragon2]

I posted this in General Security Forum, but I also thought it belonged here as well...

I just recently found a thread in another forum, Thread68-710925 , in which the user was complaining about his boss's views on securtiy. I made a quick comment to him about the lack of security and what could come of it.

I thought I would start this thread to for those of you who have any stories to share or specific cases. I would like to use this thread as a reference for those in the above thread.

Blue

If I wasn't Blue, I would just be a Dragon...

 

[CajunCenturion]

Do you have a specific ethical question that you would like to discuss?

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[bluedragon2]

It's not a "specific ethical question" that I am asking...

It is the discussion of the ethics of practicing security in the workplace (and what can happen if you do not)...

I have talked with many people that think security is not necessary since they are such a small office or don't handle (what they think) serious information.

There have been times when I could talk until I am blue in the face, but could not convince the need for some levels of protection.

I would like to see what other posters think or have encountered...



Blue

If I wasn't Blue, I would just be a Dragon...

 

[edfair]

As in a lawyer losing a computer by theft and his client's information making it onto the web when somebody bought the hard drive at a flea market?

Ed Fair
Give the wrong symptoms, get the wrong solutions.

 

[bluedragon2]

Should the client be able to sue the lawyer for not applying security to the clients information?



Blue

If I wasn't Blue, I would just be a Dragon...

 

[smedvid]

Well, I would document the risk and forward it to management to let them decide their own fate and that of the company. In the case of a small company, costs could be prohibitive to deploy a security suite of products. However, there is no reason a firewall, virus-scan and, if necessary, encryption certificates, can not be attained at a minimal cost. You can perform an internal audit during your risk analysis and research baseline standards that are curently employed in business... htwh,

Steve Medvid
"IT Consultant & Web Master"

http://www.saveourfarm.com

Chester County, PA Residents
Please Show Your Support...

 

[bluedragon2]

I agree smedvid. A risk assessment should be the concern of all business owners/managers. With IT laws changing all the time, it would be wise to know what data you have that is/is not secured/properly maintained...



Blue

If I wasn't Blue, I would just be a Dragon...

 

[mjinks61]

I am not a lawyer, but I would guess in your example of a lawyer and client, and a customers data was compromised to a hacker or rogue employee etc. without proper securities in place, then a lawsuit would be filed and won.
Provided of course, the client suffered in some way as a result of the breach.

I do believe in the duties of the firm to protect their clients information. To do otherwise is in my opinion, would be derelict of responsibility, and unethical as well.

This is not so say that "any" incident would warrant a lawsuit, but if there isn't at least basic securities in place such as a NAT router and strong admin/user relationships on the company network, then they have opened themselves up to litigation.

I would also hope they had much stronger security than my basic example, but there should be some minimal securities in place, and in my humble opinion, should be required by law to protect the consumer.

This scenario fits many business. I shudder to think of the quality of security in many of this countries small businesses. For this very reason, I usually only do business with the larger companies.

Isn't it 5:00PM yet?