Today's networks have lots of devices attached to them that have been around for quite some time. These include optical devices, removable disk and tape products and myriad storage technologies that may still serve a useful purpose but bring with them potential exposures.
IT must ask four related questions:
- Does the network to which these devices are attached have access to secure data and/or could secure data find its way to this network?
- Can data be copied by or from these devices?
- Will you know if data are copied?
- Do these devices have a USB port or other means to extract sensitive information?
When the answer to any of these questions is 'yes', IT must remediate the exposure or take other steps.
Action Item: Devices that cannot be made secure via normal practices should be considered high risk and the security threat targeted for elimination. To the extent that processes are in place but these devices still present a threat, the devices should be either removed from the network or 'zoned' off to a network that has no access to secure information.
Action Item:
Footnotes: