Common Sense IT Practices in the Wake of Wikileaks

The RGZ Blog


Whether you agree or disagree with Julian Assange and the idea of WikiLeaks is a matter of opinion. However, most people would not want to see their company’s or their own private information anywhere near WikiLeaks! And while risk cannot always be eliminated, it certainly can be mitigated. RGZ’s Forensic Computing and Risk Team recommends the following 8 Best Digital Communications Practices, in addition to conducting complete risk and policy compliance assessments:

  1. Confidential and sensitive opinions and feelings about people and organizations should not be put into writing. Face-to-face discussions work best, followed by phone conversations. Yes, phones can be tapped, but unless you’re law enforcement, it’s illegal in most states here in the U.S.

  2. Data analysis reports, as well as confidential and forensic reports, are sent encrypted. An easy way to do this is by using WinZip. The password to open the file should be sent via text message or voice phone call.

  3. Disable peripheral copying devices (CD, DVD and USB ports and drives) for employees tasked with sending out cables, confidential messages, etc. Pvt. Bradley Manning copied digital files to media he brought into the workplace. In the past, people would churn the copy machine after hours and walk out with sensitive documents. While the technology may be different, the process is still the same.

  4. Password-protect copy machines and other devices. Most ‘data thieves’ still do it the old-fashioned way.

  5. Continuous monitoring: Monitor the websites, IP addresses, etc. that your employees are visiting during the workday. Restrict those sites that are not necessary to conduct business.

  6. Educate your employees about digital security. Make sure they understand the common Internet frauds, including phishing, social engineering and virus / Trojan transmission.

  7. Develop a comprehensive email, Internet and general computer usage policy, regardless of the size of your organization. Turn it into an online tutorial and make sure every employee accesses it and is tested on it. In other words: Compliance.

  8. Employees should sign a confidentiality and non-disclosure agreement that should be developed by an attorney or your legal department. Without it, the first question a defense attorney will ask you is if you have such policies and agreements. If so, where are they, and were they signed? The confidentiality statement should be presented and signed annually.

