Thursday, March 20, 2008

When laptops grow legs

One fine day in Europe, an American businessman was traveling by train. Suddenly there was a large commotion somewhere up ahead in the passenger car. The businessman set his laptop down on top of his laptop bag on the empty seat next to him and stood up to observe the commotion. There appeared to be an argument of some sort between two gentlemen. As the businessman sat back down, he reached over to grab his laptop, except it wasn't there. Looking all around, he didn't see anything that looked suspicious. The laptop had been stolen right out from under his nose... literally.

Upon arriving back home, the businessman alerted his IT support staff that his laptop had been stolen and that he needed a new one right away. Following policy, the IT staff member notified his security staff.

Does knowing what was on the laptop make a difference? What if you don't know exactly what was on the laptop? Can you trust the businessman's claims that "there wasn't client data on there" or "there wasn't credit card information on my laptop"?

Do you consider the laptop compromised automatically and look for a backup of the laptop to use as a reference point for notifying individuals? Do you ignore the fact that the system was stolen?

If a case like this gets turned over to you, how do you handle it?

1 comments:

H. Carvey said...

Does knowing what was on the laptop make a difference? What if you don't know exactly what was on the laptop? Can you trust the businessman's claims that "there wasn't client data on there" or "there wasn't credit card information on my laptop"?

No, you can't...you never can. I can't tell you the number of PCI forensic audits I've seen where "hey, there's no CC numbers on that system...", only to find Track 1/2 data in the clear.

Do you consider the laptop compromised automatically and look for a backup of the laptop to use as a reference point for notifying individuals? Do you ignore the fact that the system was stolen?

Yes, and no, respectively.

If a case like this gets turned over to you, how do you handle it?

In the absence of any guiding policies, collect all of the information you can on the contents, and then contact the right person in your organization to make a decision. Ultimately, this issue may end up on the desk of Legal Counsel.