Sensitive Security Information 101
Last year, the disappearance of a laptop containing birthdays and social security numbers for millions of veterans and military personnel highlighted the need for continued vigilance in protecting sensitive information. Sensitive security information, or SSI, can be thought of as any information that, in the wrong hands, can cause potential damage to individuals or organizations. With each new advancement in technology comes the potential for abuse and also the need for organizations to reassess the strengths and weaknesses in managing sensitive security information.
In the case of the individual, sensitive information can include social security number, credit card number, information on education, financial transactions, medical history, and criminal or employment history. And while personal responsibility must be taken to restrict access to such information, new technology has exposed individuals to new risks. In addition, organizations that are privy to sensitive information must take steps to keep this information secure.
Within the organization, basic computer security can include standardizing hardware and software components of desktops and laptops by making certain that all components within the machine are the same. The compatibility issues of standardized hardware seem self-evident, but keeping all computers up to date with virus updates and security patches is equally important. In addition, computer access can be restricted not only with conventional password authentication prior to login, but also by using biometric devices that scan the thumb using a separate scanner. Biometric scan technology has even been developed into products such as a mouse with an integrated scanner, which can further ensure that the sensitive information does not end up in the wrong hands.
Sensitive security information defined in terms of the organization can include not only inappropriate access to classified information, but also unauthorized access to computer networks and servers. Computer security for new employees includes restricting server access until the departmental processes, procedures, checklists, and security patches have been implemented. Also, applying the need-to-know rule to employee access to the server is one possible way to keep a new employee from inadvertently uploading harmful attachments to the server and infecting networks from the inside. Lastly, careful consideration should be given to balancing the information needs of the individual with the larger concerns of the organization to keep network servers secure.
Furthermore, computer ports and drives can be disabled to limit how information is used. By disabling the USB ports on a machine, the potential threat of security breaches using USB thumb drives can be minimized. Computer networks can be mapped so that a specific port can only be used with an assigned computer; unused ports should be disabled altogether to prevent unauthorized users from literally plugging in to the network and compromising security.
One recent development in networking technology that has almost unlimited applications is that of wireless local area networks. The wireless connection of mobile computing devices such as laptops, cell phones and PDAs is possible as a result of shared interoperability standards. Wireless network connections can create unlimited sources for potential intrusion; for example, it is possible that an intruder can access the network from outside the building, unless certain steps are taken to encrypt and safeguard the connection. Bluetooth is one such connection that combines the flexibility of wireless technology with a certain level of security using authentication and encryption.
To determine potential holes in the physical and technological infrastructure, periodic vulnerability assessments should be performed from both inside and outside of an organization. In addition to the corporate intranet, possible areas for intrusion include physical threats to servers and data rooms, compromised alarm systems and unauthorized access to payroll and other employee records. Judicious use of fiscal and personnel resources should be applied in implementing solutions to perceived threats, for example by using a cost-benefit analysis to determine whether recommendations are economically feasible.
Technological innovations have created an amazing potential for collaboration and sharing information. However, these new developments are not without potential challenges to keeping secret information secure. By understanding the basic challenges of sharing information within these new technologies, we can make informed decisions about how to keep our private information secure.