Security issues

[pete0045]

Thanks in advance to anybody that can help me.
I caught somebody trying to copy a company's database to a CD.
This is some very sensitive information. Everybody needs to read and write to this database. Is there any way that I grant this type of access and not allow them to copy the information?

Thanks again
Pete

 

[Mael]

Have them charged with attempted theft?
It mightnt be the software related answer you are looking for, but I think it may work.

What sort of database are we talking about?

 

[Woodchuck2000]

Unfortunately, giving someone read access allows them to make a copy. There's no permission you can set under win2k that allows people to read, but not to copy.

 

[pete0045]

The database contains over 10000 mortgage records. This includes all thei financial information. You know, stuff like your SS#, credit reports, etc.
And, yes, we have thought about bringing the Feds in and charging him with attempted theft of information. He has not yet been fired. That will be at 9:00AM today.
I know I have to go over to his house this morning to zero write his hard drive. I will probably have to go with a sherriff.
I also don't know how the Federal banking comission is going to react to this.

 

[pete0045]

Woodchuck

That is my take on the situation. We may have to go with some kind of third party software to achieve this. It would be expensive, but very much woth the cost to ensure that this cannot happen. If you know of any, please le me know.

Pete

 

[Woodchuck2000]

The only solution that comes to mind is to divide users into two security groups - People who can access the database and people who can access large removable media.

You can set permissions so that no single user can access the database and burn a CD or write a Zip disk. This would be a lot of hassle for your poor little users, as some people would then need two accounts...

 

[Santa]

Disable all CD Writing capabilities on the end user workstations and then have one central location where indiviuals will need to contact IS to get access to the CD recording resource.

The inconvience not nearly as important as your privacy and data concerns.

Lock down the end stations so they are not allowed to install devices.. and make a strick policy where if they attempt to circumvent said rules it would lead to termination.

(Most of this only works centrally controlled client server network though.. or at least using workstations that have some sort of user security built in such as Linux, Windows NT/2K ect..

 

[Garion]

Actually, before we go too far, what kind of database is this? Are we talking about a file-based system like FoxPro or Access or a client/server database like SQL or Oracle? If it's the former, there is NOTHING you can do about securing it on the server. end-user machines must have read access rights to the file to be able to retrieve data from it and there's no way to stop them from copying it. The only thing you could do to make it harder might be to monkey with the permissions to list out the contents of the directory - Doable on Novell (I think) but not on NT (again, I think).

If you're running SQL or Oracle, you're a bit better off, as users can't access the database directly. BUT, they can simply run a query to get all info from all people and probably have some way to export it to a file.

Last question - Are you sure the guy was trying to be malicious? He could be just some misguided user with a lot of know-how that figured he could get some extra work done at home by taking the database and the app home and loading them on his PC..

- G

 

[Goosemaster]

Seriously....check his story out....no sense in feelling guilty later for neutering him..and his pc

 

[Santa]

Obviously lay down the law though since I wouldn't want my SSN and personal data out there easily gotten because I dealt with a/your mortgage company.

I don't know if anyone is familar with the guidelines being laid out for the Health Industry but they are starting to protect any information that may lead back to an individual. SSN, name, address, ect..

I would find out his intent and hopfully it was misguided but make sure the policy gets placed where it is known to be unacceptable because it is data that could be used and sold very easily.