36

I work at an IBM lab and there are some security policies that I do not understand the point of. When I ask why we do them my boss simply says it's policy and avoids answering the question.

  1. We must keep empty drawers locked
  2. When we leave work we must lock up writeable media
  3. We must lock any notes up and erase white boards. I don't get this one because someone during the daytime could just as easily walk by and see something they are not supposed to.
  4. At meetings if we want to take notes, the notebooks have to be black and have hard covers.
  5. Health information is confidential to the extreme, for example even if a person's boss is sick they cannot give them any ETA on his/her return and can't even answer "is he/she getting better?"

I would really feel better given some reason, even if I don't necessarily agree with them. Any possible explanation is appreciated.

Iszi
hushhush
  • 10
    Requirements 1-4 fall into what's most commonly referred to as a _clean desk policy_. We already have some [related questions](http://security.stackexchange.com/search?q=clean+desk+policy) answered here, so that could be your first source of information ([What is the most security benefit of a clean desk policy?](http://security.stackexchange.com/q/32089/20074) has some good answers, and also [this answer](http://security.stackexchange.com/a/31422/20074) on a closed question). #5 is probably as per requirements of _The HIPAA Privacy Rule_ on disclosure of _Protected Health Information (PHI)_. – TildalWave Jun 24 '13 at 05:43
  • With regards to #5 isn't it reasonable for me to inquire about when my boss is going to be back? I worked with him every day and it affects me greatly. – hushhush Jun 24 '13 at 05:54
  • 3
    I understand your concern, but you'd be free to inquire about one's health having their private contact information and that person having clear choice of deciding who to disclose what personal information to. Your employer isn't free to answer such questions, and this is covered in many laws they have to abide by under threat of litigation. You could, for example, ask your employer for information regarding the status of your project, or if a temp is planned to cover for personnel on leave, but they shouldn't respond to asking for personal and/or otherwise confidential information. – TildalWave Jun 24 '13 at 06:00
  • 2
    Please don't add more points to your question, that makes all answers that it already gathered less relevant to what is being asked. It already has not immediately related points in it, which would be better split in separate questions. You can always ask new questions though, as long as they're on-topic, not a duplicate of already covered questions and of course in line with our [FAQ] and [Ask] guidelines. Thanks! – TildalWave Jun 24 '13 at 09:01
  • 1
    I just suppose Google Glass is not allowed in there. – Alba Mendez Jun 24 '13 at 11:23
  • This question could benefit from a more descriptive title. Maybe "What is the purpose of locking empty drawers and notes?" – Stevoisiak Jul 14 '17 at 15:23

6 Answers

41

Here are my thoughts on this:

  1. Somebody could hide something--a flashdrive with malicious content, for example--in an unlocked drawer. An employee could find that flashdrive and plug it into his computer, putting the computer at risk of compromise. Also, it's easier to modify the locks of unlocked drawers than it is to modify the locks of locked drawers. By modifying a lock, a malicious individual could make it easier for themself to gain access to the drawer in the future.

  2. If the media is blank, somebody could put malicious contents on it. If the media's filesystem is "empty" but the media has been used in the past, somebody might be able to recover fragments of old data from it.

  3. It wouldn't be difficult for a janitor (or somebody posing as a janitor) on a night shift to take pictures of a white board, potentially stealing secrets. During the day, the white board is more likely to be surrounded by trusted individuals, making it more difficult to covertly take pictures of it or even get a decent look at it.

  4. Black notebooks are less noticeable than white notebooks. Hardcover notebooks are less likely to lose their covers than softcover notebooks. Covers are important for notebook security. They make it just a bit more difficult to quickly and covertly obtain information from a notebook. They also prevent notebooks from flailing open when they are dropped. Hard covers are better preventers of flailing than soft covers. Also, notebooks with soft covers may be more likely to get misplaced than notebooks with hard covers.

  5. Some sorts of health information are extremely valuable to social engineers. It is common for malicious social engineers to plan attack vectors around employees on leave. For example, if a certain employee is on sick leave, a social engineer might pose as a friend of the employee and gain access to the employee's office by telling somebody he has to bring his friend an item from the office.

  • 23
    As an addition to #1: If only desk drawers with important content are locked, there is an easy test to find out whether a desk contains important info: Check whether it is locked. If all drawers are locked (rather than only the 1 in 3 that have confidential information) the thief or pen-tester now has to break open three times as many drawers to get to important info. It's a variation on the Purloined Letter strategy. – shieldfoss Jun 24 '13 at 07:03
  • @medivh Good answer but I slightly disagree and here's why. I didn't mention that we have clean desk policy so even things that are basically worthless (e.g. a test page from the printer) have to be locked up. So even if empty drawers were left unlocked an intruder is not guaranteed to find anything valuable in a locked drawer. – hushhush Jun 24 '13 at 08:36
  • 9
    Right, but he is definitely guaranteed to NOT find it in an UNLOCKED drawer. Turning all unlocked drawers into LOCKED drawers increases the search space, even if some (previously also) locked drawers contain unimportant things. It is the same principle with communications encryption - if you only encrypt sensitive emails, an attacker doesn't have to waste time decrypting your shopping list and can focus on your sensitive data. – shieldfoss Jun 24 '13 at 09:42
  • 4
    Also, if an industrial spy tries to assault you and take some company secrets by force, the hardcover notebook makes a better improvised weapon – Stephen Bachelor Jun 24 '13 at 12:03
  • Slightly unrelated, but why are you locking up things that are basically worthless (e.g., a test page from the printer)? Why not just toss it in the rubbish bin - which can be disposed of securely. In general, once a worthless item gets locked up in a cabinet, it will remain locked up in a cabinet forever. – emory Jun 24 '13 at 14:54
  • 7
    Addition to #4. The choice of the color is arbitrary, they just want to unify the color of the notebooks to make it difficult to know which notebook was used in which meeting just by looking at it. We had a similar policy. – Green Fly Jun 24 '13 at 15:58
12

This is far-fetched, but non-obvious information leaks:

1. We must keep empty drawers locked

If someone knows that there is a regular meeting discussing secret project X every Tuesday and Friday, and notices that the drawers are always empty and unlocked on Tuesday and Friday, but locked otherwise, then it's a pretty clear indication that the content of that drawer is a secret related to project X.

2. When we leave work we must lock up writeable media

Other than concerns about someone swapping or putting malicious data into the media, locking up all writeable media ensures that nobody can tell apart writeable media that contain secrets and those that contain regular data.

4. At meetings if we want to take notes, the notebooks have to be black and have hard covers.

Also the same reason as with writable media: if someone noticed that you use a Hello Kitty notebook to take notes in meetings for secret project X, and the Superman notebook for other projects, people could immediately recognize the Hello Kitty notebook if you forgot about it and left it lying around. Also, whether or not you carry your Hello Kitty notebook when you go to places could give an indication of what project X is about. A uniform notebook is less conspicuous.

Also, if you have lots of nonsense rules in your security policy, they would help to cover the truly odd 'no leaving "spherical object" on the desk' policy that might have leaked the information that that green massage ball you see the team lead carrying around the office was actually a core for a nuclear reactor.

There is also a possibility that it is a situation with five monkeys, a ladder, a banana, and a water spray.

Lie Ryan
3

Items 1-4 in your question are parts of what are commonly referred to as a "clean desk policy". So I'll try to provide an answer why a clean desk policy is used in general. There are actually many reasons:

  • If clients visit the workspace (which I know happens at IBM) you want to create a positive image. Clients would not like to see documents detailing their specific needs or solutions lying about for anyone to grab.
  • The risk of a security incident where confidential documents get stolen is greatly reduced. If you leave your documents in the open, they can disappear, either from a cleaning lady or someone with malicious intent. Now trust me, you do not want to be the person explaining to your client what happened to their < insert secret project >.
  • It forces you to keep things tidy; this means you will be more organized, and being organized means you will be able to work a lot more efficiently.
  • It also encourages reducing the amount of paper used within your company. Which, again, reduces the risk of documents being defrauded, simply because they aren't present.
  • Flex Desks are the future, if I come into your office and need a desk which is littered with papers I won't be able to work there. Hence a clean desk policy enforces that you take away all your belongings from your desk so that any employee can sit there.

Regarding the disclosure of health information (e.g.: reasons for, or duration of, sick leave): It's a necessity for compliance with certain privacy laws in certain countries. Personal information is considered highly confidential, especially when that information is about health care. If you do not comply with the rules set by this country and handle the data wrongly, you can be held legally liable.

In your case I can give you the following reasons:

  1. Drawers that are locked can't be accessed by unauthorized personnel, meaning confidential documents are physically secure. If it's your drawer, you still need to lock it, someone might take your locker OR someone might conclude: "Hey his locker is never locked except now, there must be something confidential in there!"
  2. The same goes with writable/readable media, you don't want documents to be altered, infected or leaked out.
  3. While white boards can be seen, they can't be photographed easily without someone noticing. Also note that there is always a trade-off between security and usability.
  4. Easily identifiable plus you can't press through it. You don't want to start writing your text and then note that it pressed through onto a table or paper which was already lying on the table.
  5. This is considered very private in some countries so it should be treated as such. If the boss wants to share when he will be back available he can communicate this if he wants, if he does not want to do that, then it's also not your problem.

Now another issue is that IBM is a global company, meaning many countries have different regulations. To have manageable compliance policies around the world, they probably decided "one size fits all" and that would mean to have one policy which complies with the strictest rules across the globe and which has to be followed by every office in the world.

Lucas Kauffman
  • I'd like to point out when you say clients visit the office should see a positive image, I've never seen clients visit the office (likely they are in a different country) and if they did they would see the most unprofessional behaviour ranging from curse words being used easily to the most tasteless of dress attire. – hushhush Jun 25 '13 at 08:22
  • I have a few of my friends working at IBM and they do get visits quite often. Like I said, one global policy needs to fit all :) – Lucas Kauffman Jun 25 '13 at 08:24
3

Unlocked drawers can be removed completely, giving access to locked drawers below (and probably above too). Of course, desk locks are completely nominal anyway, but at least a locked drawer is "tamper evident".

ddyer
1

Relating these to ideas from encryption:

  1. Encrypting only confidential information generally makes it easier for attackers to focus their efforts. Encrypting everything means more decryption work, and possibly much more trouble identifying exploitable information.
  2. Retrieving the ciphertext is a good first step of data retrieval, and usually a simple read can't be detected afterwards.
  3. An attacker reading the plaintext while the owner is using the storage is more likely to be discovered. Also, plaintext should exist only when absolutely necessary, to minimize attack surface (in both space and time).
  4. Making all plaintext "containers" identifiable should make it easier to ensure they are identified as security critical and treated as such.
  5. Unusual situations and corner cases are often easier to attack, since the protocol for handling them can be less well defined, or less well known/remembered.
l0b0
1

Regarding #1, think of the rule as this:

  • keep all drawers locked, regardless if they are full or empty.

Then people don't have to continually think "should I lock this drawer or not?" and won't make the mistake of accidentally not locking a drawer that newly was not empty.

It also makes it simpler to enforce security rules: if a drawer is unlocked, that's a violation, without having to investigate if there are things in there.

For #2-#4, the same logic can apply: do some redundant work, so that you're not continually having to determine/remember if the rules apply in a particular case.

For #5, that's an HR issue; the company is not allowed to give out health status information on employees.

  • 2
    I'm supposed to review this post and I honestly don't know what to think of it. Would you please address also all the other parts of the question and help me out with it? Otherwise it's 4/5 into the _"not an answer"_ category. Cheers! – TildalWave Jun 24 '13 at 18:49
  • 1
    @TildalWave Such is the way with questions like this. To best fit the SE format, it should have been broken into 5 separate questions. – Iszi Jun 24 '13 at 19:03
  • @TildalWave, done! – Mark Harrison Jun 25 '13 at 00:04
  • @Iszi I couldn't see #5 by itself being an appropriate fit for this site, but grouped with the rest it seems better. – hushhush Jun 25 '13 at 08:20