Not Exactly

by Hforman - 2/27/13 9:27 PM

In Reply to: VERY interesting post! by Call_Me

I'm a contractor so I don't get anything. They gave me a desktop as others have but that is it. I have my own Netbook (old Acer) but that is mine but to use it, I still have to abide by the rules (most don't think they have to unless they get caught).

I work for a very LARGE county government (well over 100,000 employees). Has not much to do with "free-thinkers". It has more to do with getting anyone to operate in a "timely" manner. We still have not completely implemented suggestions from over 10 years ago (they claim it is "only" two years). Things we need right now or yesterday will probably take years.

The big issue is that any time we have even the smallest breach in security, the employees involved just shrug their shoulders and nothing much changes and those responsible are never held accountable. But every little breach means big write-ups in national newspapers. We are entrusted with constituent information and only now do some realize that the government has to provide credit-watch service and many argue against even that.

In my area, there is a federal requirement that everything we work on has to be CJIS-compliant (feds set up the criteria for security) and HIPAA-compliant (FEDS set up security for patient records). So what does this mean to tablets?

1. You can't put any data on a tablet. None. If it is a laptop, the entire hard drive (so far) has to be encrypted. This technically applies to consultants as well. If you lose a device and don't report it, you could even face criminal prosecution.

2. Cloud usage - Google has said that no public cloud is CJIS-compliant. They are wrong if you consider certain contracted clouds are CJIS-compliant but none where the employees are not certified by the U.S. government and claims that the cloud provider employees can read your stuff. Patient medical records: the "public" clouds tell you up front that they are not HIPAA-compliant. If you get caught by the feds, our fines would be over $1 million. For even something tiny like one field not being properly protected (no breach) we received a $12,500 fine.

So, there is definitely a data security element to everything we do at a government site. The problem comes where a lot of the employees, especially "executives", want all the toys. They could have WiFi if they got it from the County with all of the security stuff on but they don't want to pay for it. They don't even want any security if it is inconvenient saying that they don't work with secure data but they don't realize that, if they get hit with malware, they can be used as a doorway to servers that do have that data.

Now consider this. If most of the workers NEVER travel, do they need tablets? No, they don't because tablets are really inconvenient and not productive for people who just sit at their desk all day running WINDOWS and MAINFRAME applications. I mean "All Day!" Try using a tablet constantly for 8-10 hours straight (OK, 1 hour max for lunch) and see how your wrist/arm feels if you don't have a mouse and a real keyboard. Some people think that business is all about "innovation" but in many businesses, people are just doing their job which may mean order entry (typing in names, addresses, billing information). Others are adding information to criminal records through a secure computer. Not everyone out there innovates.

How about a secretary (excuse me, "administrative assistant") who just takes dictation and types memos all day. A tablet?

What things boil down to is that some, by nature of what they do, can use tablets. Others don't have a need or use for it. I think that is what this question is all about. My recent question is, if you have high-security concerns can you give a tablet "securely" to some careless (possibly) individual who has already lost a laptop without imposing data security controls that will make the tablet less enticing to use but are necessary or federal government-mandated?

And what if the organization is slow to adopt the proper controls, maybe even knowing that many will NOT want to use them because they are 'inconvenient'?

Let me ask this. Would you like your tablet as much if every time you go to use it, you have to enter a userid and a strong password? And this login times out every few minutes of inactivity? And if you misplace the tablet, you must report it immediately to your office and it will be WIPED clean remotely? If you play with secure data (government, medical, credit card, human resources or anything personally identifiable), your experience will require these inconvenient controls?

This is a major concern when I hear that some government workers require tablets. That's why there is a hesitation of some companies to use these devices and for use of the public cloud. Many still interpret "cloud" to be a public web service (Dropbox, Google, etc.) but most businesses that deal with sensitive data are working on private clouds. I mention clouds only in that some tie public cloud use to tablet use.