Stories by: Jon Espenschied

Looking over his glasses with a librarian's stare, an executive recently told me, "You IT people love the word 'governance' but it just seems too..." His voice trailed off as he searched for a way to tactfully convey his sense that "information governance" was a linguistic wedge designed to throw open the doors of board-level access for unkempt geeks and helpdesk managers. Instead of "governance," more comfortable phrases were suggested: "information policy board," "data management" or perhaps "IT steering committee."

When risk is present it calls for treatment, and security is a never-ending process... right? Yes, but as a security professional, it's easy to become focused on the hard problems (download PDF) of security -- falling into the arms race for more, more, more security controls -- and lose sight of the impact of the controls themselves.

Security assessment and deep testing don't require a big budget. Some of most effective security tools are free, and are commonly used by professional consultants, private industry and government security practitioners. Here are a few to start with.

News continues to worsen for business travelers carrying sensitive information. In a troubling ruling by the Ninth US Circuit Court of Appeals, US Customs and Border Protection (CBP) can continue its practice of warrantless searches through computer data held by US citizens and foreigners alike. With no cause or suspicion, the CBP may inspect, copy or seize data devices carried by anyone returning to the US. I'm not convinced that passive compliance is the best response to this situation.

This month marks two years of "In Security." Over the past year, some of my more popular columns have dealt with data aggregation and theft, the limits of risk management, getting along with human resources, how to spot and handle rogue security staff, encroachments on personal privacy, and the humor we find in the nonsensical things we hear from security consultants and the consulted. Sometimes it's the laugh of recognition; sometimes it's the laugh right before everyone looks away nervously and changes the subject. In either case, it's worth taking a look back before considering what's next.

The best phishing e-mail I've seen recently purported to come from none other than the head of the FBI. "Robert Mueller" was offering to ensure the safety of a money transfer from a confidential third party, if only the recipient would provide her or his bank information in an official-looking form.

Neither information technology nor security managers fire people in most organizations. That plain reality seems to escape some in the industry, where offended security administrators declare that disabling the anti-virus program is grounds for demotion or an IT manager finding unlicensed media makes arrangements for someone to make the cardboard box commute.

I can't find much difference between the Motion Picture Association of America (MPAA) members' business model and a band of large-scale ticket scalpers, but lately they and their music-industry cousins in the Recording Industry Association of America (RIAA) are exhibiting the collective cojones of a bank robber demanding change for the getaway car's parking meter.

If you're one of the many people itching to try out a certain funny-looking green portable computer, your moment is at hand. The One Laptop per Child project's OLPC XO device went on sale to the general public on November 12 at 6 a.m. ET -- albeit only for those who want to make a "buy two, donate one" deal in the process and only for a couple of weeks.

On the Internet, there's always a ghost in the room -- watching you, listening, recording your activities and interests, aggregating profiles or categorizing you, and whispering secrets and lies about you to others again and again.

When the "Exchange Ranger" came for a visit at a client site, his advice set the ball rolling for a much-needed upgrade from Exchange Server 2000.