Geekzone: technology news, blogs, forums


Oriphix

523 posts

Ultimate Geek
+1 received by user: 32


#207366 21-Dec-2016 11:46

Just want to see if other IT pros have had a similar situation, get some ideas, etc.

As a normal approval process we normally CC in the change request approver & the end user so that all parties involved are kept in the loop.

Some of our customers (mainly directors and approvers) have now come back and said that the users shouldn't be CC'ed in the comms. The reason given, for example, is that there could be sensitive information in the reply email. So now we need to think of a new process to accommodate this.

So my question:
How do you handle sensitive information / emails in your company?
Do you do it all inside one CRM solution, or use multiple products to meet customers' requirements?

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1693190 21-Dec-2016 11:58
I work for a bank, so we deal with confidential financial information about our customers.

1) The CRM is designed and hosted in-house and is not available from outside the network without a bank-issued device and a VPN. "Untrusted" computers do not get CRM or network access. You do not get administrator access to the PCs, and they are locked down with strict GPOs to prevent the likes of USB flash drives from working; full disk encryption is also used, and a key is required on each and every boot for devices that leave the main buildings (e.g. laptops).
2) We use no externally hosted email solution; it is hosted internally too, with no access to email except through "Good for Enterprise" on bank-managed devices only or via the VPN.
3) Outbound email scanning with keywords is enabled. This does mean it can often take up to 5 minutes for an email to go external, but the information in the email is scanned. We have strict policies regarding potentially confidential email: the attachment has to be encrypted and the key given verbally to the customer, to ensure only the customer can open it (and not anyone else). Potentially confidential information is flagged by the filters and sent to a team for approval before the email leaves the network, and the staff member is given a warning when this happens (often false positives, but you can never be too sure).

I'm not going to state which bank this is or any other technical information, as this is slightly confidential, but this is both for PCI DSS compliance and for our customers' protection. It is extremely hard to get data out of the bank without somebody approving it first, so rest assured our customers' details are safe.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.
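The keyword-scanning and hold-for-approval control described in point 3 of the post above, sketched as an added example. This is not the bank's system or any product's code; the domain bank.example, the keyword list, the attachment checks and the sample messages are all constructed for illustration. Outbound mail to external recipients is scanned for keywords and for Luhn-valid card numbers in the subject, body and plaintext attachments; encrypted attachments (password-protected ZIP, encrypted PDF, OpenPGP files) are left alone because the key travels out of band, and anything flagged is held for a reviewer instead of being delivered:

```python
"""Toy outbound-mail DLP filter (constructed example, not any vendor's or bank's code)."""
import re
import struct
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "bank.example"  # assumption: the organisation's own mail domain

# Constructed keyword list; a real deployment tunes this against false positives.
KEYWORDS = re.compile(
    r"\b(confidential|account\s+(?:number|balance)|credit\s+limit|sort\s+code)\b",
    re.IGNORECASE,
)
# 13-19 digit runs, optionally separated by spaces or dashes (PAN-like strings).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, bytes] = field(default_factory=dict)  # filename -> content


@dataclass
class Decision:
    action: str                                  # "deliver" or "hold"
    reasons: list[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return card numbers found in text, masked so reviewers see only the last four digits."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def attachment_is_encrypted(name: str, data: bytes) -> bool:
    """Cheap structural checks for 'attachment is encrypted'; the key goes out by phone."""
    if name.lower().endswith((".gpg", ".pgp", ".asc")):
        return True
    if data[:4] == b"PK\x03\x04" and len(data) >= 8:
        # ZIP local file header: general-purpose flag bit 0 set => entry is encrypted.
        (flags,) = struct.unpack_from("<H", data, 6)
        return bool(flags & 0x0001)
    if data[:4] == b"%PDF":
        return b"/Encrypt" in data
    return False


def scan_outbound(mail: OutboundMail) -> Decision:
    """Policy: internal-only mail passes; external mail carrying confidential markers is held."""
    if all(r.lower().endswith("@" + INTERNAL_DOMAIN) for r in mail.recipients):
        return Decision("deliver")

    reasons: list[str] = []
    for label, text in (("subject", mail.subject), ("body", mail.body)):
        for kw in sorted({m.group(0).lower() for m in KEYWORDS.finditer(text)}):
            reasons.append(f"{label}: keyword '{kw}'")
        for pan in find_pans(text):
            reasons.append(f"{label}: card number {pan}")

    for name, data in mail.attachments.items():
        if attachment_is_encrypted(name, data):
            continue  # encrypted per policy: nothing to inspect, nothing to flag
        text = data.decode("utf-8", errors="ignore")
        hits = [m.group(0).lower() for m in KEYWORDS.finditer(text)] + find_pans(text)
        if hits:
            reasons.append(f"attachment {name}: unencrypted, contains {', '.join(sorted(set(hits)))}")

    return Decision("hold" if reasons else "deliver", reasons)


def demo() -> dict[str, Decision]:
    """Constructed sample traffic (no real customer data); returns the decision per message."""
    zip_encrypted = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22   # flags = 0x0001
    ext = ["jane@customer.example"]
    samples = {
        "internal": OutboundMail("ops@bank.example", ["audit@bank.example"],
                                 "Account balance review", "confidential figures attached"),
        "clean": OutboundMail("ops@bank.example", ext, "Branch hours",
                              "We are open 9-5 on Saturday."),
        "pan_in_body": OutboundMail("ops@bank.example", ext, "Your card",
                                    "Card 4111 1111 1111 1111 is now active."),
        "encrypted_attachment": OutboundMail("ops@bank.example", ext, "Statement",
                                             "Password given by phone.",
                                             {"statement.zip": zip_encrypted}),
        "plain_attachment": OutboundMail("ops@bank.example", ext, "Statement",
                                         "See attached.",
                                         {"statement.txt": b"Account balance: 12,345.67"}),
    }
    return {k: scan_outbound(v) for k, v in samples.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:22} {d.action:8} {'; '.join(d.reasons)}")
```

Run it directly to see each sample's decision. The Luhn check is what stops the filter from holding every 16-digit reference number, which is the false-positive problem the post mentions, and the masks keep the full card number out of the approval queue itself. The attachment checks only confirm that the container is encrypted; they say nothing about whether the password was strong or was sent in the same email, which is why the post's out-of-band key delivery matters.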




networkn
Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified
Trusted
Lifetime subscriber

  #1693191 21-Dec-2016 12:02

We do this slightly differently.

We get the end user to request the change, copying an authorised person; then it's up to the director to approve it, and who they copy is up to them.

If the end user asks, we tell them it's sitting with the director and to check with them on progress.

No member of staff is given access to anything unless it's approved. NO remote access is permitted without written confirmation AND a call from the client.


Oriphix

523 posts

Ultimate Geek
+1 received by user: 32


  #1693382 21-Dec-2016 16:18

@michaelmurfy - I would expect nothing less from a bank :) It's good to know they take security seriously.

@networkn - I like that: push it back on the customer. Our customers want us to facilitate that, which isn't a problem; we just need to find the right balance. (They are a bit spoiled, but we love them.)

The problem is how to keep the communication with the approver confidential so the end user isn't aware. Normally the end user would request something and we would email the approver out of the same ticket, so the transcript is transparent.

I think the simplest solution may be to have two tickets: one to get approval, and a second one to let the end user know the outcome. It's less transparent, but it achieves the end "goal".



NightStalker
327 posts

Ultimate Geek
+1 received by user: 159


  #1693406 21-Dec-2016 17:24

Tricky....

Can you name your CRM system?

In past situations where external CRM requests were approved, a single internal ticket is created with the attachments/other emails attached to it - got to keep auditing happy.

In my personal experience/implementation of such things:
1. Let the user know what is going on. Even if you don't know, give a time frame (e.g. 3 days/1 week) that is consistent with non-BAU requests (I hope you have guidelines): "I will get back to you by <date>".
2. Be honest. "I don't know" (but you need to own that answer) is a perfectly reasonable response, but also say when you will update them. This gives you time to seek an appropriate answer or escalate to someone who can answer.
3. You don't own the problem. Too often I see individuals stressing about stuff that is not their problem.

Number 1 rule - own it, but escalate.

In your instance I think there may be a need for a sit-down with the customer to define a flow process.

It really depends on what your systems are capable of. Nothing is perfect, but by at least establishing a basic workflow, people can work with it.

You may need to create a ticket with no performance metric for these requests, to avoid penalties.


Oriphix

523 posts

Ultimate Geek
+1 received by user: 32


  #1693502 21-Dec-2016 21:13

@NightStalker - I think you have hit the nail on the head. We just need to sit with the customer and create a flow.

It would be nice to create a process flow that we can apply across the board, rather than one thing different for each customer. Easier for the service desk and the parties involved to understand and follow.

vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #1695660 28-Dec-2016 09:50

michaelmurfy: "Good for Enterprise" on bank-managed devices only or via the VPN.

I once reviewed GFE for an agency. I found hacks on the internet to easily decrypt the on-device database for both iOS and Android (which gave access to email). I also found that emails were staged in their US datacenters despite them saying they were not (and when pushed they offered up a stock letter saying they would fully comply with DHS data requests, i.e. hand over your data). They offered up FIPS compliance as a feature; it turns out that only applied to the military-grade product and not to GFE.

It does make me giggle when people puff their chest out and say 'we use GFE'. (Not a go at you michaelmurfy; most people don't know this about GFE.)

This was back in 2012/2013, so who knows, maybe they've changed.

SepticSceptic
2263 posts

Uber Geek
+1 received by user: 779

Trusted

  #1700519 9-Jan-2017 14:35

GFE means different things to different people. Googling GFE brings up something totally unexpected ...

They really should test their TLAs against Google before touting their TLAs ...