Best Method to Protect Drawing Office Data

Status
Not open for further replies.

Joblack

Marine/Ocean
Jun 7, 2004
61
We have a small design business and would like to sound out the best way to protect our and our consultants' drawing and design information. We have on various occasions heard of designers/cad operators who have media with copies of data from previous employers.
The drawing info in our office resides on a shared server which all the workstations have access to, all the workstations have dvd drives and usb ports. All our past projects and current projects are accessible, the past projects are there for the odd reference purpose. We realize that there must be an element of trust with your employees, but on occasion there could be the more unscrupulous or ambitious employee who can easily take advantage of such a situation, especially with flash drives etc.
So what is one to do, lock down the removable media, run monitoring software, keep only current projects accessible?
How do other design engineering offices take care of this situation amicably and in a mature way?
 
You could allow one person only "drive" (even a network drive) and they would need "permission" to get to the others. We sort of do that. I can't get to the financial drives and the financial people can't get to the engineering drives. Of course the admin can get to ALL!!

Part of their employment contract could include language that they can't reveal, steal, etc. Most contracts do. Then if they get caught - you have some recourse.

Bottom line - you do have to trust people - mostly. While I am not a super geek - I am sure given a little bit of time - I could crack all of our servers.
 
Joblack,

1. You need a security policy, and you need to make all your full time people aware of it.
2. You need some sort of security levels, so that everyone can get at the stuff that is not security critical.
3. Trustworthiness is an absolute requirement for your full-time employees. Didn't Ross Perot fire employees who cheated on their wives?
4. You need to be able to construct a "sand box" for temporary and other untrustworthy people to work in. They would see only data they need to do their jobs. This should be manageable somehow with your PDM software. You can offend people by doing this, so your relationship with these people will have to be managed carefully.

JHG
 
Too true Mike, we have all those points mentioned in place. Possibly our best option is to archive all past projects out of the shared folder (we do not have pdm) and pull it out manually when required, although this will require some careful admin so as not to write over archived files and or have duplicate data all over the place. The bottom line is to implement a system that protects the company's data without looking or being like big daddy.
 
Well, what exactly are you worried about them stealing?

I worked at a mid size firm for a while who used to do "Security Through Obscurity" as a simple stopgap measure sometimes. They weren't as worried about an employee stealing their standard details or notes, but were worried somewhat about access to sensitive bid information, so they'd still call that in a folder on the shared drive called "Laura's Wedding Photos" where nobody would think to look if they didn't already know what was in there.



Hydrology, Drainage Analysis, Flood Studies, and Complex Stormwater Litigation for Atlanta and the South East -
 
You also need:
> A clean and systematic filing system on the server to make it easier to archive and retrieve data. At a previous job, we had an electronic version of how the design files were stored in filing cabinets, which included, design reports, costing, analysis worksheets, design files, datasheets, etc.

> Some means of retrieving data files that are OBE by software version changes, etc. Orphaned data files are basically useless, so the archiving process needs to ensure that data is also saved in some form of STP or IGS format. While you might not want to use them as a go-from for a new project, the standardized file formats will allow you to get pertinent information.

> Likewise applies to analysis reports, etc. Matlab, Mathcad, or Excel files need to be archived so as to be retrievable when the analysis program has orphaned the older versions of the datafiles.

TTFN

FAQ731-376
Chinese prisoner wins Nobel Peace Prize
 
Most cad Jockeys upon interviewing for a job will be asked if they have a portfolio.
Prospective employers like to see samples of an applicant's work; they are usually not impressed by college work, they want to see real world examples.
You can meet your employees half way on this, by allowing them to save non-sensitive examples of work they do at your establishment. You vet what they have, and you decide what they can put into their portfolio. If they take anything else, then that is stealing.
B.E.

The good engineer does not need to memorize every formula; he just needs to know where he can find them when he needs them. Old professor
 
Just taking or stealing, it is the same thing. We have no qualms with cad guys or designers asking for samples of their work that is relevant. We work with associates who are at the top of their field internationally and therefore the data they supply us to do their work is also pretty confidential. It is hard to think that most engineering/design firms would allow cad operators/designers to pop in their 32Gig flash drive into their workstation with their music or whatever, and not raise any eyebrows with the principals. Surely there must be some guidelines/standards/procedures that firms follow to take care of such situations; or does one implicitly trust your staff and expect that they will act responsibly and like adults?
 
Joblack,
Drawoh hit it on the head, you need a security policy.

The defence industry has this pretty well down, but I suspect that you are a commercial ship builder or accessory manufacturer.

I am presuming you have contracts with non disclosure agreements.

Since it is virtually impossible to stop people using removable media devices (I have one that folds up into a credit card), one way would be Ronald Reagan's old motto, "Trust but verify": implement a random exit search policy.
I am afraid that for some part of that, you are going to have to look like "Big Daddy".

B.E.

The good engineer does not need to memorize every formula; he just needs to know where he can find them when he needs them. Old professor
 
There's a practical limit on any security system. If you attempt to create the "ultimate" security system, you will incur substantial inefficiencies and costs, and you'll practically need a full-time person to manage the access controls and deal with daily issues with access to files that someone needs.

With a completely isolated universe for each user, collaboration becomes more difficult, re-use and commonality become more difficult, etc. While we'd like to have complete isolation with our classified computers, we'd double or triple the hardware resources we currently employ, and I'd suspect a similar issue with other computer-based processing.

TTFN

FAQ731-376
Chinese prisoner wins Nobel Peace Prize
 
Head nod to everything that has been said so far, but trust only gets you so far... once a single piece has walked out of the door, all of the trust in the world makes it irrelevant. As mentioned, I don't have access to financial info, and the accountants don't have access to my designs. If you really wanted to lock things down, don't give them a chance to transfer the data to anything they can take with them... USB ports can be disabled (not just BIOS, but physically unplugging them from inside the case), system covers can be locked to prevent access to case internals, writable DVD drives can be replaced with inexpensive read-only drives, wireless keyboards/mice can be used (or route the wires out of the case through drilled holes), etc.

Dan - Owner
 
Just bear in mind that overt measures are easily noticed by workers, who, feeling an air of distrust, may not work as hard or as often. Loyalty cuts both ways. If you don't trust them, they won't trust you.

You might trade a short period of turmoil of one errant worker with a permanent air of mistrust and surliness from all workers.

While removing USBs is certainly possible, you still have to allow for email and internet, so USB access may just be completely moot. One can easily create an FTP site and upload entire databases. So, do you want to go that step? As I mentioned earlier, this is the line of practicality, and mutual trust, that you cross at your own peril.

TTFN

FAQ731-376
Chinese prisoner wins Nobel Peace Prize
 
IR,

I agree that it may create distrust in certain environments (such as those where trust was already standard fare), but I don't agree in every case. Take, for example, the defense contractors mentioned earlier... do those employees fail to work hard because they think their employers don't trust secrets from getting out? Doubtful, or else they wouldn't work there. It's a given coming into the job that you will be scrutinized, your ability to transfer info will be severely hampered, etc. If you make it part of the corporate mentality from the beginning, one employee is no different than the next, so no feelings of mistrust (except in those predisposed to gruff feelings to begin with, and those employees will always be trouble no matter what you do).

Dan - Owner
 
"do those employees fail to work hard because they think their employers don't trust secrets from getting out?"

No, because we don't impose the severe restrictions suggested earlier. If we did, morale would most likely nosedive, and we'd get a workforce that was just low-side compliant, which is not what we want.

TTFN

FAQ731-376
Chinese prisoner wins Nobel Peace Prize
 
So you're saying you work for a defense contractor on sensitive material and they do nothing to lock down those materials from possibly leaving the building? That's certainly not like the defense contractors I've ever dealt with... and I'm not sure the government would like to hear such a thing. Something is missing from this story...

Dan - Owner
 
Of course you lock everything up and have a "librarian" that only honors requests from each individual.

If you start at 8:00 am - it would probably be 10:00 am before everyone got to work??!!

And you have to hire the librarian and trust him/her??!!

Random audits might be good. Just look at the traffic once in a while and see who is hitting what drive/folder. Any suspicious activity would surely pop up. Let people know that you are doing this.

There are computer programs that will do this for you. Don't know any names but I know they exist.
 
I feel that locking down is a drastic move which can compromise trust and morale to a great degree.
Archiving old projects and or keeping them in a read-only folder and then keeping track of file movement on current projects is most probably the way to go as the company knows what is happening and the cad guys only need to feel offended if they want to do file copying that is not approved of.
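
An added example, not part of any post in this thread: one way to run the periodic access review suggested above, listing users who read many distinct files under the archived-projects folder in a single day. The CSV log layout, the `projects/archive/` prefix and the threshold are assumptions to adapt to your own file server's audit export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of file-server events: timestamp, user, action, path.
# The column layout is an assumption, not any specific product's format.
SAMPLE_LOG = """\
2024-03-04T09:12:01,alice,READ,projects/current/hull-12/lines.dwg
2024-03-04T10:40:15,alice,READ,projects/archive/2019-ferry/ga.dwg
2024-03-05T17:58:02,bob,READ,projects/archive/2019-ferry/ga.dwg
2024-03-05T17:58:09,bob,READ,projects/archive/2019-ferry/stability.xls
2024-03-05T17:58:20,bob,READ,projects/archive/2017-tug/lines.dwg
2024-03-05T17:58:20,bob,READ,projects/archive/2017-tug/lines.dwg
2024-03-05T18:01:44,bob,WRITE,projects/current/hull-12/lines.dwg
corrupted line
"""

ARCHIVE_PREFIX = "projects/archive/"  # assumed location of past projects
THRESHOLD = 3                         # assumed: distinct archived files per user per day


def review_access(log_text, prefix=ARCHIVE_PREFIX, threshold=THRESHOLD):
    """Return {(day, user): sorted archived files read} for users at or over threshold."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the review
        timestamp, user, action, path = (field.strip() for field in row)
        # Normalise Windows-style separators and case so one file counts once.
        path = path.replace("\\", "/").lower()
        if action.upper() in ("READ", "COPY") and path.startswith(prefix):
            seen[(timestamp[:10], user.lower())].add(path)
    return {key: sorted(files) for key, files in seen.items()
            if len(files) >= threshold}


if __name__ == "__main__":
    for (day, user), files in sorted(review_access(SAMPLE_LOG).items()):
        print(f"{day} {user}: {len(files)} archived files read")
        for name in files:
            print("   ", name)
```

Counting distinct files rather than raw events keeps a designer who reopens one reference drawing all day out of the report, while a sweep across several old projects stands out.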
 
@MGS2000 No, two different topics.

While the classified material requires a certain level of handling, because it's classified, we don't necessarily take a draconian approach either. So while there is no Internet access, mainly to prevent intrusions from the outside, we do have working CD drives, so someone could potentially walk away with classified information that way.

In the case of the server-based, unclassified, design files, we likewise do not impose draconian protection levels, like stripping away Internet access, removing USBs, removing CD drives, etc.

TTFN

FAQ731-376
Chinese prisoner wins Nobel Peace Prize
 