Aaron Greene is a private consultant who will be graduating from the Norwich University MSIA program in June 2008. He recently wrote to me as follows:

"I read your article today about the case in Vermont. I have been particularly interested in the legal matters of this case, but you definitely provided a unique viewpoint that I think all of us in the information security field need to understand: don't take encrypted devices (including PDAs, USB drives, and other flash or disk memory) out of the country.

"I would like to know how you think this issue should be dealt with by organizations. It seems that advising people to not take company owned devices out of the country is not enough and that there needs to be a policy. I would imagine that there would need to be some exceptions to this policy, such as obtaining prior approval from company officials.

"Or would this be overkill? Some companies do so much business internationally that this would cause too much administrative overhead.

"I am currently doing some consulting work for a health system located on the southern tip of Texas at the Mexico border, so this really made me think of how many employees are probably taking company owned devices across the border. I understand that geographic location doesn't make much of a difference, but I have to say that your article really opened my eyes.... I can't believe I hadn't thought of this before, especially since I just completed the MSIA program! This might make a good discussion question!"

Here’s an updated version of my reply:

One approach is to segregate confidential information to encrypted external disk drives. The rule could then be that the portable computer can leave the country but that the encrypted disk drive cannot.

To access sensitive information, the users could enable a VPN to reach a server for files and a secure encrypted Web interface for their e-mail. Thus they would have little or no problem doing their work but low risk of having sensitive information divulged. However, even encrypted channels are potentially subject to intrusion in totalitarian dictatorships such as the People’s Republic of China (PRC), where, in my opinion, everyone should assume that all communications by foreigners are being monitored by government operatives at all times and act accordingly. When I led a delegation of security experts to China in 1994, I warned everyone on the trip never to discuss or transmit confidential information at any time while we were in the PRC.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.