Eight Best Practice Strategies for Protecting Your Information
Protecting Confidential System Information and Data
Is your company at risk of data reaching the wrong people? Every organization has confidential information that it cannot afford to compromise. Today's highly competitive business environment intensifies the vulnerability and risk. Layoffs and possibly disgruntled employees, global operations, and outsourcing projects all widen your exposure. Increasingly popular "mobile" tools for accessing and distributing information, such as the Internet, email, and mobile computing devices, increase the risk further. The protection of confidential data on laptops is a top priority for both corporations and government agencies today. The impact of stolen or missing laptops is not merely about losing money. It is about losing the unsecured customer data and intellectual property stored on those computers, which can result in millions of dollars in compliance fines and customer notification costs, not to mention loss of competitive advantage and damage to your brand.
Information vulnerability and risk come from both malicious and unintentional disclosures by employees and partners; unintentional disclosures are usually the larger problem. Reducing these risks and vulnerabilities is now both a business imperative and a legal mandate as recent regulations impose obligations on organizations to protect certain types of information.
Global corporations and government organizations require more than network security and access control to guard their confidential data. They must protect the information itself, guide the behavior of those who handle the information, have visibility into where their confidential data resides on their network, have influence over where that data is going, and implement a policy for managing it. A strategy that balances the organization's legal and business need to protect information against the competing interest in sharing it is vital.
Eight Best Practice Strategies for Protecting Your Information
- Set up a team from various departments to evaluate and monitor your standard operating procedures (SOPs).
- Assess all risks.
- Identify and classify confidential information.
- Develop information protection policies and procedures.
- Deploy technologies that enable policy compliance and enforcement.
- Conduct data audits so that employees and other stakeholders are held accountable.
- Integrate information protection practices into all your business processes.
- Communicate and educate all your employees and other stakeholders to create a compliance culture.
Recommended Steps to Information Protection Strategy Best Practices
- Identify which information should be protected.
- Locate confidential data on the network.
- Distinguish types of confidential information and apply classification(s).
- Determine perceived risks and severity of information loss and develop SOPs to mitigate the risks.
- Identify existing information protection policies, procedures, and practices.
- Determine who has access.
- Demonstrate the flow of information internally.
- Provide evidence of information being sent by and to unauthorized users.
- Identify business processes that may cause information loss.
- Document at-risk confidential data.
- Quantify risk of noncompliance.
- Provide a record of information flow from inside the network to outside the network.
- Research software with automated policy builders. These tools generate policies that take advantage of software supporting policy compliance and enforcement. Such software tools:
  - Protect data wherever it is stored or used.
  - Discover and protect confidential information exposed on file servers, databases, Microsoft SharePoint, Lotus Notes, web servers, Microsoft Exchange, end-user laptops and desktops, and other data repositories.
  - Discover and inventory confidential data stored on laptops, desktops, and data repositories.
A cross-functional information protection team works most effectively to synthesize the results of the risk assessment, management survey, and software risk assessment tools. The team typically consists of representatives from Legal, IT and Corporate Security, with involvement from representatives of business units, such as Research and Development, Marketing and Customer Engineering, and representatives from Compliance, Human Resources, Corporate Communications, Audit, Competitive Intelligence, or Risk Management, among others, depending on the contribution that they can make to the priorities of the information protection strategy.
It is not sufficient to rely on software technology to prevent information loss. An employee who does not respect and protect information will likely put it at risk by sharing it in hard copy, verbally, or in some other manner, even if the technology to prevent unauthorized electronic transmissions is in place. The function of the cross-functional, interdisciplinary team is to ensure the effectiveness of the organization's information protection strategy.