The Information Problem
Company-sensitive information is a critical resource within any business, and protecting that information throughout its lifecycle is essential to customer confidence, business information and employee privacy, among a host of other factors. Information passes through three basic stages: transmittal, storage and disposal. To reduce the risks associated with each stage, adequate controls must be in place.
Transmittal of Sensitive Data
Data is transmitted from point to point through voice conversations, emails, phone calls, remote connections and by placing information on shared drives, to name just a few examples. One way to protect sensitive data during transmittal is to ensure that end users are aware of the company's policies and procedures, as well as federal requirements regarding the transmittal or disclosure of sensitive information.
Additionally, risks can be reduced through the following controls:
- Identifying the sensitivity and data classification of the information being sent
- Verifying that information is marked with legends, labels, intended recipient(s) and an improper use statement
- Ensuring that the encryption being used is commensurate with the classification of the information
Storing Sensitive Data
There are three basic media to consider when storing sensitive information: hard copy format, local area network shares and portable electronic media (e.g., thumb drives and laptops). Hard copies should be kept in a locked desk or in a container such as a safe. Today, however, most of the information companies use is electronic and is shared over local area networks. Appropriate security controls must be put in place and monitored to effectively reduce the risk of unauthorized access. Some of these controls include:
- Enforcing strong passwords (e.g., at least 10 characters, including two digits, two special characters, two upper-case and two lower-case letters)
- Changing passwords every 30 days
- Using two-factor authentication where technically feasible
- Reviewing logs of successful and unsuccessful access attempts for anomalies and taking appropriate action
Strong encryption is also critical. In the case of laptops, full disk encryption will significantly reduce risks; for thumb drives, there are many on the market that support strong encryption as well as two-factor authentication using biometrics.
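As an added illustration of the log-review control listed above (example code written for this page, not taken from the article), the following Python script parses constructed access-log lines in an assumed "timestamp user= src= result=" format and flags three patterns a reviewer would want to act on: a burst of failed attempts from one source, a success that directly follows such failures, and a success outside working hours. The log format, the failure threshold, the time window and the working hours are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user= src= result=" format.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=alice src=10.0.0.12 result=SUCCESS
2024-03-01T08:05:40 user=bob src=10.0.0.15 result=FAILURE
2024-03-01T08:05:42 user=bob src=10.0.0.15 result=FAILURE
2024-03-01T08:05:44 user=bob src=10.0.0.15 result=FAILURE
2024-03-01T08:05:46 user=bob src=10.0.0.15 result=FAILURE
2024-03-01T08:05:48 user=bob src=10.0.0.15 result=FAILURE
2024-03-01T08:05:51 user=bob src=10.0.0.15 result=SUCCESS
2024-03-01T09:10:00 user=dave src=10.0.0.20 result=FAILURE
2024-03-01T23:47:03 user=carol src=198.51.100.7 result=SUCCESS
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$")

def parse_log(text):
    """Parse well-formed lines into dicts, skipping anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_anomalies(events, fail_threshold=5, window=timedelta(minutes=1), work_hours=(7, 19)):
    """Return (user, reason) findings. Thresholds are assumed values, not from the article."""
    findings = []
    recent_fails = defaultdict(list)      # (user, src) -> timestamps of recent failures
    for ev in events:
        fails = recent_fails[(ev["user"], ev["src"])]
        if ev["result"] == "FAILURE":
            fails.append(ev["ts"])
            fails[:] = [t for t in fails if ev["ts"] - t <= window]   # drop stale failures
            if len(fails) == fail_threshold:        # fire once when the burst is reached
                findings.append((ev["user"], "repeated_failures"))
            continue
        # A success that directly follows a run of failures deserves a second look.
        if fails:
            findings.append((ev["user"], "success_after_failures"))
            fails.clear()
        if not work_hours[0] <= ev["ts"].hour < work_hours[1]:
            findings.append((ev["user"], "off_hours_success"))
    return findings
```

Running `find_anomalies(parse_log(SAMPLE_LOG))` on the constructed lines reports bob twice (burst of failures, then a success) and carol once (off-hours success); dave's single failure stays below the threshold.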
Disposing of Sensitive Information
Electronic media should be overwritten using software that replaces the sensitive information with random, meaningless data. It is a common misconception that "deleting" data and emptying the recycle bin means the data is gone. This is not true; data removed in this fashion is still recoverable. Proper disposal of electronically stored information is vital in cases where the media will be handled by third parties, such as vendors that repair or dispose of a resource.
Customer data, engineering designs, marketing strategies and financial information are only a few of the areas where sensitive information has a significant presence within enterprises and should be protected with controls that are commensurate with the sensitivity of the data.
*Please visit www.MobileEnterpriseMag.com for an extended version of this article.