With constant media attention about the latest computer virus or the daily deluge of spam e-mail, most organizations have concerned themselves with what might come into an organization via its network, but they have ignored what might be going out. With data theft growing at more than 650% over the past three years, according to the Computer Security Institute and the FBI, organizations are realizing that they must prevent internal leaks of financial, proprietary and nonpublic information. New regulatory requirements such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act have compelled financial institutions and publicly traded organizations to create consumer privacy policies and procedures that help them mitigate their potential liabilities.
In this article, I suggest five major steps that organizations should take to keep nonpublic information private. I'll also outline how organizations can establish and enforce information-security policies that will help them comply with these privacy regulations.
Step 1: Identify and prioritize confidential information
The vast majority of organizations don't know how to start protecting confidential information. By categorizing types of information by value and confidentiality, companies can prioritize what data to secure first. In my experience, customer information systems or employee record systems are the easiest places to start because only a few specific systems typically own the ability to update that information. Social Security numbers, account numbers, personal identification numbers, credit card numbers and other types of structured information are finite areas that need to be protected. Securing unstructured information such as contracts, financial releases and customer correspondence is an important next step that should be rolled out on a departmental basis.
Step 2: Study current information flows and perform risk assessment
It's essential to understand current workflows, both procedurally and in practice, to see how confidential information flows around an organization. Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of leakage requires a more in-depth examination. Organizations need to ask themselves the following questions of each major business process:
- Which participants touch these information assets?
- How are these assets created, modified, processed or distributed by these participants?
- What is the chain of events?
- Is there a gap between stated policies/procedures and actual behavior?
By analyzing information flows with these questions in mind, companies can quickly identify vulnerabilities in their handling of sensitive information.
Step 3: Determine appropriate access, usage and information-distribution policies
Based on the risk assessment, an organization can quickly craft distribution policies for various types of confidential information. These policies govern exactly who can access, use or receive which type of content and when, as well as oversee enforcement actions for violations of those policies.
In my experience, four types of distribution policies typically emerge for the following:
- Customer information
- Executive communications
- Intellectual property
- Employee records
Once these distribution policies are defined, it's essential to implement monitoring and enforcement points along communication paths.
Step 4: Implement a monitoring and enforcement system
The ability to monitor and enforce policy adherence is crucial to the protection of confidential information assets. Control points must be established to monitor information usage and traffic, verifying compliance with distribution policies and performing enforcement actions for violation of those policies. Like airport security checkpoints, monitoring systems must be able to accurately identify threats and prevent them from passing those control points.
Due to the immense amount of digital information in modern organizational workflows, these monitoring systems should have powerful identification abilities to avoid false alarms and have the ability to stop unauthorized traffic. A variety of software products can provide the means to monitor electronic communication channels for sensitive information.
Step 5: Review progress periodically
Lather, rinse and repeat. For maximum effectiveness, organizations need to regularly review their systems, policies and training. By using the visibility provided by monitoring systems, organizations can improve employee training, expand deployment and systematically eliminate vulnerabilities. In addition, systems should be reviewed extensively in the event of a breach to analyze system failures and to flag suspicious activity. External audits can also prove useful in checking for vulnerabilities and threats.
Companies often implement security systems but either fail to review incident reports that arise or to extend coverage beyond the parameters of the initial implementation. Through regular system benchmarking, organizations can protect other types of confidential information; extend security to different communication channels such as e-mail, Web posts, instant messaging, peer-to-peer and more; and expand protection to additional departments or functions.
Protecting confidential information assets throughout an enterprise is a journey rather than a one-time event. It fundamentally requires a systematic way to identify sensitive data; understand current business processes; craft appropriate access, usage and distribution policies; and monitor outgoing and internal communications. Ultimately, what is most important to understand are the potential costs and ramifications of not establishing a system to secure nonpublic information from the inside out.
Stories in this report:
- Compliance Headaches
- Privacy Potholes
- Outsourcing: Losing Control
- Chief Privacy Officers: Hot or Not?
- Privacy Glossary
- The Almanac: Privacy
- The RFID Privacy Scare is Overblown
- Test Your Privacy Knowledge
- Five Key Privacy Principles
- Privacy Payoff: Better Customer Data
- California Privacy Law a Yawner So Far
- Learn (Almost) Anything About Anybody
- Five Steps Your Company Can Take To Keep Information Private