The first step is to establish a data classification framework for the information within the organization. This is not an IT exercise. This activity must be conducted with the input and participation of the data owners (the staff in finance, marketing, human resources, sales, quality assurance, risk, etc.). I would also suggest keeping those responsible for auditing (internal or external) apprised of all of the classification decisions.
There must be agreement on what level of control should be used for each level of classified information. Conduct a risk assessment based on the output from this exercise and establish a risk acceptance level. Many companies have conducted these steps as part of their regulatory compliance activities.
The next step is to deploy solutions, or configure existing solutions, that will concentrate on logging and tracking the activities focused on your company's information. With many companies tightening belts in the current economic environment, the risk assessment process will help narrow the scope of monitoring to identify exposure. This will potentially provide justification for resource allocation to this more cost-effective solution.
It is also imperative to identify resources to review the outputs of your tools in a proactive mode. Taking this on provides the flexibility needed to review information in a manageable interval. Identifying deficiencies and developing corrective actions is key. It's also vital to perform self-assessments and validate that your processes are working as planned.
And, at least annually, have an independent assessment. This could be done by an internal IT audit team. This will provide you with independent validation. As your process matures and confidence in successful process execution is established, you can reduce the frequency to reduce costs.
This is by no means the complete recipe to solving this issue. The key takeaway is to initiate, or re-initiate, this dialogue within your organization. The days of security by obscurity are behind us. You can't fix what you don't know is broken.
[sidebar]
Regulatory driver
Many companies have devoted resources toward securing the perimeters of their network, says Rushton. This effort has been driven mostly by regulatory compliance requirements or was performed in response to a breach.
Compliance benefits
These efforts have contributed to improving the security and control of computing environments. Regulatory compliance guidelines have also provided more repeatable and better documented processes, says Rushton.
A need to be proactive
However, Rushton adds, many companies not specifically governed by regulations seem to have stopped short of completely addressing the issue of information leakage. There is less of a proactive focus on this topic.
Security awareness key
Every person in your organization will need to understand these challenges in order to assist in addressing them (via security awareness programs). But, that is a topic for another article, says Rushton.
Willie Rushton was formerly director of global information security at Sara Lee.
Photo by Susan Andrews