For those of you with technical backgrounds think of applying an access list on a device in a network or deploying an intrusion sensor. Ideally you want to deploy either as close to the source of what you are trying to monitor and protect as possible. The data is on the inside, therefore we should start at the inside and work our way outward. This concept is extremely important as we start to consider technology solutions to help us better manage the information and data leakage issue.
From an organizational perspective, there is one weapon that every security practitioner has at their disposal that in many instances is not optimally leveraged. This weapon is ultimately the first and last line of defense in the protection of corporate information and data, as well as being the most variable in its ability to perform. The weapon that I refer to is the people in an organization. The people in an organization are closest to the critical data, so when it comes to data leakage they can be security's best friend or its worst enemy.
It is vitally important that information and data leakage and its potential impact to both the individual and the organization are covered fully in any new hire orientation session. It is also important to mention the protection of corporate information in any type of annual policy review acknowledgement that may exist. If neither of these vital parts of any training and awareness program currently exists, the data leakage issue may serve as a good leverage point to have them instituted in an organization.
The second important facet of people's involvement in combating information and data leakage in an organization is to have a mature and effective incident response capability. This is a very important aspect of any security program and equally important to any information and data leakage program. Incident response capability is the absolute last line of defense in this effort to protect information and data. Security practitioners should not operate under any illusions and should set expectations with senior management that no matter how well thought out a security program is, eventually there will be an incident of some type. The maturity of the incident response capability within a security program will make the difference between a complete disaster and a bad situation that can be overcome over the long haul.
If employees and associates can be trained and incented to understand the importance of this issue and how it can affect them, it will go a long way toward reducing the overall risk of leaking information and data from the enterprise.
Technology controls to protect informationWhile the organizational and people oriented elements just described are critical to the success of any program to protect data and information from abuse and improper disclosure, those elements alone are not sufficient to provide the fullest possible level of protection.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.