It is vitally important that information and data leakage, and its potential impact on both the individual and the organization, are covered fully in any new-hire orientation session. Protection of corporate information should also be mentioned in whatever annual policy review acknowledgement exists. If neither of these elements of a training and awareness program currently exists, the data leakage issue may serve as a good leverage point for having them instituted.
The second important facet of people's involvement in combating information and data leakage is a mature and effective incident response capability. This is a very important aspect of any security program and equally important to any information and data leakage program. Incident response is the last line of defense in the effort to protect information and data. Security practitioners should operate under no illusions, and should set expectations with senior management that no matter how well thought out a security program is, eventually there will be an incident of some type. The maturity of the incident response capability will make the difference between a complete disaster and a bad situation that can be overcome over the long haul.
If employees and associates can be trained and given incentives to understand the importance of this issue and how it can affect them, it will go a long way toward reducing the overall risk of information and data leaking from the enterprise.
Technology controls to protect information
While the organizational and people-oriented elements just described are critical to the success of any program to protect data and information from abuse and improper disclosure, those elements alone are not sufficient to provide the fullest possible level of protection.
To this point we have discussed the need for a data classification policy in an organization and the need to have the proper structure, incentives and capabilities around user awareness, training and incident response to educate the community with regard to that policy on an ongoing basis.
To properly monitor and enforce those policies, there needs to be a sound implementation of appropriate technology solutions to provide the "teeth" for the policies and processes established around the protection of data and information in the enterprise.
There are several technical elements that make a good information and data protection framework. These elements include:
- Mature identity infrastructure
- Digital or enterprise rights management (DRM/ERM)
- Data leakage prevention (DLP)
Identity infrastructure is the base on which most of the other tools and solution types depend in order to operate properly. Without reliable identity there can be no consistent assignment of rights and privileges to information resources across the enterprise: a rights management or DLP control can only make a decision about a user if it can determine, from a trusted source, who that user is and which attributes (role, department, clearance) apply to them. Most organizations have many moving parts in their identity infrastructures, and invariably some parts are either missing or not working to their full potential. Without a viable identity infrastructure, many of the tools designed for monitoring and protecting information and data will have only limited success at best; at worst they may be seen as a failure. Once a solid identity infrastructure is in place, with a granular set of user attributes, additional solutions can be deployed for the protection of data and information.