Are reports of data loss and theft just the tip of an iceberg that at best compromises growth and at worst can result in the demise of businesses? Dr. Jim Kennedy, MRP, MBCI, CBRM, gives his views.
As we all remember from our security classes, confidentiality, integrity, and availability are the three pillars of data security. In my business as a security, business continuity and disaster recovery consultant, I see every day how various companies address these three areas. Some do very well, some not so well, and some really poorly.
Given all the regulations and standards (like HIPAA, SOX, and PIPEDA) developed and published over the last five years, you would think that we should be doing better. Based on recent events quite prominent in the press and trade journals, I am not so sure.
We continue to read about companies that have had data leakage, a politically correct way of saying data loss or theft. We hear about external theft of credit card and personal information and, worst of all, we hear of companies that have lost critical information due to a computer error, natural disaster, systems or network failure, or just poor operational and security practices.
Why the increase in data loss and theft?
How, now, with all the rapid advances in technology and a tenfold increase in knowledge about security and business continuity, can corporate America still be suffering from corrupted, lost, or compromised mission critical or personal and confidential data?
For the most part companies are very complex entities, and in being so they create, modify, move, and store data and critical information all over the place, sometimes in places they are not even actually sure of. These companies have such complex infrastructures that they are not exactly sure how the data they save is being stored or transported, so a loss of tapes by a carrier could be more common than is realized. They are not sure how or where exactly their data is stored, so losing critical files due to a flood or natural disaster could be more common than is realized. They are not sure where all the data is, so having critical data on laptops stolen from homes or parked cars could be more common than is realized. In fact, both internal and external breaches can become more common, and they do seem to be on the increase. If an organization is not sure where all of its sensitive, personal, or mission critical data is, how can it possibly safeguard and protect it?
Even where companies do have a good handle on their data and where it is physically located, I have found that many companies do not know whether their security and business continuity policies and procedures are implemented correctly or are actually being followed. In general there is a lack of business continuity plan exercising and literally no security awareness training in many of the Global 1000 corporations, so there is a general lack of security understanding as part of the overall corporate culture.
It is very typical for medium to large organizations in industry sectors such as manufacturing, petrochemical, energy, and pharmaceutical to do fairly poorly at classifying and tracking the storage and movement of confidential data, and equally badly at communicating and training employees on security and business continuity policies.
So, with the ever-increasing amounts of sensitive, personal, and mission critical data that firms are operationally required to create, move, and store, going hand-in-hand with increasing legislative retention requirements, what are companies to do?
I like to keep things very simple:
* Every company should have an information classification and handling policy in place.
* All employees should be trained in the classification and handling of all forms of company information and data.
* There should be an inventory of all critical or sensitive data that the company reviews, creates, maintains and stores. This inventory should be maintained and reviewed periodically to ensure that it is properly secured and protected.
* Further, a policy should be implemented that NO critical or sensitive data is to reside on any portable or movable device without the express permission of a senior manager responsible for that data.
* All employees should be required to attend some type of company sponsored training in information security and business continuity, especially all new hires.
If companies follow these basic ideas I believe that it is possible to maintain control and necessary oversight. I also believe that companies can use the tools available today to provide protection for the data they are responsible for. They just need to apply the tools and techniques and then make sure that proper diligence and vigilance in the handling of critical and sensitive data are continuous and never-ending!
When your faucet leaks you call a plumber almost immediately to fix it. Let’s do the same for data leakage. Call in the proper experts to identify the sources for the leaks and fix them.
Dr. Jim Kennedy is the Business Continuity Services Practice Lead and a Consulting Member of Technical Staff for Lucent Technologies. Dr. Kennedy has over 25 years' experience in the business continuity and disaster recovery fields and holds numerous Master-level certifications in network engineering, information security and business continuity. He has developed more than 30 recovery plans, planned or participated in more than 100 business continuity and disaster recovery tests, helped to coordinate three actual recovery operations, authored many technical articles on business continuity and disaster recovery which have been published both nationally and internationally, and is a contributing author for two books, the 'Blackbook of Corporate Security' and 'Disaster Recovery Planning: An Introduction'. email@example.com
Date: 21st June 2006 • Region: US/World • Type: Article • Topic: ISM