Policy Workbook: Data Protection as a Process

Every business has information assets leaking out the doors. In most cases, this is acceptable use: Salespeople must have contact information with them to do their jobs, and partners need access to at least some of the data in your systems. But what about data that flows into the wrong hands, either through malicious intent or accidental disclosure?

Vendors are flooding the market with offerings aimed to stop the flow, but the fact is, they're not there yet. Fully protecting data is still more process than product. Your best defense against data loss is what it always has been: training, policy and procedure. Define "proper use," teach your employees what they may and may not do with data, and enforce the rules, with punitive measures if necessary. System owners and end users must be taught loss-reducing strategies, and how to watch for aberrant behavior. Once they understand the issues and how they can help, you may be surprised at how willing they are to avoid getting your company in the news for the wrong reasons.

The first step is defining what acceptable use of data is for any given group in the organization. IT should partner with line business-process owners to determine this information. Is it acceptable for the group in question to store customer data on their desktops? What if an employee's "desktop" is a laptop that leaves the building each night? How much customer data can employees carry out of the building and still comply with an acceptable use policy? Can users print lists of customers and/or prospects? What is the acceptable use of USB devices? Which customers do users have rights to access data for--should the Northwest U.S. regional salesperson be downloading lists of European prospects? These are the type of things you need to determine. It's not easy, but it is worth the effort in the long run.

No acceptable-use policy will ever cover every possible data-loss scenario. Rather, define guidelines and mandate that system owners be trained to understand what behavior they should be looking out for, and what types of systemic weaknesses they should be trying to fix. Provide clear direction on broad types of user actions that constitute risk and are outside acceptable use, then give them a place to report this behavior. Help them understand that a user querying for customers that are not in her area of interest--like the "Top 5 percent of revenue generators" is a possible threat to the organization, and tell them who needs to know about this activity.

System owners do not want to be the source of a data leak; they'll help you resolve issues if you help them understand the level of threat. You're competing for limited resources, but the clearer the message, the more likely they are to respond positively.

Next, you need to train staff on what is "acceptable use" and what is risky behavior. Your official policy should make clear the true cost to the company of a lost laptop or PDA. Help them to understand that the more data there is on the laptop, the greater the risk to the organization. If a user realizes that the hardware cost is the least of it, he may be less likely to leave his laptop unattended at a coffee shop, or in an unlocked car. In today's regulatory environment--as the VA has shown--thefts must be reported as if each was a malicious attempt by identity thieves, even though it's often a teenager hoping to score a new laptop.A policy that is ignored by end users is worse than no policy at all, because you have a false sense of security. Find out whether the policies you've defined are seen as intrusive to any group's ability to perform its tasks. If it is, work with them to rectify the situation. Don't let them say, "We need unlimited and unmonitored access to all data," but try to understand their view. As history has taught us, users will find ways around an intrusive policy, while well-planned security rules are easily assimilated and become just another part of doing business.

Don MacVittie is a senior technology editor at Network Computing. Write to him at dmacvittie@ nwc.com.