Company officials must first decide what information is important to keep confidential. How can the data be accessed? Who can access it? When? And for how long? Information must be assigned a value, using implicit and explicit costs. The relative threats and risks to it must be evaluated, and a cost-of-defense threshold developed. A determination must be made as to how much the company is willing to spend to protect its confidential information.
Defining the confidential and critical information, the risks to each type of information, and the value to the organization allows ILP planners to focus on mission-critical assets first. In short, a data-protection plan follows the same steps that an organization would take when developing a business continuity plan -- only the focus is different. In a business continuity or disaster recovery plan, the focus is on the infrastructure and processes, and what it takes to make a company’s mission-critical tasks operational again. A data protection policy is by contrast information-centric.
Click for larger view.
Information is power
Next, information stores and communication channels must be defined. IT must know where all the critical data is stored and how it’s communicated between hosts. Consider client computers, file servers, e-mail servers, print servers, and database servers. Information is often transmitted using HTTP and e-mail, but don’t forget instant-messaging channels or removable media such as DVDs, CD-ROMs, and USB flash drives.
Also consider third-parties if they store or have access to your data. Negotiating the right to inspect and audit their controls on a periodic basis can go a long way toward reducing risk. It’s wise to include a clause in your contract that they forfeit the job the minute they fail to ensure adequate controls.
After you’ve hypothesized where the information is, find it and monitor it. Several vendors make tools that look for confidential information. Some scan server and workstation hard drives looking for tell-tell signs of protected data. The use of predefined data formats such as XXX-XX-XXXX would be recognized as a Social Security number and send out the proper alerts, while others do the same listening on network connections.