Consider this scenario: a busy senior executive gives his PA his password to check his email, and with it all his access privileges to stored data. It’s not an uncommon event, but it does present a potential security risk. Even if a policy forbids this, the chances are it will still happen, simply because it is the most convenient way for the senior executive to fulfil his role.
When it comes to writing the policy and considering the procedures required, the business needs to answer several questions. First of all: what gets stored? Clearly it is impractical to store everything – indeed it runs the risk of breaching either the Data Protection or the Human Rights Acts. So choices need to be made. Organisations also need to ask themselves where the information will be held? If only the essential documents are stored the implication is that they will need to be retrieved at some point. Accessing it in the future is going to be much more time consuming and inefficient if their whereabouts isn’t planned and recorded – not knowing where corporate knowledge is held is just as dangerous as not having good data security policies.
Which leads to the next question: what happens to the data once it has been stored? Who is going to look at it? And, equally important, who is not? Security is all about maintaining the confidentiality, integrity, and availability of information and proving non-repudiation. All the security technology in the world come to nothing if there is no way of controlling who can access the archives. And, with the increased need for reliable audit trails in mind, the enterprise also needs to prove who has, and hasn’t been viewing saved records and indeed, who has made copies.
Organisations need to address this issue from two angles: classifying the information, and identifying the user. Document management and identity management technologies are therefore two of the most crucial elements for any storage security policy. Most businesses underestimate how much data they produce: technology, especially email, has enabled unprecedented levels of duplication and filing anarchy. Unless a company has been exceptionally meticulous in its IT use there is usually little or no knowledge of what information has been created. Document management procedures will identify which records, files, and data need to be secured, and how long they need to be saved for.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.