The high profile news stories about Edward Snowden have brought the issue of sensitive data protection to the forefront. It was reported that Snowden had four laptop computers replete with top-secret U.S. intelligence documents. But what documents might he still have and will he use them?
From your company's perspective, can your valuable information walk out the door? Do you know where sensitive data is stored and are there controls in place to protect it? Are you prepared to answer the following questions to prevent your data from making the front page news?
From the C-suite perspective, we have put together five questions, each tied to a risk area, to consider when protecting your valuable information:
Where is sensitive data stored?
A risk map showing which servers, file shares, databases, and other systems contain sensitive information aids the general counsel when an event occurs. If the risk assessment determines that sensitive information is concentrated in one place, the company should consider compartmentalizing certain data throughout the organization.
Who has access to sensitive information?
Performing regular reviews of access permissions allows the company to manage risk. Additionally, questions can be asked of employees who have accessed restricted areas. Lastly, IT personnel should have their own individual logins rather than a shared, generic administrative account, so that actions can be attributed to a specific person.
Does our company have data security policies and does it monitor compliance?
Policies should be living documents, reviewed at regular intervals. In the case of an event, HR policies provide the company protection ranging from confidentiality to nondisclosure and non-solicitation agreements. Lastly, background checks of employees are crucial.
When an event occurs, will we have adequate evidence to understand what happened?
When an event occurs, digital footprints are the best source of evidence for determining what was taken. Hence, retaining logs that go back 12 months is key, including network logs, database logs, web server logs, and similar sources. The more events the company logs, the more information it will have to understand what has occurred. From a physical security standpoint, badge swipes, cameras, and other data-collecting devices provide additional data points.
Have we trained our employees on the policies in place?
Employees are the greatest asset as well as a potential liability. Employee training should take place at least twice a year and use case studies. Have a dialogue with employees about using the hotline if they notice suspicious activity or unusual behavior.
To prepare for an event, companies can run mock scenarios with a team of employees and outside professionals to help them get ready. By running these scenarios, companies can review the five questions above and make enhancements in each area as needed.
Bill Hardin was a Director in the Disputes and Investigations practice at Navigant. He has advised audit committees, boards, counsel, and management in numerous matters ranging from forensic accounting to turnaround management. He has performed many data incident response and theft-of-trade-secret engagements. Bill is a CPA/CFF, CFE, and PMP, and has an MBA from the University of Chicago Booth School of Business. He is a frequent speaker on financial and litigation risks. He serves on the board of directors of Illinois Legal Aid Online and acts on behalf of the Turnaround Management Association to provide pro bono services to financially distressed clients.