The Dirty Dozen Risks: Using Information Governance to Improve Information Security

Judy Selby / 4 min read.
April 14, 2015

No entity can completely safeguard itself from a data breach. Although that fact could lead many CIOs, CSOs, CISOs and even the few chief information governance officers to anxiety and despair, they should take heart. There are low-cost steps that can be taken as part of a good information governance program to substantially reduce an entity's risk of breach and position it for a rapid incident response.

It's not as complicated as one might think.

We've identified a dirty dozen list of common issues that affect the information security profiles of most entities and highlighted some helpful IG-informed answers.

1. Email Practices

For better and for worse, email has become the primary method of business communication. Valuable information assets often reside in email systems because employees exploit the convenience of messaging platforms to store unencrypted confidential, protected and proprietary information.

Companies can begin to address the problem by developing appropriate email deletion policies. Created within an IG framework, these policies call for automatically deleting emails older than X days, while ensuring that material subject to litigation holds and other key information (work in progress, research results, business records, etc.) are properly preserved. They should be developed with input from legal counsel as well as relevant business and administrative stakeholders.
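The deletion rule described above can be expressed as an ordered decision in which every preservation check runs before the age check. The following Python sketch is an added example, not part of the original article; the 90-day value for "X", the class labels, the field names and the sample messages are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = 90  # assumed value; the article leaves this as "X days"
PRESERVED_CLASSES = {"work_in_progress", "research_result", "business_record"}

@dataclass
class Message:
    msg_id: str
    received: Optional[date]          # None models missing or unparseable metadata
    custodian: str
    matter_ids: set = field(default_factory=set)
    record_class: str = "none"

def retention_decision(msg, today, held_custodians, held_matters):
    """Return (action, reason); holds and preserved classes always win over age."""
    if msg.custodian in held_custodians:
        return "keep", "custodian under litigation hold"
    if msg.matter_ids & held_matters:
        return "keep", "tagged to a held matter"
    if msg.record_class in PRESERVED_CLASSES:
        return "keep", f"preserved class: {msg.record_class}"
    if msg.received is None:
        return "keep", "no reliable date; route for manual review"
    if today - msg.received > timedelta(days=RETENTION_DAYS):
        return "delete", f"older than {RETENTION_DAYS} days"
    return "keep", "within retention window"

def sweep(messages, today, held_custodians, held_matters):
    """Dry run: msg_id -> (action, reason), suitable for an audit log."""
    return {m.msg_id: retention_decision(m, today, held_custodians, held_matters)
            for m in messages}

# Constructed sample data.
TODAY = date(2015, 4, 14)
HELD_CUSTODIANS = {"bob"}
HELD_MATTERS = {"M-001"}
MESSAGES = [
    Message("m1", date(2014, 12, 1), "alice"),
    Message("m2", date(2014, 12, 1), "bob"),
    Message("m3", date(2014, 11, 1), "carol", {"M-001"}),
    Message("m4", date(2014, 10, 1), "carol", record_class="business_record"),
    Message("m5", None, "alice"),
    Message("m6", date(2015, 4, 1), "alice"),
]

if __name__ == "__main__":
    for msg_id, (action, reason) in sweep(
            MESSAGES, TODAY, HELD_CUSTODIANS, HELD_MATTERS).items():
        print(msg_id, action, reason)
```

Running the sweep as a dry run first and recording the reason for each decision gives legal counsel something concrete to review before any deletion is enabled.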

2. File Shares and Other Unapproved Repositories

Every organization has content on file shares that is exposed to internal uncontrolled use and vulnerable to external actors through unauthorized access. To reduce exposure in the event of a breach, entities can create safe rooms and secure information within password-controlled repositories. They should also identify, classify and encrypt files containing critical information.

3. Encryption

Encrypting sensitive files sent outside the firewall protects against intentional or unintentional misdirection, interception and misappropriation because only the intended recipient has the key to decrypt the file. Encrypting internal files, however, may not always be practical since it increases costs and imposes a barrier to access. Selective encryption of important but infrequently accessed information may be advisable. For sensitive information that needs to be available to multiple users, creating safe zones with levels of security access may be more practical.

4. Protecting Shared Information Assets

Aside from encryption, technologies are available to protect information sent outside the company. Software tools can ensure that an externally shared file can be viewed only by the intended recipient and track routing if that person sends the file on to anyone else. Some software even tracks copies and screenshots of the file and reports this activity back to the sender.

5. Removable Media

Removable media storage devices, such as USB drives and recordable DVDs, can store massive amounts of data that mobile workforces rely on to stay productive. The downside is that they can easily be lost or misused by dishonest employees to steal corporate data. For some companies, disabling USB ports and prohibiting downloads onto removable media may be the best option. If prohibition is not feasible, companies should adopt clear policies concerning when downloading is permitted, what types of data can and cannot be downloaded, and when encryption is required.



6. Password Policy

Inadequate user passwords are weak links in the cybersecurity chain. Using password generators and enforcing periodic password resets to network assets and ECM applications behind the firewall can create stronger user passwords. Password vaults to assist users in tracking sophisticated passwords are also a relatively low-cost solution. Employees should also be trained to never share their passwords.

7. Hiring Practices and Background Checks

Consult with an employment lawyer about legally permissible ways to screen potential new hires for cybersecurity risks. Criminal records, credit and employment history could provide information a company might want to know before someone is hired and given access to the company's information systems. More in-depth screening may be desired for personnel who will have greater network access. Exit interviews of terminated and resigning employees can help identify security concerns and reduce the misappropriation of corporate information. Forensic analysis of an existing employee's hard drive for evidence of misappropriation might also be warranted in certain circumstances.

8. Ongoing Rights Management

Coordinated personnel information rights management is a classic IG scenario, and should incorporate a variety of enterprisewide concerns, including human resources, IT, business management and internal security. Access to the different components of corporate data should be on a need-to-know basis. Creating a matrix of rights per repository, per user, while not a simple exercise, can be implemented in increments.

9. Internal Tracking of Employee Activity

Several commercially available tools can track certain activity profiles, such as those created by external bad actors that breach the firewall and spoof internal users, and rogue employees seeking inappropriate access to corporate information. The effectiveness of these tools depends on establishing normal use baselines under a rights management policy to identify behaviors that deviate from the norm, which may indicate security risks.
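Items 8 and 9 fit together: the rights matrix says what is permitted, and the baseline says what is normal for permitted use. The Python sketch below is an added example, not from the original article or from any commercial tool; the users, repositories, log tuples and the mean-plus-three-standard-deviations threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed rights matrix (repository -> user -> allowed actions).
RIGHTS = {
    "hr-records": {"dana": {"read", "write"}},
    "finance": {"dana": {"read"}, "eli": {"read", "write"}},
}

# Constructed access events: (day, user, repository, action, files_touched).
HISTORY = (
    [(d, "eli", "finance", "read", n) for d, n in enumerate([10, 12, 11, 9, 13], 1)]
    + [(d, "dana", "hr-records", "read", 5) for d in range(1, 6)]
)
TODAY = [
    (6, "eli", "finance", "read", 240),     # permitted, but far above baseline
    (6, "dana", "hr-records", "read", 6),   # permitted, normal volume
    (6, "dana", "finance", "write", 1),     # dana holds read-only on finance
    (6, "eli", "hr-records", "read", 2),    # eli has no entry for hr-records
]

def out_of_policy(events, rights):
    """Events whose action is not granted to that user on that repository."""
    return [e for e in events
            if e[3] not in rights.get(e[2], {}).get(e[1], set())]

def build_baseline(history):
    """Per (user, repository): list of daily file counts."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, repo, _action, n in history:
        daily[(user, repo)][day] += n
    return {key: list(days.values()) for key, days in daily.items()}

def volume_outliers(events, baseline, k=3.0, min_days=5):
    """Events whose volume exceeds mean + k*stdev of that pair's baseline."""
    flagged = []
    for e in events:
        counts = baseline.get((e[1], e[2]), [])
        if len(counts) < min_days:
            continue  # too little history to judge; the policy check covers it
        # Floor the deviation at 1 so a perfectly flat baseline is not hair-trigger.
        limit = mean(counts) + k * max(pstdev(counts), 1.0)
        if e[4] > limit:
            flagged.append((e, round(limit, 2)))
    return flagged

if __name__ == "__main__":
    print("out of policy:", out_of_policy(TODAY, RIGHTS))
    print("volume outliers:", volume_outliers(TODAY, build_baseline(HISTORY)))
```

The two checks catch different things: the matrix flags access that was never granted, while the baseline flags granted access used at an unusual volume, which is what a spoofed or misused account tends to look like.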

10. IT Asset Disposition

Data, including sensitive information, can be stored on devices beyond just laptops, thumb drives, and external hard drives. Scanners, copiers and fax machines also store digital information as part of their standard functions. Because data-storing IT equipment has a limited life span, companies should implement strong, defensible policies to systematically deal with IT asset disposition. A solid plan, including adequate employee training, not only reduces the risk of a security incident or data breach, it also provides evidence that adequate safeguards and controls are in place should an incident occur. Disposition plans should address key issues across the entire IT disposition process.

11. Mobile Device Management

As Bring Your Own Device adoption grows and more business functions are conducted on mobile devices, entities should adopt adequate mobile device management (MDM) plans. Commercially available MDM software allows companies to automate management and control tasks on mobile devices, no matter where they are located. MDM tools allow companies to remotely provide maintenance services, backups and restorations, and locate, lock and wipe lost or stolen devices. Since every mobile device is a potential source of a security incident, implementation of a comprehensive MDM program should be a priority.

12. Employee Awareness and Training

The common thread throughout the preceding 11 steps is that employee awareness and training is crucial. The best network security in the world can be thwarted by a single negligent act, so ensuring that all employees understand their roles and responsibilities in safeguarding corporate information is vital.

Outside vendors and consultants can supplement employee training initiatives, but visible engagement by upper-level management can send a strong signal that information security is a top business priority.

By Judy A. Selby and Bryn Bowen

Categories: Cybersecurity, Privacy
Tags: Big Data, employees, encryption, governance, information, management

About Judy Selby

I co-chair BakerHostetler's Information Governance Team, founded the eDiscovery & Technology Management Team and counsel clients on ways to avoid information-related liability. I handle cutting edge privacy, data breach, information governance, cyber insurance and insurance coverage matters.

I frequently speak and write about information-related strategies and best practices. I have successfully completed a course on Tackling the Challenges of Big Data with the Massachusetts Institute of Technology (MIT), Professional Education and co-chair the Claims and Litigation Management Alliance (CLM) Cyber Liability Committee. I am a member of the ABA Big Data Committee and the Sedona Conference Data Security and Privacy Liability Working Group 11.
