Media Management Policies - Who has them and who follows them?
January 21st, 2008 Drazen Drazic Posted in Bad Stuff, Dumb Security, governance
Based upon my experience, the J.C.Penny problem as reported by TechNewsWorld (and by every other IT news site) is more prevalent than some would imagine. I've lost track of the number of times I have seen and heard about missing storage media.
Most lost media never reaches the wrong hands. It simply gets lost and is probably thrown away or destroyed because whoever finds it has no means of reading what is on it. That said, it only takes one finder who does have the means to read it to do serious damage to the organisation that misplaced the data. Unless the media was encrypted before it left the building, the only thing protecting that data is the finder's lack of a compatible drive and software.
A lot of this comes down to organisations not having, or not implementing, good policies and practices around media management.
It always amazes me that many organisations spend so much time developing a "data classification" policy (sometimes spending years) but never have a "data storage, transmission and deletion" policy. What is the point of having the former if you don't have the latter? Think about it: you classify the data, and then what? Where does it go, how is it protected in transit and at rest, and when and how is it destroyed?
I think this is the core of the issue here. I wonder how many backups sit in rubbish tips just waiting to be discovered.


January 21st, 2008 at 7:14 pm
There are several parts to this:
1. We will never know how much media with confidential data goes astray without disclosure laws, period. A server walks out the door (à la ACS 3 years ago), people notice, and hopefully ask questions. If an employee leaves their laptop at a subway sandwich shop they are (after being ridiculed by most other members of staff) held accountable for the physical loss, after which you would hope they are questioned about what was on it, etc. We hear about these every day.
The problem here is that, even with disclosure laws, in a lot of situations it is too easy to lie. Now is generally not the time for the employee to say "Well actually, I was thinking of leaving so I have a full copy of the client database with all their details", or even that there may be sensitive info on it which they have been using for their job: password files etc.
The crux of the issue is that organisations are still focusing on tracking physical devices, not information. And of course USB sticks et al. render tracking physical devices a problem too.
2. The second point is on the policy side. Any Data Classification policy that doesn't cover storage, transmission and deletion is utterly useless. In fact I can hardly think of anything that is in a Data Classification Policy that wouldn't include or reference storage, transmission or deletion!