Security Manager's Journal: Getting a handle on the data
Improved data handling should be an easy win for our manager, who is especially excited about IP protection.
Three months into my new job, I've had a chance to assess the landscape and establish some priorities. No. 1 will be the way we handle data.
At issue: When a security manager takes on a new job, he has to assess the landscape and set priorities.
Action plan: The first big push will involve data handling, because the CFO is behind the initiative -- and because data-handling projects involve the protection of the company's intellectual property, which is always a good idea.
There's a very practical reason for this. Before I arrived, the company had spent a lot of money on a third-party data assessment. The findings were startling, and the CFO expects remediation in short order. I want to capitalize on that.
But at least one aspect of data handling is near and dear to the heart of any security professional: the protection of intellectual property. The other goals of our project to improve data handling -- data classification and data retention -- are of more interest to Legal; by including them, I can get some traction and some valuable collaboration time with that department. Some wins there should serve the juicier IP protection aspect well.
I will recommend to Legal that we come up with two or three data classifications, such as "Confidential and Restricted" or "Confidential and Special Handling." Once Legal and some other key business units agree on the classifications, we can create some policies and processes so that workers can determine the classification of data and mark or protect it accordingly.
As for data retention, I will work closely with our internal counsel and, most likely, a firm with experience in retention law. Various federal and state laws require companies to keep certain documents for specified time periods. We will want to develop a policy and a retention schedule for all the categories of documents that we are required to keep. Next, I will add information on these retention policies to my security awareness training program. And we'll need to ensure that we have a place for storing retained data that can accommodate everything from e-mail messages and attachments to Oracle Financials and PeopleSoft HR documents.
ROI for IP
With the program to protect our intellectual property, there is a chance that I will be able to expand my staff and security infrastructure. That's because IP protection is one of the few technology initiatives that has the potential to generate real return on investment. Say that an employee who is planning to leave the company e-mails himself the source code for one of our next-generation products before his departure. If he is successful and isn't detected in time, he could sell that code or use it himself in ways that would directly and negatively affect our future revenue.
But there are certain tools that can detect such activity, giving us a chance to stop potential thieves before they can abscond with the virtual goods. I hope to get the go-ahead -- and the budget -- to deploy them.
To be specific, I am bullish on data leak protection software. I used it at my previous company to detect when intellectual property inadvertently or intentionally left the company network.
To discuss security with fellow Computerworld readers, go to computerworld.com/blogs/security.
I have told our legal counsel about the potential savings we could realize with such tools, and he is interested in moving forward with the effort. I'll keep evangelizing for this program through focus groups and other forums. I'm keeping my fingers crossed that I will be allowed to procure the appropriate resources to make this a successful initiative.
This week's journal was written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.