Security Manager's Journal: Getting a handle on the data

Improved data handling should be an easy win for our manager, who is especially excited about IP protection.

By Mathias Thurman, Computerworld |  Software, data management, security

Three months into my new job, I've had a chance to assess the landscape and establish some priorities. No. 1 will be the way we handle data.

Trouble Ticket

At issue: When a security manager takes on a new job, he has to assess the landscape and set priorities.

Action plan: The first big push will involve data handling, because the CFO is behind the initiative -- and because data-handling projects involve the protection of the company's intellectual property, which is always a good idea.

There's a very practical reason for this. Before I arrived, the company had spent a lot of money on a third-party data assessment. The findings were startling, and the CFO expects remediation in short order. I want to capitalize on that.

But at least one aspect of data handling is near and dear to the heart of any security professional: the protection of intellectual property. The other goals of our project to improve data handling -- data classification and data retention -- are of more interest to Legal; by including them, I can get some traction and some valuable collaboration time with that department. Some wins there should serve the juicier IP protection aspect well.

I will recommend to Legal that we come up with two or three data classifications, such as "Confidential and Restricted" or "Confidential and Special Handling." Once Legal and some other key business units agree on the classifications, we can create some policies and processes so that workers can determine the classification of data and mark or protect it accordingly.

As for data retention, I will work closely with our internal counsel and, most likely, a firm with experience in retention law. Various federal and state laws require companies to keep certain documents for specified time periods. We will want to develop a policy and a retention schedule for all the categories of documents that we are required to keep. Next, I will add information on these retention policies to my security awareness training program. And we'll need to ensure that we have a place for storing retained data that can accommodate everything from e-mail messages and attachments to Oracle Financials and PeopleSoft HR documents.

ROI for IP


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question