They say that oral contracts are not worth the paper they're written on (ha-ha). Well, you might say the same about data protection policies. The Sandwell Council was found in breach of the UK Data Protection Laws due to the loss of a USB memory stick this February. As the situation implies, data encryption software like AlertBoot was not used to secure the contents of that USB stick.
The breach occurred when an employee copied sensitive data to a memory stick so that they could continue working at home. That plan never came to pass, because... the flash drive was lost en route.
Encryption software was not used on the device, as already detailed above. Sensitive information was saved to the device--for four families, which sounds like a small number when compared to some of the larger cases, but, regardless, cannot be excused.
The Councilor apologized to the families for the breach, and declared that "the practice is not within the rules." They never are, councilor.
Most people tend to play by the rules. But you'll always find someone who doesn't quite feel the need to do so. It's because of such people that computer data policies are seen as useless: most follow them; a bunch don't; a data breach results because of those who don't; and everyone is left wondering "what's the use?" and feeling it was a waste of time.
Such policies aren't useless. It's because people follow these policies that breaches happen less frequently than they otherwise would. Remember, data security is about minimizing the odds of a data breach occurring. Having a breach every 5 years is preferable to having one every six months, which in turn is preferable to having one every other week. Not having people follow a well-thought-out data policy is a sure prescription for the "every other week" scenario.
While some executives may feel that it's going overboard, sometimes there is a real need to be a little proactive with data security. For example, Sandwell wouldn't have had a breach in the first place had it used port control software to manage which devices were authorized to connect to its computers.
Take for example the USB port control policies found in AlertBoot's encryption suite. Via the use of whitelists or blacklists, one can control which devices are allowed to exchange information with a computer. What this means is that an employee's personal USB disk wouldn't work because it's not authorized. On the other hand, a USB disk that was authorized (because it was encrypted) would be able to connect, allowing data from the computer to be copied and saved.
Another handy feature: external storage devices are automatically encrypted, including USB disks, when connected to a computer. In AlertBoot, however, such a disk is usable with authorized computer groups only.
In simpler terms, a USB disk automatically encrypted via this method would not work once employees pop it into their home computers. However, if they were to go back to their office and connect it to their work computer, their saved data would show up. (It would also work if they used a computer that was part of a larger group of computers. For example, if they work in Human Resources, it would work with HR's computers but not with the Accounting Department's computers.)
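To make the decision flow above concrete, here is a small constructed model of such a port-control policy (example code written for this post, not AlertBoot's own software): device admission by whitelist or blacklist, automatic encryption on first use, and binding of the encrypted disk to a computer group. The device serials and group names are made up.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Device:
    serial: str
    encrypted: bool = False
    bound_group: Optional[str] = None  # computer group allowed to unlock the disk

@dataclass
class PortPolicy:
    mode: str           # "whitelist": only listed serials; "blacklist": all but listed
    listed: Set[str]    # device serials on the list

def connect(dev: Device, pc_group: Optional[str], policy: PortPolicy) -> str:
    """Simulate plugging `dev` into a computer in `pc_group` (None = unmanaged
    machine such as a home PC) and report the outcome."""
    if pc_group is None:
        # No agent on an unmanaged computer, so nothing blocks the port; an
        # encrypted, group-bound disk still yields only ciphertext there.
        return "unreadable: encrypted, no key" if dev.encrypted else "readable: plaintext"
    # 1. Admission: may this device exchange data with a managed computer at all?
    if policy.mode == "whitelist" and dev.serial not in policy.listed:
        return "blocked: device not on whitelist"
    if policy.mode == "blacklist" and dev.serial in policy.listed:
        return "blocked: device on blacklist"
    # 2. Automatic encryption on first use, binding the disk to this computer's group.
    if not dev.encrypted:
        dev.encrypted, dev.bound_group = True, pc_group
        return f"encrypted and bound to group {pc_group}"
    # 3. Group binding: only computers in the bound group can unlock the disk.
    if dev.bound_group == pc_group:
        return f"readable: unlocked for group {pc_group}"
    return f"unreadable: bound to {dev.bound_group}, not {pc_group}"

def sandwell_scenario() -> list:
    """Walk the post's scenario: whitelist policy, a personal stick, a corporate stick taken home."""
    policy = PortPolicy(mode="whitelist", listed={"CORP-0001"})  # constructed serial
    personal, corp = Device("PERSONAL-XYZ"), Device("CORP-0001")
    return [
        connect(personal, "HR", policy),      # employee's own stick: refused
        connect(corp, "HR", policy),          # first use at work: auto-encrypted, bound to HR
        connect(corp, None, policy),          # taken home: ciphertext only
        connect(corp, "HR", policy),          # back on an HR computer: data shows up
        connect(corp, "Accounting", policy),  # another department: stays locked
    ]
```

The third step is the one that would have changed the Sandwell outcome: the lost stick would have carried only ciphertext.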
Such approaches are not for everyone. Some may choose to use just full disk encryption on the computers and call it a day--not because the extra security is not necessary, but because it actually constricts the workers' workflow or efficiency. But if you find that you need a little extra
Related Articles and Sites:
http://www.expressandstar.com/2009/09/05/rap-over-loss-of-sensitive-data/