single platform approach rather than trying to react to each technology threat and/or risk scenario is a very important message.

If you think of the possible risks in terms of IT assets (such as laptop computers, cell phones, BlackBerries, and the like) and sending data from one point to another electronically, these risks have an important factor in common. The common point of data departure is the network: a hacker breaks into the network to gain access, a device is connected to the network to access and download data, or information is sent via the network. Therefore, rather than attempt to come up with a multitude of countermeasures, protections can be placed at the network level.

To begin, most companies carry volumes of data ranging from high to low sensitivity. Therefore, considering the amount of data, it’s helpful to establish policies and procedures that delineate the level of importance of certain types of information. For example, customer credit card or social security numbers should hold a much higher priority than other types of information. High-value information should receive an elevated degree of protection, such as encryption, strict password protection, and other controls.

Other ways data can walk away

Go into a store and at the checkout line, among the flashlights and gum, you’ll see a jump drive. This tiny device connects via a USB port and allows data to be moved between computers. It also allows product specifications, intellectual property, and customer information to leave the building without necessarily passing through the network. This particular type of threat indicates that certain data must receive special protection, or classification. Such data should not be allowed to walk out of the building via a jump drive or another device, such as an iPod. Protecting the data itself, not just the network, is therefore another important issue.

Ultimately, employees must be trained to handle data properly depending on their role and privileges. You must determine who handles sensitive data and ensure that they are aware of the policies surrounding it, have a legitimate reason for being given access to it, and do not have conflicting roles (see Chapter 6) that could compromise their ability to be objective with regard to handling the data. For this last issue, access control is the appropriate tool. As an example, access control could be used to ensure that an IT administrator with access to credit card numbers is unable to correlate those numbers with customer names and other information.
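The paragraph above combines two ideas: classifying fields by sensitivity, and using access control so that no single role can correlate high-value fields (card numbers) with identifying fields (customer names). The following Python script is an added illustration, not code from the book; the classification table, role grants, conflict pairs, and the sample customer record are all constructed for the example. It shows field-level authorization with a separation-of-duties check, masking of high-sensitivity values, and an audit record of every read.

```python
"""Field-level access control driven by data classification (added example).

Hypothetical policy: every field carries a sensitivity level, each role is
granted a set of fields, and a separation-of-duties rule rejects any single
request that would return a conflicting combination of fields, even when
each field on its own is granted to that role.
"""
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed classification table: field name -> sensitivity level.
FIELD_CLASSIFICATION = {
    "customer_name": Sensitivity.MEDIUM,
    "email": Sensitivity.MEDIUM,
    "card_number": Sensitivity.HIGH,
    "ssn": Sensitivity.HIGH,
    "order_total": Sensitivity.LOW,
}

# Constructed role grants: the fields each role is allowed to read.
ROLE_GRANTS = {
    "support": {"customer_name", "email", "order_total"},
    "payments_admin": {"card_number", "order_total"},
    "fraud_analyst": {"customer_name", "card_number", "order_total"},
}

# Separation-of-duties rule: these pairs may never appear in one response,
# so a reader of card numbers cannot correlate them with a customer identity.
CONFLICTS = [
    frozenset({"card_number", "customer_name"}),
    frozenset({"ssn", "customer_name"}),
]

# Constructed sample data; values are obviously fake.
RECORDS = {
    1: {
        "customer_name": "Ada Example",
        "email": "ada@example.invalid",
        "card_number": "4111111111111111",
        "ssn": "000-00-0000",
        "order_total": 42.5,
    }
}


class AccessDenied(Exception):
    """Raised when a request violates the grant or conflict policy."""


def authorize(role, requested_fields):
    """Return the set of fields `role` may read, or raise AccessDenied."""
    requested = set(requested_fields)
    unknown = requested - FIELD_CLASSIFICATION.keys()
    if unknown:
        raise AccessDenied(f"unclassified field(s) requested: {sorted(unknown)}")
    not_granted = requested - ROLE_GRANTS.get(role, set())
    if not_granted:
        raise AccessDenied(f"role {role!r} not granted: {sorted(not_granted)}")
    for pair in CONFLICTS:
        if pair <= requested:
            raise AccessDenied(f"conflicting combination for {role!r}: {sorted(pair)}")
    return requested


def mask(value):
    """Keep only the last four characters of a high-sensitivity value."""
    return "*" * (len(value) - 4) + value[-4:]


def fetch(role, record_id, requested_fields, audit_log):
    """Return the authorized fields of one record, masking HIGH values.

    Every successful read is appended to `audit_log` so that access to
    sensitive fields can be reviewed later.
    """
    fields = authorize(role, requested_fields)
    record = RECORDS[record_id]
    result = {}
    for name in fields:
        value = record[name]
        if FIELD_CLASSIFICATION[name] is Sensitivity.HIGH:
            value = mask(value)
        result[name] = value
    audit_log.append({"role": role, "record": record_id, "fields": sorted(fields)})
    return result


if __name__ == "__main__":
    log = []
    print(fetch("payments_admin", 1, ["card_number", "order_total"], log))
    try:
        fetch("fraud_analyst", 1, ["card_number", "customer_name"], log)
    except AccessDenied as exc:
        print("denied:", exc)
    print(log)
```

The point of the conflict check is that `fraud_analyst` is individually granted both `card_number` and `customer_name`, yet a single request for both is refused; the role can work with either field, but cannot join them into a correlated view. Masking the high-sensitivity values by default and logging each read are the two other controls the text calls for: an elevated degree of protection for high-value data, and a record of who handled it.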

In all, the intent is to add an extra layer of protection and risk prevention in order to prevent problems or quickly resolve them if they occur.

278 Part IV: Managing the Flow of Information