can be moved to, policies on how IT assets can be handled, access to server rooms, elimination of SoD issues, policies about how certain types of information can be handled, policies requiring employees to use company cell phones or other mobile devices, and so on.
Enforcement of these policies should be done at the network layer whenever possible.
Communication
Information doesn't have to travel outside of the company on a mobile device: e-mail, file transfer, conference calls, and other means of communication also present a challenge. When you consider the volume of these communications, preventing every imaginable risk scenario can seem a rather daunting prospect.
The first step is to take a rather surgical approach. For example, data with a high level of sensitivity should receive a higher level of protection when it travels across or outside of the network. In the case of an e-mail, packet scanning would identify whether the message carries a high-value attachment, and the network could block it from traveling to an outside IP address or from being sent at all. E-mails and other correspondence could also be scanned for certain code words, such as those relating to an impending merger or large-scale business initiative.
Pattern recognition technology is another control that could be applied. Essentially, these are IT solutions that look at usage patterns and can determine when usage exceeds, or contrasts in some way with, a defined pattern, such as "Why are we sending more encrypted e-mails to one address or set of addresses than is normal?" or "Why is someone browsing around our databases that carry customer information?" Once such activity is identified, the user can be logged out and/or an e-mail sent to an appropriate person to determine what is going on and, if necessary, initiate a response.
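The two controls above (surgical scanning of outbound e-mail and a pattern-based check on encrypted mail volume) as an added, runnable illustration; this is example code written for this page, not a product the book describes. The company domain, classification labels, code word, and the mail events are all assumed or constructed.

```python
from collections import Counter
from statistics import mean, pstdev

INTERNAL_DOMAIN = "example.com"                    # assumed company domain
SENSITIVE_LABELS = {"confidential", "restricted"}  # assumed classification labels
CODE_WORDS = {"project-acorn"}                     # hypothetical merger code name


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def check_email(event):
    """Per-message rules from the text: block a high-value attachment that is
    leaving the network, and alert on a code word in the body. Returns findings."""
    findings = []
    external = any(is_external(r) for r in event["to"])
    if external and event.get("attachment_label") in SENSITIVE_LABELS:
        findings.append("block: sensitive attachment to external recipient")
    if set(event["body"].lower().split()) & CODE_WORDS:
        findings.append("alert: code word present in correspondence")
    return findings


def encrypted_mail_anomalies(events, baseline, sigma=3.0):
    """Pattern-recognition rule: flag recipients who received more encrypted
    mail today than their historical daily baseline (mean + sigma * stdev).
    `baseline` maps recipient -> list of past daily counts."""
    today = Counter(r for e in events if e["encrypted"] for r in e["to"])
    flagged = {}
    for recipient, count in today.items():
        history = baseline.get(recipient, [0])
        # floor the deviation at 1.0 so a flat history does not give a zero band
        limit = mean(history) + sigma * max(pstdev(history), 1.0)
        if count > limit:
            flagged[recipient] = count
    return flagged


# Constructed sample events for today (not real traffic)
EVENTS = [
    {"to": ["partner@other.net"], "attachment_label": "confidential",
     "body": "Q3 numbers attached", "encrypted": False},
    {"to": ["cfo@example.com"], "attachment_label": None,
     "body": "status of project-acorn", "encrypted": True},
] + [{"to": ["broker@other.net"], "attachment_label": None,
      "body": "see attached", "encrypted": True} for _ in range(12)]
BASELINE = {"broker@other.net": [1, 2, 1, 0, 2], "cfo@example.com": [3, 4, 2, 3]}

if __name__ == "__main__":
    for e in EVENTS[:2]:
        print(check_email(e))
    print(encrypted_mail_anomalies(EVENTS, BASELINE))  # broker far above baseline
```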
When considering communications such as conference calls and video conferencing, all of which enable a higher level of collaboration, it is important to ensure these interactions are secure, but also that they happen efficiently so they can facilitate collaboration. Manual controls such as policies establishing how these conversations are to occur — use of secure call conferencing and passwords — could be employed. There is also the idea of application-to-application security, which could prevent connections to nonapproved conferencing technology.
In short, policies and the network should be able to identify what is coming in and going out, and to ensure that when sensitive data travels, it carries the appropriate credentials to do so.
280 Part IV: Managing the Flow of Information