How do I secure sensitive data?

The first step is knowing where your sensitive data resides. The second is having set policies that categorize data systematically and consistently, and having controls in place to ensure that every category of data is handled appropriately.

For example, if a company has a policy that any dataset containing personally identifying information is considered “sensitive” and must be encrypted both in transit across a network and at rest, and it implements technical controls to enforce that policy, that dataset is likely to be safe.

There is also a user education dimension to this problem: users need to understand the sensitivity of the data they work with and their role in keeping it safe. In many cases this involves educating users about what not to do. For example, access to payroll data is usually restricted to the employees who process the payroll and those who review it, and that access is usually provided through a payroll application with built-in security and access controls. Payroll data and similar datasets should NEVER be downloaded onto an insecure laptop, which undermines all of the required controls. In a very public data breach a few years ago, exactly such a laptop was lost and millions of people found themselves at risk of identity theft.
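The two controls described above, classifying any dataset that contains PII as sensitive, requiring encryption in transit and at rest, and refusing to copy sensitive data to an unmanaged or unencrypted destination such as a laptop, can be expressed as a small policy-as-code check. The following is an added example written for this page, not code from the original author; the `Dataset` class, the `PII_COLUMN_HINTS` and `PII_VALUE_PATTERNS` lists, and the sample payroll and office-location datasets are all constructed for illustration, and a real classification policy would use a fuller PII taxonomy.

```python
import re
from dataclasses import dataclass, replace

# Hints that a column holds personally identifying information. Constructed for
# this example; a real classification policy would maintain a fuller taxonomy.
PII_COLUMN_HINTS = {"ssn", "social_security_number", "date_of_birth", "email", "phone", "salary"}
PII_VALUE_PATTERNS = [
    re.compile(r"^\d{3}-\d{2}-\d{4}$"),           # US SSN layout
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),    # e-mail address
]


@dataclass
class Dataset:
    name: str
    columns: list
    rows: list
    encrypted_at_rest: bool = False  # control state as reported by the storage layer
    tls_in_transit: bool = False     # control state as reported by the transfer channel


def classify(ds):
    """Apply the classification rule: any PII makes the whole dataset 'sensitive'."""
    if any(col.lower() in PII_COLUMN_HINTS for col in ds.columns):
        return "sensitive"
    # Also look at the values, so PII hidden under an innocuous column name is caught.
    for row in ds.rows:
        for value in row.values():
            if isinstance(value, str) and any(p.match(value) for p in PII_VALUE_PATTERNS):
                return "sensitive"
    return "internal"


def policy_violations(ds):
    """Technical control: a sensitive dataset must be encrypted at rest and in transit."""
    findings = []
    if classify(ds) == "sensitive":
        if not ds.encrypted_at_rest:
            findings.append(f"{ds.name}: sensitive data stored without encryption at rest")
        if not ds.tls_in_transit:
            findings.append(f"{ds.name}: sensitive data moved without encryption in transit")
    return findings


def export_allowed(ds, destination_managed, destination_encrypted):
    """Control for the payroll case: sensitive data never leaves managed, encrypted storage."""
    if classify(ds) != "sensitive":
        return True
    return destination_managed and destination_encrypted


# Constructed sample datasets (not real records).
PAYROLL = Dataset(
    name="payroll_2024",
    columns=["employee_id", "ssn", "salary"],
    rows=[{"employee_id": "E100", "ssn": "123-45-6789", "salary": "85000"}],
    encrypted_at_rest=True,
    tls_in_transit=True,
)
OFFICE_LOCATIONS = Dataset(
    name="office_locations",
    columns=["site", "city"],
    rows=[{"site": "HQ", "city": "Denver"}],
)
# The same payroll data as it would look once copied to an unencrypted laptop.
PAYROLL_ON_LAPTOP = replace(
    PAYROLL, name="payroll_2024_laptop_copy", encrypted_at_rest=False, tls_in_transit=False
)

if __name__ == "__main__":
    for ds in (PAYROLL, OFFICE_LOCATIONS, PAYROLL_ON_LAPTOP):
        print(ds.name, classify(ds), policy_violations(ds))
    print("export to unmanaged laptop allowed:", export_allowed(PAYROLL, False, False))
```

Running the block reports the payroll dataset as sensitive with no violations while it stays in encrypted storage, the laptop copy as sensitive with two violations, and the office-location list as internal; the export check is the point at which a data-loss-prevention or transfer tool would refuse the laptop download the text warns about.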

The best way to secure sensitive data is to do the basics well (like blocking and tackling in football): understand what is sensitive in your data, set rules for handling it, implement technical controls to ensure it is actually handled properly, and educate your users about their role in keeping it safe.