Developing an effective data security policy for a mobile workforce

Security continues to be a major concern for IT directors and accounts for a significant share of their IT budget. Today’s ways of working have changed what is required to maintain it.

In the past, businesses focused on protecting their network perimeter. Today concerns centre on protecting business data, which is increasingly going outside the organisation as employees and partners tunnel through network perimeters or even bypass them altogether.

In my view, ‘secure’ data for most organisations means three things. First, can our IT team or, more importantly, our users access our critical business data when they need to, irrespective of their location? Second, is our data protected from unauthorised access or outright theft? Finally, will our data be there if something goes wrong, such as if our computers fail?

Data security requires four key disciplines: identity and authentication management, information lifecycle management, network security and business continuity planning. In order to develop an effective data security policy, organisations need to take a holistic look at their entire infrastructure, from how data is created or acquired to how it is valued, stored, accessed and disposed of. This should encompass data that comes into the organisation from customers, partners and suppliers; data that is created within the organisation, such as presentations and reports; and data that goes out of the organisation, such as invoices and proposals.

The key to an effective data security policy, however, is people. No technology will be effective unless all employees adhere to the organisation’s security procedures. This means defining a clear security policy and obtaining employee buy-in and commitment. The policy should be enforceable, realistic, acceptable to users and should not violate personal privacy laws.

User education is essential. For example, a common control used to protect data is to disable USB mass storage and other removable media on company machines. This usually proves to be an unpopular decision, and if users are given no sanctioned alternative for moving files they will look for ways around it, so user education and awareness training must be an important part of implementing this control.
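As an added example of what that control looks like on a Windows laptop (this is editor-supplied code, not from the article or Fordway), the script below audits and, with -Enforce, applies two layers of the USB storage block: disabling the USBSTOR driver and setting the "Removable Disks: deny access" policy values. It assumes it is run as Administrator on Windows 10/11; the registry paths, the device-class GUID for Removable Disks and the Deny_* value names are the ones used by the Removable Storage Access group policy as I know them, and are stated here as assumptions.

```powershell
# Added example (not from the article): audit and enforce the "no USB mass storage" control on one Windows endpoint.
# Assumptions: run as Administrator; Windows 10/11; USBSTOR Start = 4 (SERVICE_DISABLED) stops the driver loading;
# the policy key and GUID below are the Removable Storage Access policy location for "Removable Disks".
param(
    [switch]$Enforce   # without -Enforce the script only reports the current state
)

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Device-class GUID for "Removable Disks" used by the Removable Storage Access policy (assumed).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageState {
    # Read each value independently so a missing key simply reports as "not set" rather than failing.
    $start     = (Get-ItemProperty -Path $usbstorKey -Name Start      -ErrorAction SilentlyContinue).Start
    $denyRead  = (Get-ItemProperty -Path $policyKey  -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
    $denyWrite = (Get-ItemProperty -Path $policyKey  -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    [pscustomobject]@{
        UsbstorDriverDisabled = ($start -eq 4)
        PolicyDenyRead        = ($denyRead -eq 1)
        PolicyDenyWrite       = ($denyWrite -eq 1)
    }
}

function Set-UsbStorageBlocked {
    # Layer 1: stop the USBSTOR driver from loading at all.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
    # Layer 2: policy-level deny, so the control still holds if someone re-enables the driver.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Deny_Read    -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name Deny_Write   -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name Deny_Execute -Value 1 -Type DWord
}

$before = Get-UsbStorageState
Write-Host "Before:" ($before | Format-List | Out-String)

if ($Enforce) {
    Set-UsbStorageBlocked
    $after = Get-UsbStorageState
    Write-Host "After:" ($after | Format-List | Out-String)

    # Neither layer ejects a device that is already mounted; list any so the data owner can follow up.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR*' } |
        ForEach-Object { Write-Warning "USB disk still present: $($_.FriendlyName) ($($_.InstanceId))" }
}
```

In practice the same settings would be pushed by Group Policy or the MDM rather than by a script on each machine; the script is useful for auditing a pilot group and for confirming that the policy actually landed. Note the two caveats it surfaces: devices already plugged in stay mounted until removed, and the "Removable Disks" policy covers mass-storage class devices only, so phones presenting as MTP or cloud-sync clients still need to be covered by the wider policy the article describes.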

It is vital to obtain board-level commitment. Too often the implementation and management of information security is left to the IT department. Security policy needs board-level commitment and HR support before implementation, executive sponsorship during implementation, user education at all levels to ensure everyone understands what they need to do, and HR-defined penalties for policy violations. These penalties should be equally applicable at all levels of the organisation.

Implementing an effective security policy also means obtaining commitment from the various data owners within the organisation, who should be responsible for managing and keeping their data safe once the security solutions have been implemented. They can use data loss prevention (DLP) tools, for example, to enforce policy and reporting requirements appropriate to their needs. Typically the security problems we see occur where users are allowed to store data on their own machines. Data owners should also be given responsibility for ensuring that data is consolidated in a central network location, as DLP works best when data is organised and structured and the tool can see it.

To develop a comprehensive data security strategy we recommend a four step process:

  • Work out and define what level of security controls your organisation requires. You will almost certainly need a policy and some controls. You need to ensure that these controls and enforcement are commensurate with the value of the data being protected and the level of risk.
  • Assess the organisation’s data management strategy. Through assessment and gap analysis of current storage infrastructure, data management tools, processes and service delivery objectives, a long term data management strategy can be rationalised with other strategic data centre initiatives.
  • Review IT governance. Examine IT management processes, regulatory culture and best practice in terms of data value and security.
  • Develop a business continuity and disaster recovery strategy. Review the existing business continuity and disaster recovery strategies and update them as appropriate to ensure that true data protection and security are maintained.

Richard Blanford, managing director, Fordway

Image source: Shutterstock/Den Rise