Unfortunately, in the real world, the issue is more complicated. As Wal-Mart recently discovered after monitoring...
employees to prevent communication with the media, it can be unsettling for employees to find out they are being watched by company officials.
So what do you do? Basically decide organizationally (and this is done by the CEO and general counsel, not the security manager) how detailed the traffic-inspection policy will be and what will happen if data is leaked. These policies must be documented, communicated to employees and enforced.
With the increasing maturity of leak-prevention products, many organizations are inspecting all outbound traffic for sensitive data. As a matter of course, that doesn't mean you should look at employees' personal email (if you allow that kind of thing), but you should scan email to make sure customer lists and other sensitive information stays put. In many cases, the enemy is actually an insider and you need to be able to confirm that.
Again, most importantly, even if you document and communicate the policies, you must enforce the policies equally. That means no one is above the law, not even the CEO. If you selectively administer guidelines, they won't be enforced..
For more information:
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.