What policies will prevent employees from leaking sensitive data?

In this SearchSecurity.com Q&A, security management expert Mike Rothman outlines the necessary policies and procedures that corporations should enforce to protect customer information, prevent data leakage and comply with employee privacy rights.

Mike Rothman, Securosis

To what extent should employees be monitored in order to prevent data leakage?

To put it simply, a company should monitor employees enough to make sure they aren't sending private data or intellectual property outside of the organization. Corporations have responsibilities to shareholders and customers to protect private data, which outweighs employee privacy rights. To what degree you "snoop" reflects an organization's culture more than anything else. Legally, if an employee is using the company's computing resources, the organization has the right to inspect everything that he or she is doing.

Unfortunately, in the real world, the issue is more complicated. As Wal-Mart recently discovered after monitoring...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please log in.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

employees to prevent communication with the media, it can be unsettling for employees to find out they are being watched by company officials.

So what do you do? Basically decide organizationally (and this is done by the CEO and general counsel, not the security manager) how detailed the traffic-inspection policy will be and what will happen if data is leaked. These policies must be documented, communicated to employees and enforced.

With the increasing maturity of leak-prevention products, many organizations are inspecting all outbound traffic for sensitive data. As a matter of course, that doesn't mean you should look at employees' personal email (if you allow that kind of thing), but you should scan email to make sure customer lists and other sensitive information stays put. In many cases, the enemy is actually an insider and you need to be able to confirm that.

Again, most importantly, even if you document and communicate the policies, you must enforce the policies equally. That means no one is above the law, not even the CEO. If you selectively administer guidelines, they won't be enforced..

For more information:

Learn how employee profiling can be used as a defense mechanism against insider threats.

Contributor Gary S. Miliefsky answers the questions all corporations should ask before implementing an employee monitoring program.

This was last published in May 2007

deep packet inspection (DPI)

10 of the biggest ransomware attacks of 2021 -- so far

data loss prevention (DLP)

VMware's internal Service-defined Firewall reimagines firewalling

Dig Deeper on Security Awareness Training and Internal Threats-Information

deep packet inspection (DPI)

10 of the biggest ransomware attacks of 2021 -- so far

data loss prevention (DLP)

VMware's internal Service-defined Firewall reimagines firewalling

Related Q&A from Mike Rothman

How to prevent software piracy

What are the roles and responsibilities of a liaison officer?

What's the best career path to get CISSP certified?