Information Handling - Data Leak Prevention in the Corporate World

by GOsafeonline | 17 March 2014

Data or information in the workplace can be created in many forms, such as emails, minutes of meetings, images, videos and project files. This data may be printed as paper documents; stored electronically on media such as hard disks, flash drives, memory cards and optical discs; or posted on the Internet, for example to cloud services. If the data is of business value, competitors might want to get hold of it, a disgruntled employee might want to expose it, or an avaricious employee might want to sell it. There may also be careless employees who leak such data unknowingly or accidentally. To prevent such situations from occurring in your organisation, information in the corporate workplace needs to be classified so that appropriate treatment can be applied to safeguard the data.


Data classification, in the context of information security, is the classification of data based on its level of impact to the organisation if disclosed, altered or destroyed without authorisation. To protect the organisation’s crown jewels and enable the employees to recognise them, the need to classify data stored on both physical and electronic media should be included in the corporate policy of an organisation. There are various classifications that an organisation may adopt, depending on the organisation’s needs. Some common classifications are “Secret”, “Confidential”, “Restricted”, “Public”, etc. The classification of data also helps to determine the type of security controls that are appropriate for safeguarding that data.
Go through the 10-question checklist on the next page to determine if your organisation has implemented measures to prevent the leakage of data.


WELL DONE, if your answer to all the questions is “Yes”! You have some security measures in place to prevent data leakage in your organisation. However, the protection measures that you could put in place to prevent data leakage are not limited to those in the checklist. Organisations could also refer to other international guidelines, such as ISO/IEC 27001, for the controls that could be put in place to manage information security.

Some Measures to Prevent Data Leak

Non-disclosure / confidentiality agreement

A non-disclosure / confidentiality agreement serves as a contract between the organisation and the employee that restricts the sharing of classified information, knowledge and materials with third parties.

Classification of Data

Classifying and labelling data ensures that it is given the right protection. Organisations should provide clear guidelines on how employees should handle data at each classification level.

Use official communication channel and storage media

Classified data should only be communicated using official email accounts, not personal email accounts, to reduce unauthorised or accidental disclosure of information. Ensure that classified data is only stored on and transferred through official storage media, with regular audits to confirm that these media are accounted for.

Encrypt the data

Protect classified data stored on electronic storage media (such as hard disks, flash storage and optical discs) by encrypting it with strong encryption algorithms (e.g. AES-256 or Twofish with 256-bit keys). This prevents others from reading the content of the media, or decrypting it easily, even if the media is lost, provided the encryption key is not stored alongside the media.
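The following Go program is an added example, not code from the original article, that illustrates the point above: a document marked "Confidential" is encrypted with AES-256 in GCM mode before being written to removable media. Whoever holds the key recovers the document; whoever only finds the media (and therefore has the blob but not the key) gets an error rather than the content, and any tampering with the blob is also detected. The key, the sample document text and the helper names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes, i.e. AES-256 as recommended in the article.
const KeySize = 32

// GenerateKey returns a fresh random AES-256 key. In a real deployment the key
// lives in a key store or is derived from a passphrase, never on the same
// media as the ciphertext (constructed example, not an article recommendation).
func GenerateKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The output is nonce || ciphertext || tag,
// so a single blob can be written to the storage medium.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per encryption; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and the authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob produced by Encrypt. It fails closed: a wrong key or
// any modification of the blob yields an error rather than garbled plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample: a "Confidential" document that would sit on a thumb drive.
	doc := []byte("CONFIDENTIAL: Q3 supplier shortlist (constructed sample)")
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("written to media: %d bytes, none of them readable plaintext\n", len(blob))

	// The key holder recovers the document.
	back, err := Decrypt(key, blob)
	fmt.Printf("with key: %q err=%v\n", back, err)

	// Whoever finds the lost drive has the blob but not the key.
	wrong, _ := GenerateKey()
	_, err = Decrypt(wrong, blob)
	fmt.Printf("without key: err=%v\n", err)
}
```

GCM is used rather than a bare block mode because it authenticates the data as well as encrypting it, so a blob that has been altered on the media is rejected instead of being decrypted into silently corrupted content. The nonce is stored in front of the ciphertext because it is not secret; only the key is.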

Proper Disposal of Used Media

When the media (e.g. a hard disk) on which classified data was stored is no longer needed, exercise caution in its disposal. Improper disposal could result in the classified data being recovered and misused. Paper documents should be shredded. Optical storage media (e.g. CDs/DVDs) should be physically destroyed (i.e. the optical layer of the disc destroyed). For electronic storage media (e.g. hard disks, thumb drives), perform secure erasure (i.e. repeatedly overwriting the storage space with 1s or 0s), degaussing (i.e. eliminating the magnetic field; applicable to hard disks only), or physically crush the medium to bits.

Interesting Reads