About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years' experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, and in enterprises ranging in size from $50M to $20B in revenue. Scott's experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure, and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership, and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is an expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP, and COBIT.

Monday, June 14, 2010

Data Leak Prevention - Worth The Hassle?

Do you feel data leak prevention and monitoring is worth the hassle? What about web based mail and social sites being allowed access from your work place? Appropriate?

2 comments:

  1. Bob - great questions. I do believe data leak prevention AND monitoring should be part of any enterprise security framework. You can set up barriers to prevent corporate sensitive data from leaving your enterprise, and some employees will find a way around the barriers. You also need the forensic component of this, to find, determine, evaluate, and take action. In addition, you need staff trained in forensics, evidence collection, chain of custody, and other key components. If you are serious about a complete security program - DLP is a key component of that.

    There are many components that make up a successful DLP program, such as data classification, records retention, and access controls. You also need the management support to take action when violations are identified and documented.

    As far as web based email at the work place, I assume you are referencing personal email. I think it is ok to allow personal email access from work for family communications to continue, and not use corporate email for those communications. I do however feel there need to be safeguards in place to prevent viruses and DLP violations.

    Social networks - this really comes down to a business decision. There is no real technical debate on this one, it is a simple access control action. The debate is - what value does it bring to the company, customer, and employee? Right now, my opinion is very little. Social networking sites don't bring in sales, value, or revenue driving actions. If you weigh the security risks, where does this stack up?

  2. I would also mention that a Data/Document Label Policy is important. All documents, diagrams, or sensitive information need to be labeled as such. Internal Document, or Company Confidential - you need to label if you want to hold employees accountable. Some organizations hand out rubber stamps for this. Very important if you share information with a vendor or third party.

    I know some organizations that use their data classification identifiers as their labels. Just make sure it is clear, and understandable. Establish your policy, communicate it, and enforce it.

    Good discussion!
