Time To Review Your Corporate Data Policy?

Many organizations continue outdated practices that don’t account for the rapidly changing world of data governance. Outdated agreements and poorly devised classification policies are signs that it’s time for an overhaul, especially given emerging technologies such as mobile assets and the cloud.

Use of personal assets

The cost of owning, leasing and supporting computer assets can be significant, but allowing the use of personal assets presents a risk to the company. When users are allowed to copy data to their own devices and cloud space, they often allow unsecured data to reside in a location managed by someone who has not been authorized. For instance, if you store unencrypted work documents on your home PC and hand that PC over to a computer repair shop, you may have just given someone unauthorized access to sensitive data. As with other security concerns, there are many solutions available. Classification is a good first step to securing data, and Boldon James Classifier can also be installed on personal devices (BYOD), since its functionality doesn’t rely on connectivity to the corporate domain.

Data ownership can be tricky, even on company assets

Establishing data ownership is a key element of classification and security, especially if you want to protect the data with a Non-Disclosure Agreement (NDA). Ownership of the device on which the data resides is an important factor in deciding data ownership, but so is the context in which the data is accessed. Leventhal v. Knapek (2001) is often cited to suggest that personal data belongs to the user, even if it’s accessed on a company asset. This demonstrates the importance of establishing a personal electronic device policy and a general policy that users have no expectation of privacy on company assets.

Using the cloud to keep classifications in sync comes with a price

Before joining the mass migration to subscription-based, third-party hosted solutions, beware of policy conflicts regarding confidentiality. To quote Microsoft on the subject:

Source: https://www.microsoft.com/online/legal/v2/en-us/mos_PTC_data_use_limits.htm


It’s recommended that the cloud service provider and the customer enter into a mutual NDA. In some cases, such as with controlled information, a mutual NDA is required for all parties that hold the data, and there may be additional requirements. For instance, to meet ITAR requirements, data stored in the cloud should be protected with strong encryption, but even that may not be sufficient, since cloud-based services often exist outside of the United States.

Clarifying the corporate data policy in the NDA

When strict controls are required, the associated NDA must be updated, written clearly, and must provide a remedy for any given breach of contract. The outcome of a data loss case could hinge on ambiguous or contradictory rules in the agreement. The rules for disclosure of confidential data are directly related to the classification of that data. Therefore, the NDA is a good place to set out the application and maintenance of classification markings, including a ban on practices that disable the classification software or violate classification policy, and the consequences of such actions.

Data policy affects company culture

For classification and data protection solutions to be effective in changing corporate security culture, organizations need to address any potential issues or hurdles that may affect their users before rolling a solution out across the organization. Classification technology can help streamline processes, and organizations usually find that users are much more open to being actively involved in security than expected. User engagement builds trust and an understanding that classification is there to help and protect users. Their feedback can help verify how the classification process and solution are being perceived and whether they are affecting productivity. For example, digital rights management is very good at protecting the most sensitive data, but over-reliance on it can result in annoyances and loss of productivity. Empowering the user is more effective than controlling the user.

In conclusion, organizations need to overhaul their corporate data policies sooner rather than later and embrace classification and other technologies that help streamline processes if they are to make gains in data protection and security culture. Contact Boldon James today to find out how we can help your organization.


Boldon James Ltd, Cody Technology Park, Ively Road, Farnborough, Hampshire GU14 0LX, United Kingdom