Even with successful access controls and hacker-proof network security, it is still far too easy to inappropriately e-mail sensitive data, print financial documents or copy private information onto a portable USB drive. Here’s how to get started with a program that will protect your sensitive data:
1. Take an enterprise approach to encryption. End-user training is essential, but don’t depend on users to secure data. Many users view security as the IT department’s responsibility. They put the college’s needs first and expect the IT department to ensure that information security is transparent to their need for access — anywhere, anytime. To counter this, use end-to-end and stored-data encryption.
2. Encrypt all endpoints. Account for every notebook computer and USB drive. Encryption technology allows secure portable storage and ensures that files remain encrypted wherever they are transferred. Convenient two-factor authentication, such as a thumb swipe plus a password, is important to securing access. It is equally important to have an enterprise-grade endpoint solution integrated with the overall security architecture; point solutions that require intensive administration can quickly become too costly to administer.
3. Use device control technology to centrally manage removable storage devices. The central control console should provide device and content-based filtering, while monitoring and appropriately blocking confidential data transfer to any removable storage device.
4. Establish a data loss prevention (DLP) program. Powerful DLP technology uses a central console to protect information assets regardless of how that information is stored, secured or communicated. The DLP program needs to provide comprehensive information protection across three areas to truly secure data throughout the enterprise:
• Data in motion. A network scanning system should be deployed at the network perimeter to inspect incoming and outgoing traffic and to accurately identify information security violations.
• Data at rest. A vital security component deployed in the local network should connect to and inspect the contents of notebooks, desktops, servers and information repositories, identify sensitive data, and apply protection to it.
• Data in use. An agent deployed on the user desktop or notebook must provide information protection (whether the user is on the network or off the network) through any input/output channel that presents an information security risk.
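All three areas rest on the same content inspection step: recognize sensitive data in a payload and map the result to a monitor, alert or block action. The following is an added illustration, not code from the original article or from any DLP product, of that step for two data types: a Social Security Number pattern and a payment card number confirmed with the Luhn check so that order numbers and other digit runs are not flagged. The sample payloads, the patterns and the three-outcome policy are all constructed assumptions for this example; findings carry masked values so that logging them does not itself leak the data.

```python
import re
from dataclasses import dataclass

# Detection patterns (constructed for this example):
# - SSN_RE: a US Social Security Number written as ddd-dd-dddd
# - PAN_RE: a candidate payment card number, 13 to 19 digits, optionally
#   separated by single spaces or dashes; candidates are confirmed with Luhn
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    kind: str      # "ssn" or "pan"
    masked: str    # value with all but the last four digits masked


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_content(text: str) -> list:
    """Content inspection step: return the sensitive items found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group())))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):    # drops order numbers and other digit runs
            findings.append(Finding("pan", mask(digits)))
    return findings


def policy_decision(text: str) -> str:
    """Sample policy (an assumption of this example, not a product rule):
    block a transfer that contains a card number, alert on other findings,
    allow everything else."""
    findings = scan_content(text)
    if any(f.kind == "pan" for f in findings):
        return "block"
    if findings:
        return "alert"
    return "allow"


# Constructed sample payloads a scanner might see on an outbound channel
OUTBOUND_EMAIL = (
    "Hi, the student's SSN is 123-45-6789 and the card on file "
    "is 4111 1111 1111 1111 for the housing deposit."
)
BENIGN_MEMO = "Order 1234 5678 9012 3456 shipped; call 555-0100 with questions."
HR_NOTE = "Employee 987-65-4321 updated their address."

if __name__ == "__main__":
    for label, payload in [("email", OUTBOUND_EMAIL), ("memo", BENIGN_MEMO), ("hr", HR_NOTE)]:
        print(label, policy_decision(payload), scan_content(payload))
```

The same scan_content function serves all three deployment points: a perimeter scanner runs it over message bodies and attachments (data in motion), a repository crawler runs it over files on servers and shares (data at rest), and an endpoint agent runs it over what is about to be printed, pasted or written to removable media (data in use). Only the action taken on the decision differs by channel.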
5. Set expectations, be clear about vulnerabilities and prioritize risks. Although powerful tools exist, none can make all data completely secure. It is important that all stakeholders within the college or university community understand each tool’s capabilities. Agreement is needed on the steps required to prioritize data to be protected and incrementally implement capabilities to monitor, alert, provide content protection and generate compliance reports.