How To

How to Secure Sensitive Information in Transit

CEO of R.J. Heffernan Associates, Richard J. Heffernan, answers readers' questions about securing information in motion.

September 01, 2003CSOQ: What is involved in transporting intellectual property (IP) from one corporate site to another? A: The security practices required in each situation are dictated in part by the business you are in and the risks you face. Planning for the security of information, especially at offsite meetings and conferences, starts with understanding the value and sensitivity of the information. Perform a risk assessment of each situation that involves oral, written and electronic information. That risk assessment will help ensure that risk identification, evaluation and mitigation activities, including the selection of reasonable and prudent security controls, are integrated into the business process. ISO 17799 is the basis for many security controls and may be used as the core program, but you must assign responsibility to monitor potential changes in contractual obligations, regulations and laws such as the Sarbanes-Oxley Act. Q: When transporting IP, do people generally take the proper precautions? A: Most people take proper precautions only if they are required to or if compliance is audited. The most common mistake is not involving experienced security personnel in the initial planning of the offsite meeting, conference or corporate move. Early involvement allows a security practitioner, who is experienced in performing risk assessments, to educate and advise planners as to issues that may put sensitive information at risk. A CSO can then advise alternative ways to avoid or mitigate the potential of exposing sensitive information to loss. Another common mistake or oversight is to not adequately educate all contractors, subcontractors, vendors and suppliers so that their actions do not put information at risk of exposure to unauthorized individuals or a potential loss of trade secret status because of claims of inadequate security.Q: In certain cases, is it better to follow the adage "security by obscurity"? Meaning, if you don't call attention to it, you get lost in the noise. A: It is almost always advisable to maintain a low profile for both personnel and sensitive information. One way is to ensure that your outsourced printer does not attach a sample copy of sensitive printed material to the outside of the boxes shipped to your event. Many organizations forgo being listed on the electronic and printed event listings of the hotels hosting conventions. Since IP now constitutes a large majority of the value of most corporations, you would have a hard time justifying a policy to external auditors that relies on hiding

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

IS/IT Project Mgt. Credentials From Villanova - 100% Online

Learn how the new Quad-Core AMD Opteron™ processor improves performance

Data Protection: Challenges for the Traveling User

Key strategies for C-level executives and security staff

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

Solving Online Credit Fraud Using Device Reputation

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Configuration Assessment: Choosing the Right Solution

Revolutionizing Endpoint Security with a Single Agent

Envision Identity-Based Access Control for the Datacenter

Rolling the dice with your security? Take the Self-Assessment Test now

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

The Case for Business Software Assurance ~ Securing Your Applications

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage