Steal This Data

Every company, no matter how big or small, should have a data classification scheme that defines the level of protection required for all company documents, customer, and partner information.  This classification scheme is a fundamental component to information security and should cover both digital and non-digital data assets, such as contracts, invoices, copies of checks, incoming faxes, etc. In a hardware store, for example, a data classification scheme would identify the sensitivity of every piece of data in the store, from customer account information to supplier delivery receipts.

Most businesses adopt a data classification scheme that categorizes information along the following four dimensions:

• Company confidential
• Private
• Sensitive
• Public

A simple scheme like this facilitates improved data security because it clearly identifies and communicates the levels of confidentiality required for all data and the people who should have access to it. For example, a presentation or patent application that is labeled “Company Confidential” is clearly not meant to be distributed outside of a company.

Good data classification schemes should also include a time element that lets data change it’s classification after a specified interval and an owner, who is responsible for maintaining and protecting a specified data type or source.

Neglecting to implement adequate security controls for sensitive information can lead to increased corporate liability and regulatory censure. Without a data classification scheme, a company may treat all information the same, greatly increasing the chance of accidental disclosure or security breaches.

Writing a data classification scheme is not that difficult and I’ve supplied a sample template below that can help you jump start the process. Getting it implemented however, may require a substantial degree of organizational change, so it is best to get the buy-in of senior management before you start that process.

A Data Classification Policy Template

Does your company have a well defined set of procedures are followed for all employees who resign or who have been terminated?

If not, I highly recommend that you write a standard employee termination policy and make sure that your human resources and information technology groups implement it whenever an employee is terminated or leaves your company. This is particularly important if the employee has access to sensitive financial information, customer information, confidential intellectual property or information technology systems, but should be uniformly implemented regardless of the employee’s role.

During the termination process, IT’s focus should be on protecting the data assets of your company from disclosure or inappropriate use and on making sure that the departing employee does not destroy any information required for business continuity including sales leads, customer information and trade secrets.

When you create your employee termination policy, it should include a check list of all the physical, network, computer, and data access privileges that an employee could possibly have. That can be quite a long list, but it’s essential that you document as much of it as possible because it is unlikely that your IT group will have this information centralized and up to date. A certain amount of discovery will be required before or during the termination process and a checklist will ensure that you’ve examined and revoked the employee’s access to all major systems of concern.

In the case of a terminated employee, IT should immediately revoke all computer, network, application and data access the former employee has. Remote access should also be disabled and the former employee should return all company-owned property, including notebook computers and intellectual property like corporate files containing customer, sales, financial or operational information. A careful log should be kept of each of these actions for legal or forensic purposes, including the time/date that they occurred and the name of IT or HR staff member who performed the action.

To get you started, I’ve provided a checklist of the systems and privileges that your IT and HR group should review and revoke upon employee termination.

1. Access to company computers including desktops, laptops and servers.
2. Access to the company’s physical and wireless networks.
3. Access to the VPN gateway.
4. Access to all company email accounts. This may include a personal account as well as one or more group accounts that the individual has access to. If the employee has access to email accounts with shared passwords, the shared password should be changed.
5. Terminate all email or message forwarding to personal devices such as mobile phones.
6. Access to all internal server-based systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
7. Access to all externally hosted applications used by the company including online sales force management, CRM, billing, financial, email marketing, team collaboration and web hosting systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
8. All remote servers that can be accessed outside of the company network, say over the internet. If these are accessed by multiple people using a shared password, the shared password should be changed.
9. Access to voicemail.
10. Access to all company conferencing services.
11. Access to the company credit card. If there is only one company credit card and it’s widely known, you may be SOL. I’d recommend you change the card number and centralize all purchasing to keep this information more secure.
12. Remove the employee’s name from the list of approved contacts maintained by all of your external service or software providers.
13. Access to physical premises, either using a key or remote access card. This may include access to multiple sites.
14. Access to any 3rd party locations where the company has equipment, including remote data centers.
15. Access to remote backups hosted by 3rd party services. This may require some forensic work in old expense reports to determine if the employee was backing up their desktop of laptop using an off site service.

Once access to the information has been revoked, your IT and HR groups should work with the employee’s manager and other departments to determine who will take over the terminated employee’s responsibilities and what information they should have access to. For example, if a sales rep is let go, a sales manager should review the rep’s pipleline and reassign leads or in progress deals to another employee. IT may need to be involved in this process if it requires moving data from one account to another or destroying electronic information if it is deemed worthless and should be disposed of.