Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
One of my graduate students wrote to me recently about the rash of data losses on unencrypted laptop computers and backup media and asked how I would promulgate policy to cope with the problem. Here’s how I would approach the organizational behavior change needed to ensure that sensitive data on all storage media in the organization is protected.
(a) Establish and implement a company-wide policy forcing encryption of all sensitive folders on company computers, servers and removable media. The policy can use whole-disk encryption (e.g., Encryption Anywhere Hard Disk from GuardianEdge or PGP Corp.'s PGP Whole Disk Encryption products) or it can focus on partition- or folder-specific encryption. Regardless of which technique or product is used, the organization must plan for key escrow to permit data recovery if an employee forgets a key, quits in anger or is fired. Appropriate products include centralized key management and key-recovery features. Policies must take into account the likelihood that keys and even the encryption software will change over time; therefore, archive managers must manage backups so that data can be recovered and rewritten under the new encryption procedures as they change.
(b) In your IT or IT-security newsletters, publicize the news about the losses of control over unencrypted data on laptop computers, isolated hard drives and tapes. Some employees who do not understand or believe that encryption is important will resist change and may even obstruct progress towards the new procedures. Setting the stage for policy development and implementation helps to smooth the way for change.
(c) Provide extensive awareness, training and education over the next few months for all staff on how and why to follow the encryption procedures for their disks and removable media; be sure to have the employees work on scenarios of what might happen to THEIR group if confidential data were released through loss or theft. Have the technical support staff test the product thoroughly and work through the problems users are likely to hit. You can save a lot of time by recording narrated PowerPoint files that walk users step by step through what to do with the products; be sure to include screen shots. I often create animations using overlays of screen shots so that users can follow the operations click-by-click.
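The key-escrow arrangement that point (a) calls for, as an added example in Python (not code from the column or from any of the products it names): the folder's data key is wrapped once for the user and once for a central escrow key, so a forgotten user key is still recoverable, and changing the escrow key means rewrapping the 32-byte data key rather than rewriting the archived data. All names are assumptions, and the HMAC-based keystream stands in for a real cipher such as AES.

```python
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream: a stand-in for AES, not a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def _seal(key: bytes, data: bytes) -> dict:
    """Encrypt-then-MAC under `key`; the tag makes a wrong key fail cleanly instead of yielding garbage."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, data)
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}

def _open(key: bytes, box: dict) -> bytes:
    tag = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise ValueError("wrong key or corrupted data")
    return _keystream_xor(key, box["nonce"], box["ct"])

def encrypt_folder(plaintext: bytes, user_kek: bytes, escrow_kek: bytes) -> dict:
    """Bulk data goes under a random per-folder DEK; the DEK is wrapped once per recovery path."""
    dek = os.urandom(32)
    return {"data": _seal(dek, plaintext),
            "wraps": {"user": _seal(user_kek, dek), "escrow": _seal(escrow_kek, dek)}}

def recover(container: dict, slot: str, kek: bytes) -> bytes:
    """Unwrap the DEK through the chosen slot ('user' or 'escrow'), then decrypt the data."""
    return _open(_open(kek, container["wraps"][slot]), container["data"])

def can_recover(container: dict, slot: str, kek: bytes) -> bool:
    try:
        recover(container, slot, kek)
        return True
    except ValueError:
        return False

def rotate_escrow_key(container: dict, old_kek: bytes, new_kek: bytes) -> dict:
    """Key change: rewrap only the DEK, so existing backups of the bulk data stay valid."""
    dek = _open(old_kek, container["wraps"]["escrow"])
    container["wraps"]["escrow"] = _seal(new_kek, dek)
    return container
```

If the data key itself must change, the bulk data has to be decrypted and re-encrypted, which is the backup-rewriting case the column warns archive managers to plan for.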
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.