
Network World


Tips for implementing encryption on stored data

Tips for implementing encryption policy
Security Strategies Alert By M. E. Kabay, Network World, 07/18/2006

One of my graduate students wrote to me recently about the rash of data losses on unencrypted laptop computers and backup media and asked how I would promulgate policy to cope with the problem. Here’s how I would approach the organizational behavior change needed to ensure that sensitive data on all storage media in the organization is protected.

(a) Establish and implement a company-wide policy forcing encryption of all sensitive folders on company computers, servers and removable media. The policy can use whole-disk encryption (e.g., Encryption Anywhere Hard Disk from GuardianEdge or PGP Corp.'s PGP Whole Disk Encryption products) or it can focus on partition- or folder-specific encryption. Regardless of which technique or product is used, the organization must plan for key escrow to permit data recovery if an employee forgets a key, quits in anger or is fired. Appropriate products include centralized key management and key-recovery features. Policies must take into account the likelihood that keys and even the encryption software will change over time; therefore, archive managers must manage backups so that data can be recovered and rewritten under the new encryption procedures as they change.

(b) In your IT or IT-security newsletters, publicize the news about the losses of control over unencrypted data on laptop computers, isolated hard drives and tapes. Some employees who do not understand or believe that encryption is important will resist change and may even obstruct progress towards the new procedures. Setting the stage for policy development and implementation helps to smooth the way for change.

(c) Provide extensive awareness, training and education over the next few months for all staff on how and why to follow the encryption procedures for their disks and removable media; be sure to have the employees work on scenarios of what might happen to THEIR group if confidential data were released through loss or theft. Have the technical support staff test the product thoroughly and work on problems likely to occur with the product. You can save a lot of time by recording narrated PowerPoint files that can help users with step-by-step illustrations of what to do with the products; be sure to include screen shots. I often create animations using overlays of screen shots so that users can follow the operations click-by-click.
