Classify your company data into categories. A good set of classifications is:
- Public – data for the eyes of anyone
- Public restricted – data released to the public upon request
- Internal – visible by all staff, possibly intranet content
- Restricted – visible by certain staff and departments only
Do you store ultra-sensitive data? Consider off-lining it, a method used by some organisations, usually within the security industry. Create two networks or two computers: one for general documents, internet and email use, and another network for storage of ultra-sensitive data which has no connection to the outside world. Remove the internet connection so that the only way to get at the data is physically.
Data integrity is vitally important, as it will tell you who created a document and whether or not it has been tampered with, which is especially important for contracts and legal evidence. Use a hash or a digital certificate to ensure integrity.
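As an added example (not from the original article), the integrity check described above, implemented with Python's standard library: a SHA-256 hash detects changes to the document, and a keyed HMAC ties the record to the key holder so the record itself cannot simply be recomputed by whoever altered the file. The HMAC key stands in for the digital certificate the text mentions; the contract text, author name and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: a short "contract" and a demo key.
CONTRACT = b"Supply agreement between Acme Ltd and Example plc. Total: 10,000 GBP."
KEY = b"constructed-demo-key-not-for-real-use"


def integrity_record(document: bytes, key: bytes, author: str) -> dict:
    """Produce a record that travels with the document.

    The sha256 field detects any change to the bytes; the HMAC over the
    stored digest and author name proves the record was made by the key
    holder, so it cannot be silently regenerated after tampering.
    """
    digest = hashlib.sha256(document).hexdigest()
    msg = digest.encode() + b"|" + author.encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"author": author, "sha256": digest, "hmac": tag}


def verify(document: bytes, key: bytes, record: dict) -> tuple[bool, str]:
    """Return (ok, reason). The record is authenticated before the hash
    is compared, so a forged record and a modified file are told apart."""
    msg = record["sha256"].encode() + b"|" + record["author"].encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):  # constant-time
        return False, "record was not produced with this key (forged or altered record)"
    if hashlib.sha256(document).hexdigest() != record["sha256"]:
        return False, "document contents changed since the record was created"
    return True, "document intact and record authentic"


def demo() -> dict:
    """Three scenarios: untouched, file edited, record forged without the key."""
    record = integrity_record(CONTRACT, KEY, "alice")
    tampered = CONTRACT.replace(b"10,000", b"100,000")
    # Someone without KEY alters the file and rebuilds the record themselves.
    forged = integrity_record(tampered, b"attacker-guessed-key", "alice")
    return {
        "original": verify(CONTRACT, KEY, record),
        "tampered_file": verify(tampered, KEY, record),
        "forged_record": verify(tampered, KEY, forged),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} ok={ok} ({reason})")
```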
Encrypt sensitive files
Protect files using encryption. This will make it difficult for other departments to open files and will also offer protection when they are transferred outside of the company by email, USB or disc. Microsoft Office offers basic password protection as standard, but it’s advisable to use a paid-for product if your data is more sensitive.
If you are a business it’s a good idea to store all your data within the UK. The UK Data Protection Act prefers data to be stored within the UK or EU. If you wish to store or transfer data outside the UK or EU, you must ensure suitable security measures are in place to protect it. Note that the majority of email providers are US-based: Hotmail, Yahoo and Google for example.
Do not store on a web server
A good rule is to only store on a website what you want the public to see. Web servers are in the public domain and their data can be 'crawled'. ACS:Law was caught out because private data was held on a web server and was subsequently leaked, generating bad PR.
Keep access to a minimum
Staff and departments should only have access to what they need. Each staff member should be given a private folder, normally My Documents, and each department should get its own folder which is only accessible by departmental staff.
Keep an eye on what access staff have, and if anyone leaves, remove their access. Do not copy group profiles from other staff members, since this will probably give the new user more access than they need.
Steganography can be used to hide highly sensitive data from view. If, for example, you had a Word document that no one else was allowed to see, you could use a steganography programme to hide it within an innocent-looking picture, and no one would think of looking for it there.
Keep it within the company
For security and privacy reasons, data should be stored within the company. As part of your IT policy, staff should not take data home, and this should be enforced. Disable USB ports and optical disc drives and install specialist data leak prevention software.