Trusttone

What information should be protected?

A categorization of organizational information based on the movement of the information is as follows.

1. Information at rest

   Information at rest is the information that is stored within the organization’s IT perimeter. Files and documents on the servers and employee desktops and laptops are examples of information at rest.

2. Information in transit

   Information in transit is the information that is exchanged with the organization’s partners or customers. Emails, attachments and Instant Messages are examples of information in transit.

Another way to analyze information is to list the type of contents the organization (and law) would consider private to the organization or private to customers. Information private to customers must be protected for compliance reasons. Information private to the organization should be protected for business reasons and for enablement of cost saving through electronic workflows.

Content to consider

Any information that can be considered customer’s financial or identity information should be considered for protection. Content such as Social Security Number, employee number, name and address, bank account information, brokerage account information, tax related documents are all candidates for privacy protection. Health-related content such as PHI, diagnosis, lab reports, prescriptions along with a patient’s identity information should be considered for protection.

Organization’s intellectual property such as technological innovations, business plans, pricing information, and competitive strategies should be also protected to prevent future losses to the organization.

How should information be protected?

Information at rest, especially within the organizations IT infrastructure is typically protected by a defensive perimeter using firewalls and access control technologies. Most organizations have security measure at this level.

Information in transit should be protected using strong encryption to prevent unauthorized access en route. Most organizations typically fail to protect information in transit. Email and Instant Messages are typically sent without any protection and are open to access by anyone outside the organization. In most cases, data encryption is the appropriate solution to protect the information in transit. Mature, inexpensive solutions are available for encrypting emails, instant messages and Voice-over-IP sessions.

In case of very high value information where post-distribution control over information is required, digital rights management solutions should be considered as well.

To exploit the significant benefits offered by these collaboration tools – lower cost, faster turn-around and convenience – without fear of information leakage, organizations should seriously consider encryption of data in transit.