Workplace Information Protection
Businesses, small and large, have to deal with workplace information protection and privacy to some extent. The degree to which these businesses and their management protect their confidential information, including employee and client personal information, depends largely on a) their self-interest, b) the regulated environment in which they operate and with which they must comply, and c) their desire for good business practice.
Self Interest
Many businesses have trade secrets which, if stolen, can put them at a competitive disadvantage and either end their business life or, if they’re lucky, just wipe out their expansion and growth aspirations. Therefore, they must protect that confidential business information at any price or they’ll disappear in no time. Businesses spy on each other all the time for valuable trade secrets to help them gain a competitive advantage, whether it’s the launch of a new product or service or the improvement of existing processes to increase efficiency, productivity and client base. Each business must determine what information is important to it and place security controls around that information to secure its business viability and future growth. This is what I mean by “self interest”: protecting something that’s important. Other areas of self interest are financial fraud and, to a lesser degree, management attachment to the information protection field, as certain key management members may be more security conscious than others, possibly due to their past professions and experiences, and therefore place importance on workplace information protection.
Regulations
Some businesses, depending on the nature of their business and the industries in which they operate, such as financial institutions and healthcare companies, have been scrutinized for many years and continue to be heavily regulated by the government. Businesses spend a lot of money just to keep up and comply with such regulations. Although we can always debate the usefulness of these laws and whether they’re worth the cost companies have to pay in order to comply, there is no doubt that, following many of the business scandals and the loss of public confidence, the government had to do something to prevent another corporate financial disaster that wipes out people’s retirement accounts, or another personal data leak that leads to mass identity theft and identity fraud. In my opinion, these laws, to some extent, help improve corporate security controls by raising awareness, visibility, authority and oversight, and ensure confidentiality, integrity and availability of personal and financial data, but we need a national law, similar to the European Data Protection Directive, to address corporate security issues in a consistent manner. There are too many laws floating around, at the federal and state level, overlapping each other, which if consolidated could address most of the risks in a consistent manner. But right now, the laws are too scattered, and may or may not apply to certain industries or even address all workplace information protection risks. Below are a few of the laws that companies have to comply with:
The Gramm-Leach-Bliley Act or GLBA was created to modernize the financial institutions' privacy law. In general, GLBA relates to a "best practices" protection for an individual's banking statements, social security number, credit card numbers, tax information or other personally identifiable information (PII).
The Health Insurance Portability and Accountability Act or HIPAA, which applies to practically all healthcare plans and providers, required improved efficiency in healthcare delivery by standardizing Electronic Data Interchange, and protection of confidentiality and security of health data through setting and enforcing standards.
The Sarbanes-Oxley Act was signed into law in 2002 to improve corporate governance and ensure integrity of financial data. It introduced stringent new rules to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
The details behind some of these laws and others that impact identity theft and information security can be found in the identity theft laws section. These regulations often require establishment of many security components such as policies, procedures, standards, and an executive security position for managing workplace information protection risks among others.
Good Business
Having adequate workplace information protection controls just makes good business sense: not only can it save money spent on endless investigations, public relations, consumer notification and recovery of lost data, it can also build consumer confidence. Would it not make sense to secure online transactions and protect business and client information at the same time? Consumers are more reluctant to do business online as news of data leaks continues to emerge in the business sections of major newspapers almost weekly, but they would be more inclined to trust doing business online if businesses were able to buy their confidence back through their actions.
We will explore in detail 1) the scope of the information that needs protection, 2) the nature of the information to be protected, 3) the rationale for and extent of data protection, and 4) strategies for managing workplace information protection.
General Prevention Areas
Travel Security - Increase your security awareness when you travel.
Computer Security - Apply the minimum computer security measures.
Workplace Security Articles
Just Needed Training - Employee training needs must be properly assessed to develop a focused training scope. Just Needed Training provides a process to effectively define, prioritize and provide training.
Newscorp Spying Case - The reported case of Newscorp spying is a good reminder that key employee activities must always be monitored for suspicious behavior.
Information Security Risks - These are some of the most important information security risks for the information security function within any organization in possession of confidential information assets.
Data Security Breach - As we continue to see more data security breach cases, their causes continue to remain the same.
Increased Secretary Power And Access - Once in a while, executives might assign administrative tasks to their assistants requiring the boss’s privileged access rights, thus increasing secretary power.
A Factual Article Is Not Inclusive Of All Risks - When writing an article about a certain risk, some factual articles may be based on objective facts as evidenced in the news, but others may just be based on subjective judgment.
Fraud Notification Process - When companies face stolen or lost personal information, they must carefully consider the fraud notification process, which includes discovery, identification and fraud probability assessment.
Information KAGE Security Framework - The Information KAGE security framework is created to simplify management’s process for developing an information security strategy and risk management.
Why Some Executives Abuse Power - Some corporate executives abuse power and ignore internal controls related to workplace information protection for many reasons. The rationale for such decisions and the consequences for their companies are briefly discussed.
Fist In A Bucket Of Water - Some may think an employee is just a fist in a bucket of water, but without key performer employees, long term business success may not be assured.
Information Security Strategy - Businesses often have confidential and personal information that they need to protect, and to do so they must have an information security strategy and plan in place.
Stop Crook Employers - Beware of crook employers and CEOs who would sell their client and employee information to make an extra buck.
Unauthorized Sale Of Personal Information - Believe it or not, trusted company employees sell consumer data to criminal gangsters for profit. It's a win-win for both parties.