QOTD on Data Handling

Commenting on a story in which Aberdeen Royal Infirmary lost a laptop containing almost 1,400 PII records, David Hoelzer, Director of Research & Principal Examiner for Enclave Forensics, wrote:
Somewhere in our information security program there needs to be an analysis of what data really needs to be where. The best way I've seen to do this is to develop matrix-based policy that shows how each type of data may be handled. Something as simple as that should tell us very clearly that it's just never OK to have sensitive data of this level on a portable device. Organizations may consider selecting controls out of ISO-27000 that deal with management approval for movement of sensitive data.
Src: SANS NewsBites Vol 11 Num 33
