I'm starting off this week with a task to create a better method of assessing risks around data handling. I think that this is an aspect of security sometimes overlooked in the rush to mitigate risks in other areas: and while we do our utmost to ensure that infrastructure elements are being protected and that unauthorised access to data to taken care of, the actual handling of the data itself can leave itself open to exposure.
I'm splitting the assessment into three distinct areas: storage, transport, and disposal\destruction. I'll be looking into not only electronic transport of data (e.g. by email) but also physical transport such as when data is despatched using a courier service. I'll also be looking at storage on removable media such as memory sticks. First and foremost will be a look at the processes in place for marking-up data correctly and also data ownership. This also requires there to be a high level of awareness in place over when data should be marked-up with a classification and what classification to make use of.
It's an important exercise and it'll be interesting to see what variations there are across our global business in how this subject is handled.
