An abridged overview by Jim Lindell, President, Thorsten Consulting Group Inc....
First, the company must establish values and principles that define appropriate behavior regarding confidential information such as personnel, technologies, customers and suppliers. Once values and policies have been established, management must support, review and enforce them.
Second, make sure the hiring process emphasizes how employees must handle confidential information. Determine the candidate's ability to maintain confidentiality. How? By asking tough questions during the interview and doing thorough background checks.
After the employee is hired, continue training and explaining your policies and procedures regarding confidential information. The role of the CEO and senior management can't be overstated.
The CEO, on a regular basis, should highlight unacceptable public behavior and emphasize that it won't be tolerated. The Snowden/Manning incidents provide excellent examples that illustrate confidentiality expectations for all employees. At a minimum, these messages must come from the CEO at least once a year.
The best policies and procedures
To be effective, policies and procedures must:
• Reinforce acceptable behavior.
• Create a monitoring process to detect breaches in confidential information. (An integral part of a TSCM bug sweep.)
• Create an audit process to determine whether existing rules are being followed. (An integral part of a TSCM bug sweep.)
You must assess the nature of confidential information that is maintained and the potential for abuse. Both Snowden and Manning required technological tools and technological skills. You must understand the devices your employees are using, and how they can use them to access confidential information...
In addition to electronic access to your systems, you also must be aware of people who have physical access. The ability to take pictures of processes, documents and employees has changed dramatically. You must restrict access to your plant and offices.
Finally, it's important to establish policies and procedures that address disposal of equipment like computers, tablets, hard disk drives and flash drives. Since we can't see the digital information, it's easy to discard hardware and not realize what we're actually tossing out.
All businesses are at risk. Some are just more prepared than others.