Dull, dull, dull….. Corporate data protection risk assessment toolkits

    bristolbiker
    Free Member

    Right, as dull as it is, where would one look for a basic toolkit/methodology to identify risks around the handling/storage/transfer/loss of electronic corporate data?

    Basically, I work for an SME and we have very little policy around data security, but it has come to a head as one of my colleagues will be working for an extended period in China and we ought to work up some procedures about what data we transmit to him and how we can maximise data security, starting with a more general risk assessment exercise on how we handle client data…..

    A bit of googling suggests this could become both a can of worms and an administrative and bureaucratic nightmare….

    Ta in advance, and well done if you’ve stayed awake this far!

    somouk
    Free Member

    Almost certainly a can of worms unless you impose quite strict rules from the start.

    The biggest issue is you will most likely identify issues with local people taking things away on unencrypted pen drives and people having access to data that they really don’t need to.

    My advice would be to start with two audits, first one of who has access to what and second an audit of who needs access to what to complete their role.

    From there you can formulate access rights and policies based on business needs and not just on what currently exists.
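The two audits somouk describes, reconciled in code as an added example (not from any poster): audit one is who currently has access to what, audit two is what each role needs, and the output is the excess access to revoke and the gaps to grant. All users, roles and share names are constructed sample data; a user with no known role has every grant flagged as excess, matching the "if you don't know, it's high risk" rule of thumb.

```python
from typing import Dict, Set, Tuple

# Audit 1 (constructed sample): who currently has access to what.
CURRENT_ACCESS: Dict[str, Set[str]] = {
    "alice": {"client_files", "finance_share", "hr_share"},
    "bob":   {"client_files", "dropbox_sync"},
    "carol": {"finance_share"},
    "dave":  {"client_files"},          # no role recorded for dave
}

# Constructed sample: the business role of each known user.
USER_ROLES: Dict[str, str] = {
    "alice": "engineer",
    "bob":   "engineer",
    "carol": "accounts",
}

# Audit 2 (constructed sample): what each role needs to do its job.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "engineer": {"client_files", "project_share"},
    "accounts": {"finance_share"},
}

def reconcile(current: Dict[str, Set[str]],
              roles: Dict[str, str],
              needs: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {user: (excess, missing)}.

    excess  = grants the user holds but their role does not need (revoke)
    missing = grants the role needs but the user does not hold (grant)
    A user with no role has no justified need, so every grant is excess.
    """
    report: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for user, has in current.items():
        needed = needs.get(roles.get(user, ""), set())
        report[user] = (has - needed, needed - has)
    # Users known by role but absent from the access audit still need their grants.
    for user, role in roles.items():
        if user not in current:
            report[user] = (set(), set(needs.get(role, set())))
    return report

def revocations(report: Dict[str, Tuple[Set[str], Set[str]]]) -> int:
    """Count how many individual grants the review would remove."""
    return sum(len(excess) for excess, _ in report.values())

if __name__ == "__main__":
    for user, (excess, missing) in reconcile(CURRENT_ACCESS, USER_ROLES, ROLE_NEEDS).items():
        print(f"{user}: revoke {sorted(excess)}, grant {sorted(missing)}")
```

Feeding the two real audits into `CURRENT_ACCESS`, `USER_ROLES` and `ROLE_NEEDS` turns the output into the access-rights change list the policy is then written around.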

    scuttler
    Full Member

    What will it cost you if you lose your most valuable data to the competition? Now you have an idea of the budget you need to spend on getting this right. Think about it from a risk-based point of view though – no point in stressing over things that don’t really matter. If it’s mostly about the individual going to China focus on that person as information security is as much people thing as a technology thing and your job just got easier as there’s only one for now. Still – you should think about your site/network/data/staff security as your adversaries could just as easily come to you.

    bristolbiker
    Free Member

    somouk – nail —> head. We are pretty slack, relying on people ‘not to be stupid’, but a prevalence of pen drives, drop-box, anonymous ftp, etc means that this isn’t much of a policy. When the director who raised this has no idea of the issues, what might be involved and the implications, and in the same breath says ‘don’t make it complex’ you have some handle on how much of a headache this will be.

    scuttler – it’s not so much losing our data, but the implications of us losing confidential multinational data to one of their competitors that I worry about. The conversation would very quickly make us look like idiots (Them: ‘Show me your data security policy’, Us: ‘ Show you our what now?’)

    Also, there is the issue that I’m not sure we have the skills to identify what the risk levels are for a particular medium (i.e. – how much of a risk is Dropbox, or Google Drive?) and not missing any obvious points of attack/data loss….. hence a free toolkit or template would be a handy starting point. I accept that a lot of this experience is hard won, so it may simply be a case of ‘getting someone in’ for advice.

    KonaTC
    Full Member

    WARNING: I am from the BC generation

    Geeky chaps at work said have a look at this as a starter for 10; it’s aimed at SME apparently

    http://news.bis.gov.uk/Press-Releases/Business-leaders-urged-to-step-up-response-to-cyber-threats-67f99.aspx

    Been told to say there is a ZIP file thingy at the bottom that might be useful

    IA
    Full Member

    how much of a risk is Dropbox, or Google Drive

    Well a simple approach would be if you don’t know, it’s a high risk. As much because you don’t know as anything else…

    FuzzyWuzzy
    Full Member

    You can cover it at a process level pretty easily with an Acceptable Use Policy and a Data Security policy – you really should have both anyway but it’s critical if you hold data that comes under the DPA and/or have IP you need to protect.
    You absolutely can’t rely on users being sensible if you want to do it anywhere near properly. You need things like mandatory laptop encryption (inc. USB drives, or disable USB drive usage if it’s an option) and enforce email encryption as standard, not rely on the user to tick a box to encrypt specific emails. Likewise file transfers should be SFTP by default not by option.
    It costs money though and usually involves a lot of someone’s time to set-up right and often impacts the usability for the end-user (at least in terms of usability for non-business stuff which although shouldn’t be an issue it can be if they’re senior and like kicking up a fuss).

    bristolbiker
    Free Member

    All good stuff chaps – thanks. Feel free to contribute further – I feel sure I shall be looking at this in more detail in the near future as the more I look at it the more holes and questions I find….

    Everything up to that last sentence is relevant and needs to be acted on. I suspect the business will only see:

    It costs money though and usually involves a lot of someone’s time to set-up right and often impacts the usability for the end-user

    Edit: Kona_TC – The CPNI link in that link you posted is a (very detailed) good starter for the issues to consider. Light bedtime reading…..

The topic ‘Dull, dull, dull….. Corporate data protection risk assessment toolkits’ is closed to new replies.