
Who needs insight into IT? Or better still: who doesn’t? Real Business – the award-winning magazine for entrepreneurs – is working with IBM Software to cut through the technology traps for today’s business.

REAL BUSINESS: INSIGHTS offers a clear, concise, no nonsense take on technology today. Because it’s about time someone did.

Real Business Magazine
Tags Strategy, Growth, Data management, Security

Data basics



Do you know who’s got their hands on your most sensitive information right now? If not, we offer a concise, ten-point guide to developing a secure data policy for your business. By Sean Hargrave.

1. What is a data policy?

It sounds like a bureaucratic nightmare, but a data policy is fundamentally a company-wide agreement on how and where data is stored, and who has access to which parts and for what purpose. By setting clear limits on how data is brought together, stored and accessed, Nick Beevers, data sales specialist at IBM Software Business, believes a company’s executives can rest assured that they have a system that will keep information running safely and smoothly through an organisation.

“It’s really just committing to a structure that says ‘This is how we handle data’,” he explains. “Companies are holding on to more data than ever before, so they need an agreed methodology. It could be a written document or, as is the case with a lot of small businesses, more of an agreed, shared philosophy.”

2. That’s all well and good, but do I really need one?

Absolutely. Not only does an effective data policy make certain that the right information gets to the right people the right way within an organisation, it also helps companies demonstrate that they are gathering, storing and handling information in compliance with the Data Protection Act.

The Act requires that companies demonstrate best practice in handling data, so that information is stored safely, for no longer than is required and is only used for its original intent. Without a data policy, it’s difficult for a Board to reassure the public, clients and investors that it is compliant – and that’s essential these days.

A good data policy also ensures that past or present employees – or anyone else with access to the corporate network – can’t cause serious damage to the system, because their access is tailored to their role within the company.

By tailoring the system in this way, the risk of serious misuse of data, such as fraud, is reduced because it would take a number of people from different departments with multiple levels of seniority working together to pull it off.

This is a fairly vital point when you consider that, according to Peter Jopling, head of Tivoli Security Management at IBM, an estimated three in four “computer incidents” are not caused by hackers, as the headlines would suggest, but rather rogue employees or people who accidentally gain access to an unprotected system.

3. So I need a data policy – where do I begin?

First thing to remember: your policy is only as good as your systems. A company that wants to take greater control over its information will likely want to invest in a solid and effective database system, such as IBM’s Informix Dynamic Server (IDS) Express or DB2 Universal Database Express Edition.

“That’s when you start to get real control,” says Beevers. “If you have a sophisticated tool, such as either Informix Dynamic Server Express or DB2 Universal Database Express, you’ve not only got a very clever ‘bucket’ to put all your data in, you’ve got a fast, responsive system that helps you handle data so people know where it is. You can also set up the system to know the rules of your data policy, so it knows who has access to which information – misuse can then be reported.”

4. How do I decide who does what?

Paul Watson, founder of IBM database partner Oninit, believes that a company’s data policy should revolve around letting people know what their data role is within the company, with each role having specific rules applied to it.

“We might, for example, create a role for data entry staff that specifies where and how they store data,” he explains. “Then we’ll create a data entry managerial role that allows that information to be accessed and even deleted, so there are clear distinctions between what each level can and cannot do.”

5. Should I worry about security in general?

A data policy isn’t just about legitimate data generated and circulated within a company; it also has to tackle the whole question of unsolicited emails, viruses and other attacks on the network. A plan needs to be put in place to ensure that the network, and any computers with access beyond it, are protected by anti-spam and anti-virus software, with a resolute firewall in place to keep out intruders. Your company’s security systems are only part of the equation, though – your employees have to be involved and aware as well, so make sure they’re up to speed or else you may find yourself facing a nasty surprise in your system.

6. My company is merging with another – will that mess up my data policy?

A good policy will make data of common interest available to the right people, but should ensure that data isn’t automatically seen or used by new, enlarged departments. In addition, when companies merge, they may need to integrate different applications and systems under a single view – known as “Master Data Management”. This involves using additional tools such as WebSphere Express and WebSphere Information Integrator.

7. How closely should I watch company data?

A company should have the technology in place to monitor exactly what information its employees are accessing and what they’re doing with it. This may sound like spying, but a company has every right to protect valuable data, just as it is likely to have a security guard keeping watch over stock in a warehouse.

Then, should there be a problem with information being misused or records falsified, the IT staff can track who accessed which files, what they did with the information and, crucially, if any changes were made to it.

8. Once the system’s in place, how do I let everyone know?

The first rule of a data policy: you do talk about the data policy. A plan’s not going to work if nobody knows about it and transgressors are not disciplined. For small firms, the policy can be verbal guidelines on what’s acceptable when it comes to work and private use of data and the company’s network.

Whatever the rules, employees need to be made aware of them and, preferably, sign a document to show they have been trained on what they can and cannot do on work systems. Once this is in place, there must be a corporate will to enforce it consistently.

9. What was wrong with passwords?

Typically, the first line of defence for any employee accused of data misuse is that it must have been someone else using their log-on details. In fact, Paul Watson of Oninit often shows his blue-chip clients how easy it is to crack passwords: “Within five minutes of walking into a company, I’ve normally got the majority of passwords by using password cracking software,” he reveals.

“It’s crucial that staff members are prohibited from picking easy passwords like ‘secret’ and that they change them periodically – and never give them out. It’s a simple process to instigate, but it means you can be sure when somebody is logged on and misusing data that it is them and not somebody who has guessed or been given their password.”

10. OK, the data policy is up and running – do I have to keep an eye on it?

A data policy is like any set of rules: not only does it need to be enforced, it has to have someone within the organisation take ownership of it. Either a senior individual or a team needs to be tasked with drawing up the policy and then instigating and enforcing it. Without someone driving the project, your data policy is doomed to failure from the start.

