Monday 2 March 2009

How to know what to protect...and from whom?

The most common way is to start an investigation (often with the help of external consultants) and then classify the information according to some kind of policy.
I would propose an alternative (slightly drastic) strategy: close down access, and then ask the question: who needs this information to be able to perform their job? In general people have access to far more information than they need, and by asking this simple question a pattern of which information is vital emerges quickly. (Only the ones who need it will be angry and call…)
This way we treat all information as "secret" by default and differentiate based on the user, which is much easier than classifying every document up front. I can give you an example from real life; a company I worked with a while back (a consultancy company) started to lose people to a competitor. It turned out that a hired resource in the reception copied the whole internal phone register and the calendar (where it was possible to see where a consultant spent his or her time, which customers they visited, etc.) and gave it all to her boyfriend... a headhunter. This was of course not legal, but I doubt anyone will go to jail for it. Did the receptionist need to see where a consultant spent their time through the internal calendar system? Of course not.
Conclusion: lock everything down, and give access on a need-to-know basis only.
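The strategy above is a default-deny access policy, and the "who calls" part is an audit step. The following is an added example, not code from the original post: every resource is secret unless a role has an explicit grant, every denial is logged with the caller's roles, and a report over the denial log answers the question of who actually needs what, so a reviewer can decide which grants to add instead of waiting for phone calls. The resource names, roles and request log are constructed for illustration and are not from the post.

```python
from collections import Counter

# Constructed grants for illustration (assumption, not from the post):
# a role is listed only where the job needs the resource.
DEFAULT_GRANTS = {
    "phone_register": {"consultant", "reception"},   # reception must route calls
    "calendar": {"consultant", "account_manager"},   # who visits which customer
    "customer_list": {"account_manager"},
}


class NeedToKnowPolicy:
    """Default deny: a request succeeds only if one of the caller's roles has an
    explicit grant on the resource. A resource nobody has been granted, or one
    the policy has never heard of, is denied. Every denial is recorded together
    with the caller's roles so the pattern of real need can be read from the log."""

    def __init__(self, grants):
        self.grants = {res: set(roles) for res, roles in grants.items()}
        self.denials = []   # (principal, resource, roles) per denied request

    def is_allowed(self, principal, roles, resource):
        granted = self.grants.get(resource, set())   # unknown resource -> empty -> deny
        if any(role in granted for role in roles):
            return True
        self.denials.append((principal, resource, tuple(sorted(roles))))
        return False

    def denial_report(self):
        """(resource, role) pairs ordered by how often they were denied.
        Repeated denials for the same role are where genuine need-to-know
        claims surface; a human decides whether each one becomes a grant."""
        counts = Counter()
        for _, resource, roles in self.denials:
            for role in roles:
                counts[(resource, role)] += 1
        return counts.most_common()


def run_scenario():
    """Replay a constructed request log (sample data, not a real system)
    modelled on the receptionist case and return the policy plus outcomes."""
    policy = NeedToKnowPolicy(DEFAULT_GRANTS)
    requests = [
        ("alice", {"consultant"}, "calendar"),
        ("alice", {"consultant"}, "phone_register"),
        ("bob", {"reception"}, "phone_register"),
        ("bob", {"reception"}, "calendar"),          # denied: not needed to route calls
        ("bob", {"reception"}, "calendar"),
        ("carol", {"account_manager"}, "customer_list"),
        ("alice", {"consultant"}, "customer_list"),  # denied repeatedly: worth a review
        ("alice", {"consultant"}, "customer_list"),
        ("alice", {"consultant"}, "customer_list"),
    ]
    outcomes = {}
    for principal, roles, resource in requests:
        outcomes[(principal, resource)] = policy.is_allowed(principal, roles, resource)
    return policy, outcomes


if __name__ == "__main__":
    policy, outcomes = run_scenario()
    for key, allowed in outcomes.items():
        print(key, "allowed" if allowed else "DENIED")
    print("denials by (resource, role):", policy.denial_report())
```

Two caveats a practitioner would add. First, the denial report is input to a review, not an auto-grant rule: a role that keeps hitting a resource may need it, or may be probing. Second, default deny narrows what a person can reach but does not stop misuse of what they legitimately hold; in the anecdote the receptionist did need the phone register, so logging and monitoring of bulk reads still matters inside the granted scope.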
