On a mailing list I frequent, someone asked about policies to help a company avoid losing intellectual property. The generic term for stopping the loss of important information (with loss being not just destruction, but also the wrong people getting it) is data loss prevention or DLP. I was moved to comment… because most DLP policies are not worth a button.
Except for a few extremely harmful vectors, or vectors unique to your business maybe, it’s best not to identify particular technologies in the policy itself. Instead, make your intent clear; generally that company information is not to be disclosed to anyone outside the company. Depending on the nature of your business, you might need to make that even stricter – not to be disclosed to anyone not formally identified by the company as needing to know. You might also want to explicitly protect partners’ information.
If your security policy is more than half a page long, rest assured that no bugger will read it, nor know more than half the things in it. Write it in plain English, especially if you have foreign, young or poorly educated staff. Long, complex policies are invariably there just to cover the arses of those who wrote them – short pithy policies are there to be effective.
Whatever the policy, make sure everyone understands why it is there; either develop it with the employees or make sure they signed up for it. Imposing stuff after the fact can make people feel very hard done by, and can also make them want to break the rules just because they can.
Make sure the facilities that people need to make your policy work are available to them. Don’t require that waste paper be shredded unless you have a nice fast shredder within easy reach of everyone, or a locked waste paper disposal bin ditto. Make sure the shredder can eat staples, or stapled stuff won’t get shredded. Used media to be securely disposed of? Make sure there is a locked drop box for dead or unwanted storage media, and make sure the contents get destroyed properly at frequent intervals. If someone needs something that your policies block access to, make sure that they can get it quickly, easily and safely with a simple phone call (or get given a damn good reason why they can’t have it). And so on.
Same thing when people leave, for whatever reason: Make sure they know their obligations, provide every assistance necessary to help them meet those obligations (replace that work laptop/phone/iPad with clean kit they can take home), and make sure that you let them go with maximum respect and care.
The worst thing you can do is protect stuff that doesn’t really need protecting or implement stuff that gets in peoples’ way without offering a clear concomitant advantage. The first makes every measure a laughing stock, even those that would be useful, and they will not be taken seriously. The second leads inevitably to the development of invisible workarounds.
Er, sorry, no, the worst thing you can do is have a policy that doesn’t apply to the executive. If the boss swans off home every evening with a laptop under his/her arm, documents in his/her briefcase and his/her pockets full of USB sticks, people will know that the policies are a sham.
Ultimately, if someone wants to steal from you they will. Even if you take extremely active and intrusive measures you will still lose.
The best way to make people not steal from you is to keep them happy. That means paying them enough, giving them what they need to do their job, and not doing bad stuff to them or others. If you are inconsiderate, unethical or even criminal as a company, prepare to lose your secrets wholesale.