Record keeping is one of the most important issues in IT. By law, companies are required to keep emails and other electronic documents for seven years in case of legal proceedings, whether started by the companies themselves or brought against them. The difficulty of record keeping is identifying what to keep and what not to keep. Too often, for the sake of simplicity, companies keep all electronic records. Then there is the problem of the cost of storing them. As more information moves into digital formats, its volume keeps growing, and storing all of it is getting more expensive in terms of both storage space and labor cost.
The second issue is how to secure company data and proprietary information from unauthorized access by both external and internal threats. There are two aspects to securing company data. One is to set up an ACL (access control list) that allows only certain authorized personnel to access the data and denies access to everyone else. The second half of information protection is auditing and threat detection. Given enough time, hackers can break an ACL using methods such as brute force. To counter such attacks, reviewing audit logs and deploying intrusion detection technology enables a company to catch hackers in action and send out alarms in real time while such attacks are happening.
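The audit-log review described above can be automated. The following is an added example, not part of the original post: it scans authentication events and raises an alarm when one source produces a burst of failed logins for an account, and again if a login succeeds right after the burst. The log format, the threshold of 5 failures and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2010-02-08T09:00:01 FAIL user=alice src=10.0.0.5
2010-02-08T09:00:03 FAIL user=alice src=10.0.0.5
2010-02-08T09:00:04 OK user=bob src=10.0.0.9
2010-02-08T09:00:05 FAIL user=alice src=10.0.0.5
2010-02-08T09:00:07 FAIL user=alice src=10.0.0.5
2010-02-08T09:00:09 FAIL user=alice src=10.0.0.5
2010-02-08T09:00:12 OK user=alice src=10.0.0.5
2010-02-08T09:30:00 FAIL user=carol src=10.0.0.7
2010-02-08T11:45:00 FAIL user=carol src=10.0.0.7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alarms as (time, kind, user, src) tuples, in log order."""
    failures = defaultdict(deque)   # (user, src) -> recent failure times
    flagged = set()                 # pairs currently over the threshold
    alarms = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # ignore lines that do not parse
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        key = (user, src)
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if not recent:
            flagged.discard(key)    # window is empty: re-arm the alarm
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alarms.append((ts, "BRUTE_FORCE_SUSPECTED", user, src))
        elif key in flagged:
            # A success right after a burst may mean a guessed password.
            alarms.append((ts, "SUCCESS_AFTER_BURST", user, src))
            recent.clear()
    return alarms

if __name__ == "__main__":
    print(*detect_bruteforce(SAMPLE_LOG.splitlines()), sep="\n")
```

The second alarm type is the one that matters most for incident response, because it marks the moment an access control may actually have been defeated rather than merely probed.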
When data security is breached, which will happen sometimes, companies need to have a policy for dealing with such an event. First, assess the scope of the damage to gauge the situation. Second, contain the damage and prevent the breach from spreading to other areas, for example when the privileges of a compromised user account give access to other important data. Third, investigate the incident to find the source of the attack and the root cause of the security breach. Fourth, improve security procedures to prevent similar attacks in the future.
Intellectual property can be a critical part of a company's competitive advantage. I remember that in 2006, an administrative assistant of an executive inside Coca-Cola tried to sell Coca-Cola's trade secret to Pepsi. She was turned in by Pepsi, and Coca-Cola avoided a disastrous outcome. Had she found a buyer with intent to get into the beverage business, who knows how much damage she could have caused, maybe billions of dollars? How she got the information is an important lesson to learn in today's business environment and a case study in information security.
Monday, February 8, 2010