Now Available:

line

Featured Resources:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Rebecca.

« People Need Periodic, Effective, Training And Ongoing Awareness To Truly Safeguard Information | Main | 17 Info Security & Privacy Topics Call Center Staff Must Understand »

Death and Data

I encountered something rather remarkable in just the past two months; a couple of CISOs told me that they have had high-level business leaders, each of whom had a significant amount of computing equipment and information at their homes, die suddenly as a result of different circumstances.

As I discussed this with them, I wondered, how many organizations are ready to deal with something like this?

It is a very awkward situation. You may not want to contact the family members too soon to ask for the equipment and information, and then seem to be uncaring or insensitive.

However, you do not want to risk that the family members want to quickly remove such items from their homes, and then have the equipment end up being sold to someone on an Internet web site.

Many organizations don't even have an information and computing equipment reclamation security policy in place; every organization needs to have one. Even fewer probably know how they would handle a death situation.

I know it's rather morbid to think about...but think about all the information and equipment...

In just these two situations the high-level CxOs had in their homes...

  • Computers they used from their homes for doing business; one had the company-owned laptop, and the other had both a company-owned laptop and a computer the CxO owned but also used for work. They both had a ton of information, much of it confidential, on the computers.
  • Cell phones they used for business...in both situations the cell phones were owned by the respective companies.
  • Both had possibly reams of print documents containing sensitive information and possibly personally identifiable information (PII); the companies are not for sure since they were not tracked.
  • Electronic storage devices, such as USB drives, DVDs and CDs were likely to have been at the CxOs' homes, but neither is for sure.

These are the same types of items that must be reclaimed when an employee is fired or otherwise terminated. There should be procedures for the reclamation.

However, in these death situations, in what ways should the procedures be changed, if any?

Timeliness is going to be important, as is tactfulness, sympathy and empathy.

How would your organization deal with this?

Tags:                
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Rebecca Herold on July 28, 2008 9:07 PM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-itcompliance.com/type/mt-tb.cgi/773

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.