A few years ago I was in the elevator of a multi-tenant office building and overheard two interesting conversations. First, two people got on talking about the next board meeting and commented that the Board "are sure not going to like the numbers this quarter." Later, two engineers got on talking about the lack of security surrounding their development environment.
If I had been an unethical, opportunistic investor in the first company, or a criminal targeting the second, I could have used those bits of information to my advantage, almost certainly at the expense of the companies involved.
Information Security is often thought of as a technological solution for protecting sensitive organizational assets. What gets overlooked is the impact that people have on the security environment. All the technological measures in the world are rendered ineffective if an employee posts sensitive information to Facebook, is overheard discussing it with colleagues, or answers a phishing email.
Northeastern is not a typical business but it does have information that is classified as sensitive by Federal, State and internal regulations and policies:
- Student data is protected by the Family Educational Rights and Privacy Act (FERPA)
- Health records are protected by the Health Insurance Portability and Accountability Act (HIPAA)
- Research data is protected by the terms of its sponsoring organization and, where it includes health information, by HIPAA
- Personally Identifiable Information (e.g. Social Security numbers, bank account numbers, credit card numbers) is protected by Federal and Massachusetts data privacy laws (201 CMR 17.00)
- Other Northeastern internal policies surrounding information and systems
Steps to keep sensitive information safe:
- Do not discuss sensitive information in public spaces and elevators
- Do not post sensitive or confidential data on social media or the Internet
- Verify a caller's identity before engaging in sensitive conversations
- Use a shredder or a secure recycling bin to destroy sensitive documents
- Ask yourself whether the person you are speaking to actually needs to know the information they are asking about
Please contact the Office of Information Security (firstname.lastname@example.org) for questions about sensitive information and PII
More information on the dangers of careless talk: ACCJ: Loose Lips Sink Companies
Image credit: Wikipedia: Loose_lips_sink_ships