Monday, May 25, 2015

How to assess your security requirements

Here are some simple steps to help you determine what needs to be secured and how to go about securing it.


The most important step in security is determining what needs to be secured and what your exposure is if it is not secured. There are several categories of information that you should consider.


High Value / High Risk

Information that WILL cause harm to your business if it becomes available to anyone other than the people in your company who need to see and use it. This could be trade secret information or information that could be used against you in legal processes.


Customer records and information are also typically in this category.  Information in this category must not be made public. 


Business Operation Information

Accounting data and ERP data fit into this category. This information is used by people performing specific jobs and needs to be available for the business to operate.


Disclosure would not be damaging, but losing this information would disrupt business processes and cost revenue.




Publicly Available Information

This information is already available in the public domain but is housed on your systems to aid productivity of your people and processes.  Disclosure has very little risk and the information is easily recovered from various sources.  The primary cost of losing this information is the time required to find it in other areas.






Now consider the cost of losing information in these categories.

What is the exposure if a laptop containing legal documents or new product plans is turned over to a rival company or other hostile entity?  What could it cost? 






Who needs this information?


For each category of information, determine which groups or individuals need access to it. Who should be able to change it? AND WHO SHOULD BE ABLE TO MAKE COPIES?