locked computer

Data Security: Where There Is Data, There Should Be Policy

Russell W. Gilmore, CISSP, CISM, EnCE Business Continuity Planning, Compliance, Computer Forensics, Corporate Compliance, Crisis Management Planning, Electronic Data Recovery, Security Policy and Procedure Development, Security Program Development


data securityThe recent report by the Wall Street Journal about the Morgan Stanley data security breach scares me as an employee. Reportedly, Morgan Stanley terminated Galen Marsh, a financial adviser, for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. Federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked. That is what concerns me. (Full story here.)

I have not reviewed the full report nor have I looked deeply into the incident. I focused on the consequences that befell Mr. Marsh. There is a slim possibility that he did nothing wrong. We are in the era of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees. It is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee about the security expectations of each. How do we control any electronic device that contains company data?

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. It should also indicate who is responsible for email security, data security, acceptable use, and physical security of the device. A policy should be a living document. Review electronic device policies that cover laptops once a year at a minimum. Policies should also be flexible. Some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before signing. Companies should allow employees to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What would have happened if the employee were a CFO or CEO?

There is most likely a lot more to this story than the public knows. In conclusion, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company-provided electronic devices.


Plan. Protect. Prosper.

Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.

919-834-8584 or 800-775-8584