ISO 27001 is a good framework to have in place, but it must be enforced rigorously; otherwise it is far too easy for data to be lost or removed.
The prime method for theft of data remains the USB stick, which is still the method of choice for anyone wishing to copy data off a system.
There are a couple of things you can do to protect your data:
- Configure desktops and laptops to block USB mass-storage devices and CD/DVD writers. It may seem harsh for laptop users to lose the USB port for everything except a keyboard or mouse, but if the data you hold is sensitive then this level of protection is justifiable.
- Use policy to prevent the export of data as email or other attachments. Group Policy configures the client side; inspecting what actually leaves in outbound mail also needs rules on the mail server or gateway.
- Enforce the encryption policy so that any data stored on a laptop is encrypted at rest; a logon password alone is not enough, because an unencrypted disk can simply be read from another machine.
- You could also set laptops up as thin clients: all data stays on a server and the laptop is used only to connect to it. With nothing stored locally, a lost or stolen laptop gives away no data, although the device itself can still be compromised, so the connection to the server must be authenticated and encrypted.
- And finally, ensure that sensitive paper documents are protectively marked, and enforce the handling rules for restricted, confidential and secret documents.
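As an added example (not from the original post), the following PowerShell script applies the removable-storage and disk-encryption controls from the first and third points to a single Windows client and then audits them. It assumes an elevated session, Windows 7 or later for the Removable Storage Access policy keys, and the BitLocker PowerShell module (Windows 8 / Server 2012 or later) for the encryption check; the registry paths and class GUIDs are the standard ones behind the "Removable Storage Access" administrative template, and on a domain you would set the same values through a GPO rather than a script. The function and variable names are the example's own.

```powershell
# Added example: enforce and audit USB / CD-DVD blocking and full-disk encryption.
# Assumptions: run as Administrator; Windows 7+ for RemovableStorageDevices policy;
# BitLocker module available for the encryption check (otherwise that row is skipped).

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Device-setup class GUIDs used by the Removable Storage Access policy.
$classes = [ordered]@{
    'Removable disks (USB mass storage)' = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD drives'                  = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Set-RemovableStorageDeny {
    param([string]$ClassGuid, [bool]$DenyRead, [bool]$DenyWrite)
    $key = Join-Path $policyRoot $ClassGuid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Deny_Read'  -Value ([int]$DenyRead)  -Type DWord
    Set-ItemProperty -Path $key -Name 'Deny_Write' -Value ([int]$DenyWrite) -Type DWord
}

# Block USB mass storage completely; allow reading CDs/DVDs but never writing them.
Set-RemovableStorageDeny -ClassGuid $classes['Removable disks (USB mass storage)'] -DenyRead $true  -DenyWrite $true
Set-RemovableStorageDeny -ClassGuid $classes['CD and DVD drives']                  -DenyRead $false -DenyWrite $true

# Belt and braces: stop the USB mass-storage driver from loading at all (Start = 4 is Disabled).
# Keyboards and mice use the HID class, not USBSTOR, so they keep working.
Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4 -Type DWord

# Audit: one row per control so the result can be collected from every laptop.
function Get-DataLossControlStatus {
    $rows = @(foreach ($name in $classes.Keys) {
        $key = Join-Path $policyRoot $classes[$name]
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Control   = $name
            Compliant = [bool]$p.Deny_Write   # writing out is what leaks data
            Detail    = "Deny_Read=$([bool]$p.Deny_Read) Deny_Write=$([bool]$p.Deny_Write)"
        }
    })

    $start = (Get-ItemProperty -Path $usbstorKey).Start
    $rows += [pscustomobject]@{
        Control   = 'USBSTOR driver disabled'
        Compliant = ($start -eq 4)
        Detail    = "Start=$start"
    }

    # Full-disk encryption: the OS volume must be fully encrypted with protection on;
    # "FullyEncrypted" with ProtectionStatus Off means the key is exposed in the clear.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $rows += [pscustomobject]@{
            Control   = "BitLocker on $env:SystemDrive"
            Compliant = ($os.VolumeStatus -eq 'FullyEncrypted') -and ($os.ProtectionStatus -eq 'On')
            Detail    = "VolumeStatus=$($os.VolumeStatus) ProtectionStatus=$($os.ProtectionStatus)"
        }
    }
    $rows
}

Get-DataLossControlStatus | Format-Table -AutoSize
```

Run the audit part on its own (without the Set- calls) from a scheduled task or your endpoint-management tool and alert on any row where Compliant is False; a policy that is set but never checked is exactly the kind of ISO 27001 control that looks good on paper and does nothing in practice.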
Let us all make sure that 2010 is not going to be a year when we lose data.