denbesten
Community Champion

Re: Detecting email sent to personal email accounts

Effectively, you are asking to blacklist employee email addresses. The obvious first step is to ask employees for their addresses. Either that or whitelist your customers.


However, I think your approach is flawed. Solely playing technical whack-a-mole to defend confidential information is doomed to failure. To be successful, you need employees to become your advocates in protecting CI. The simple fact that you authorized them to see the CI in the first place means they can screenshot it, take a picture with their mobile phone, hand transcribe, memorize, etc. As you are discovering, enforcement of rules that make it hard for them to do their jobs fosters shadow-IT-like behavior and ultimately hurts your overall goal to protect CI.


Much more enlightened is to ask why they need to print, empathize with their concerns and find that "middle ground" which all parties can accept. Most likely, you will find that they are trying to copy stuff from one document to another, or they are being asked to review documents on a screen which is much too small. Both of these scenarios can be solved by issuing second (or third) monitors. Or, maybe you buy everyone a shredder for Christmas and encourage its use in your CI training program.


You might also find that the documents being emailed/printed are those belonging to the employee. For example, I duplicate my own CI (performance review, employment contract, benefits notices, tax forms, etc.) into a location not under employer control. In part, this is CYA, but mostly it is so that they remain accessible even beyond my employment.


Also, with respect to the juser@yahoo.com scenario, it is only necessary to read about Mark Donnelly (thanks, rlade for the link) to realize that false positives ought to be considered.
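One way to make the distinction drawn above concrete, as an added example that is not part of the thread: an outbound-recipient check that blocks only employee-declared personal addresses (full-address match, normalized for case and plus-addressing), allows known customer domains, and routes every other external recipient to review rather than blocking, so a customer who happens to use a free-mail domain is not caught as a false positive. The employer domain, addresses and customer domains are constructed placeholders.

```python
"""Outbound-recipient policy check: a deny list of employee-declared personal
addresses plus an allow list of customer domains, with address normalization
so a deny-list match survives case changes and '+tag' plus-addressing."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"  # constructed placeholder for the employer's domain


@dataclass(frozen=True)
class Verdict:
    recipient: str
    category: str  # internal | customer | employee_personal | unknown_external
    action: str    # allow | review | block


def normalize(addr: str) -> str:
    """Lower-case the address and drop a '+tag' from the local part, so
    'JUser+archive@Yahoo.com' compares equal to 'juser@yahoo.com'."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def classify(addr: str, employee_personal: set[str], customer_domains: set[str]) -> Verdict:
    norm = normalize(addr)
    domain = norm.rpartition("@")[2]
    if domain == INTERNAL_DOMAIN:
        return Verdict(addr, "internal", "allow")
    if norm in employee_personal:  # match the full address, never the whole free-mail domain
        return Verdict(addr, "employee_personal", "block")
    if domain in customer_domains:
        return Verdict(addr, "customer", "allow")
    # Unknown external recipients go to a reviewer instead of being blocked outright,
    # which is where the false-positive cost is paid.
    return Verdict(addr, "unknown_external", "review")


def check_message(recipients: list[str], employee_personal: set[str], customer_domains: set[str]) -> list[Verdict]:
    return [classify(r, employee_personal, customer_domains) for r in recipients]


# Constructed sample data: addresses employees declared, and known customer domains.
EMPLOYEE_PERSONAL = {normalize(a) for a in ["juser@yahoo.com", "a.nother@gmail.com"]}
CUSTOMER_DOMAINS = {"customer-corp.example", "acme.example"}

if __name__ == "__main__":
    sample = ["JUser+archive@yahoo.com", "buyer@yahoo.com", "pm@acme.example",
              "cfo@example.com", "someone@outlook.com"]
    for v in check_message(sample, EMPLOYEE_PERSONAL, CUSTOMER_DOMAINS):
        print(f"{v.recipient:26} {v.category:18} {v.action}")
```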

Steve-Wilme
Advocate I

Re: Detecting email sent to personal email accounts

How do you propose to identify PII definitively? If you examine the legal definitions of what constitutes personal information, then this is fiendishly difficult for unstructured information. For example, in the UK, the regulator includes information that is obviously about someone, although they may not be named or have an obvious unique ID in the info, as personal data. For example, say I was to draft a LinkedIn recommendation for someone and email it to them. I may not mention them except by their first name, but everything else would fall under the 'definitely about them'. You could of course argue this is not PII that the organisation is data controller for.


-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS