A trivial observation will reveal a lot of issues about the security culture of an organization.
1. Does the organization:
- Have information security policies in place
- Define the different information classes
- Provide examples of each information class
- Establish an approval process, at the appropriate level of authority, to declassify information for sharing
- Deploy viable means to share confidential materials
- Communicate properly to all staff, with a mandatory regular refresher programme
- Integrate an information security undertaking into the terms of employment
- Impose a discrepancy process for policy violations
- Enforce a role-based access profile per job function
- Periodically review access rights for appropriateness
2. Do the staff:
- Have only the minimal access to information that their job roles require
- Forget to reclassify the information after approval has been granted
- Understand what has gone wrong
It may seem that a great many issues have surfaced, but this is the challenge, and a fact of life, now that all of us live in a digital world, not to mention that unstructured information is everywhere, beyond the organization's cyber landscape.
The bottom line is that securing information as mandated by policies (written directives) relies on people rather than technologies.