Best practice in protecting private information and documents for high-level management?

Question

What's the best practice to protect private & confidential documents/information/messages/emails related to high-management level in a network that is run by an IT department and IT staff?

As you know IT staff has access to everything. So how can we be sure that high-classified reports and information are protected from them.

Use end-to-end encryption. Give C-Levels SmartCards and let them generate their own keys. — Neil McGuigan, Aug 26 '15 at 20:44
@NeilMcGuigan, Thank you, can you please share some good resources to read more about these methods? — CEO, Aug 27 '15 at 01:02

score 0 · Answer 1 · answered Aug 27 '15 at 15:01

My experience suggests that the simplest approach is the best approach... In general:

Restrict the access list to the intended audience and a small group of data custodians. This minimizes your “surface area.” Remember that everyone in IT doesn’t need to access everything.
Actively review the “access list” and revise as necessary, conducting regular security audits.
Mandate and maintain security awareness training for those who are granted access as users and as data administrators
Enable logging on sensitive resources with alerts for audit failures
Refer to applicable standards for the industry your organization is part of. (i.e. FERPA, HIPAA, PCI, SOX, etc ...) to ensure that special requirements are met.
Ensure that you do not overlook the Personally Identifiable Information (PII) category of security
Restrict physical access to the location (servers) where the data is stored.
Encrypt the files/disks on which the data is stored.

Best practice in protecting private information and documents for high-level management?

1 Answers1