
>If Google Docs is not approved for company use, how does the security team identify SSNs in Google Docs?

Part of my argument is that Google Docs is popular and widely used by users, so IT should support it.

Then there’s training on how to use unsupported stuff (i.e., don’t email SSNs, don’t upload SSNs, etc.).

Then there’s DLP, as the source file was a PowerPoint on the partner’s laptop. Back then, I don’t know what products existed, but today I have implemented DLP so that if a file has a social, it is flagged for review immediately, presents visual cues to the user for sensitivity, and is blocked from lots of different transfer methods. This helps prevent users who don’t know the file is sensitive (most of the potential breaches I’ve encountered), but users can get around it (screenshot, phone, etc.) if they are really determined.

My point is mostly about rules being better rather than rigid. The best rules fit into a mental model and should be easy to follow. The “Just say no” style rules work just as well for security as for drugs and smoking.

Usability is really important, I think, in security.


