I encountered something rather remarkable in just the past two months; a couple of CISOs told me that they have had high-level business leaders, each of whom had a significant amount of computing equipment and information at their homes, die suddenly as a result of different circumstances.
As I discussed this with them, I wondered, how many organizations are ready to deal with something like this?
It is a very awkward situation. You may not want to contact the family members too soon to ask for the equipment and information, and then seem to be uncaring or insensitive.
However, you do not want to risk that the family members want to quickly remove such items from their homes, and then have the equipment end up being sold to someone on an Internet web site.
Many organizations don’t even have an information and computing equipment reclamation security policy in place; every organization needs to have one. Even fewer probably know how they would handle a death situation.
I know it’s rather morbid to think about…but think about all the information and equipment…
In just these two situations the high-level CxOs had in their homes…
- Computers they used from their homes for doing business; one had the company-owned laptop, and the other had both a company-owned laptop and a computer the CxO owned but also used for work. They both had a ton of information, much of it confidential, on the computers.
- Cell phones they used for business…in both situations the cell phones were owned by the respective companies.
- Both had possibly reams of print documents containing sensitive information and possibly personally identifiable information (PII); the companies are not for sure since they were not tracked.
- Electronic storage devices, such as USB drives, DVDs and CDs were likely to have been at the CxOs’ homes, but neither is for sure.
These are the same types of items that must be reclaimed when an employee is fired or otherwise terminated. There should be procedures for the reclamation.
However, in these death situations, in what ways should the procedures be changed, if any?
Timeliness is going to be important, as is tactfulness, sympathy and empathy.
How would your organization deal with this?
Tags: awareness and training, information reclamation, Information Security, IT compliance, policies and procedures, privacy training, risk management, security training