
4-10                    CRC Handbook of Modern Telecommunications, Second Edition

              •   Can the product be “trained” to ignore common, nonconfidential content?
              •   Does the product have built-in templates for outgoing messages that are subject to governmental
                  regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley
                  Act, Sarbanes-Oxley Act (SOX), European Acts, the Communications Assistance for Law Enforcement
                  Act (CALEA), European Telecommunications Standards Institute (ETSI), state regulations, etc.)?
              •   What is the total number of file/document types supported by the product?
              •   Can the product identify specific data elements (e.g., social security number, credit card number,
                  account numbers)?
              •   Can the product learn key phrases that distinguish private from public documents?
              •   What are the financial conditions (e.g., price, maintenance, etc.)?

              The return on investment (ROI) of filtering and monitoring products is closely aligned with business
              risk, and they are often purchased under the umbrella of compliance and risk management. The following
              protections are commonly provided:

              •   Word and e-mail attachments
              •   Copied Word content onto e-mail body
              •   Zipped documents transferred via FTP
              •   Encrypted documents transferred via standard protocols
              •   Data sent via HTTPS and HTTP
              •   Data copied to USB devices
              •   Image data transfers
              •   Altered image data transfers

              Steps to prevent data loss include:
               1.  Guard against human error: Use security technologies, such as data encryption, as a safety net for
                  honest mistakes.
               2.  When in doubt, encrypt: All laptop hard drives should be encrypted.
               3.  Monitor outgoing messages: Use software to block e-mail messages or file transfers that contain
                  confidential data.
               4.  Ensure that security is easy to use: Otherwise, employees will find ways to get around it.
               5.  Audit security practices regularly: Experts say such reviews should happen at least monthly.
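              The checklist above asks whether a product can identify specific data elements (credit card and social
              security numbers) and be trained to ignore nonconfidential content, and step 3 asks for software that blocks
              outgoing messages carrying such data. The following is an added example, not code from the handbook or
              from any product it describes, of how such an outbound scanner can work: a Luhn check and structural SSN
              rules cut false positives, a trained ignore set suppresses known benign values, and findings are masked
              before they reach a log. The regular expressions and the sample message are constructed for the example.

```python
import re

# Candidate patterns for two data elements named in the checklist. Both are
# constructed for this example; a product tunes patterns per country and format.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")     # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # U.S. SSN in dashed form

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects order or phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def train_ignore(values: list[str]) -> set[str]:
    """'Train' the scanner on known benign values, e.g. test card numbers from public docs."""
    return {re.sub(r"\D", "", v) for v in values}

def scan(text: str, ignore: set[str]) -> list[tuple[str, str]]:
    """Return (kind, masked value) for each sensitive element; only the last four digits survive."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if digits not in ignore and luhn_valid(digits):
            findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if re.sub(r"\D", "", m.group()) not in ignore and ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings

def decide(text: str, ignore: set[str]) -> str:
    """Policy hook for the outbound mail or file-transfer gateway: block on any finding."""
    return "block" if scan(text, ignore) else "allow"

# Constructed outbound message: a Luhn-valid card, a plausible SSN, a 16-digit order
# reference that fails Luhn, and a published test card the scanner was trained to ignore.
SAMPLE = ("Please charge card 4111 1111 1111 1111 and note SSN 219-09-9999. "
          "Order ref 1234 5678 9012 3456. Docs example card: 4242 4242 4242 4242.")
TRAINED_IGNORE = train_ignore(["4242 4242 4242 4242"])
```

              Running `scan(SAMPLE, TRAINED_IGNORE)` reports only the card ending in 1111 and the SSN; the order
              reference fails the Luhn check and the trained test card is skipped, so `decide` returns "block".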
            4.1.3.3  Deleting and Retaining Documents
            Enterprises are challenged with respect to the decision on deleting or retaining data. Mistakes either
            way may be very painful. The following provides some advice on each:

            4.1.3.3.1  Deleting Documents
              •   Be consistent and objective about what you want to delete
              •   Know what, when, and why data was deleted and by whom
              •   Get rid of all copies when deleting documents
              •   Wipe computers when switching owners or when decommissioning
              •   Make sure data is completely gone

            4.1.3.3.2  Retaining Documents
              •   Know your data and organize it well
              •   Identify laws, acts, and regulations that affect your company and keep data as long as required
              •   Hold onto data that could be subject to investigation
              •   Educate employees on what to keep
              •   Avoid creating risky e-mails