I recently had a really great conversation with the CTO of a large money center bank about information access and control. During our meeting, we discussed his priorities and the things that keep him up at night, which were mostly centered on personally identifiable information (PII) and ensuring the proper safeguards were in place to protect it. My agenda was mostly around messaging, and he agreed that it is important to have proper safeguards and controls in place to take appropriate action (log, encrypt, intercept, etc.) once information takes flight, either in or as an attachment to an email. That said, his approach was more inclusive, starting with where the information resides and who can access it.
He explained their approach as follows:
- Only the right people have access to this type of information – Access Control
- If those people or access rights change, there is a process in place to manage it – Change Control
- Create transparency when one of these authorized users breaches a rule (i.e., alert them that their message has been flagged for further review due to the possible inclusion of PII) – Information Control
Policy-based controls for messaging work well in this situation because they build on the policy-based controls that already limit who can access what information. This makes the problem much easier to solve and ensures that the bank’s most valuable asset to protect, your information, remains safe.