Step No. 4: Restrict access to information and administrative control
Restrict access to information and administrative control as much as possible, but not to the point of impacting employees' ability to get their job done. While it may be convenient for employees to be able to log in to servers, it may not be necessary.
For example, a software engineering group doesn't need shell access to the source code control repository server; rather, they can simply use tools to check out code and check in changes (thereby maintaining an audit log). In the event that access to the backend files is needed (such as for searches over the entire repository), consider using other means such as a read-only file system export. Restricting access limits the amount of disclosure and damage that can be done by a disgruntled or exiting employee.
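The check below is an added example, not part of the original article. It audits a repository server for the two controls described above, flagging non-administrator accounts that still have an interactive login shell and file system exports that are not read-only. The sample passwd and exports content, the account names, the `ADMIN_USERS` allow-list, and the choice of git-shell and NFS-style exports are all assumptions made for illustration.

```python
# Constructed sample data for a hypothetical repository server (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice (dev):/home/alice:/bin/bash
bob:x:1002:1001:Bob (dev):/home/bob:/usr/bin/git-shell
scm:x:998:998:repo service:/srv/repos:/usr/sbin/nologin
"""
SAMPLE_EXPORTS = """\
# repository tree exported for full-text search
/srv/repos  10.0.5.0/24(ro,root_squash)  buildhost(rw,no_root_squash)
"""

# Shells that do not give a general-purpose command line.
NON_INTERACTIVE = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                   "/usr/bin/git-shell"}
ADMIN_USERS = {"root"}          # assumption: the only accounts allowed a shell
RISKY_EXPORT_OPTS = {"rw", "no_root_squash"}


def interactive_accounts(passwd_text, allowed=ADMIN_USERS):
    """Return (user, shell) for non-admin accounts with an interactive shell."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue            # skip blank, comment, or malformed entries
        user, shell = fields[0], fields[6]
        # An empty shell field means the system default shell: interactive.
        if user not in allowed and shell not in NON_INTERACTIVE:
            findings.append((user, shell))
    return findings


def writable_exports(exports_text):
    """Return (path, client, risky_options) for exports that are not read-only.

    Assumes simple one-line entries: path followed by client(options) items.
    """
    findings = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            risky = RISKY_EXPORT_OPTS & set(opts.rstrip(")").split(","))
            if risky:
                findings.append((path, host, sorted(risky)))
    return findings
```

On a real server the same functions can be given the contents of `/etc/passwd` and `/etc/exports` in place of the constructed samples.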
Step No. 5: Employ some form of endpoint protection
If necessary, employ some form of endpoint protection for employee computers and mobile devices. There are varying levels of endpoint protection available, from the ability to turn a fully functional laptop into little more than a dumb terminal, to the ability to perform a remote data erase if a device is lost. This is another area where a balance must be struck between security and convenience. These technologies can help ensure that you are able to collect and audit the locations where data has been stored and copied.
Step No. 6: Identify and protect important electronic documents
Identify and protect important electronic documents for tracking, data integrity and disclosure. Depending on the sensitivity of the documents, the technologies that come into play include watermarking, digital rights management (DRM), document fingerprinting, digital signatures and encryption. These can help track the source of leaked information, prevent accidental leakage of (or intentional damage to) data, and protect the contents of a document if storage media or a portable device is lost or stolen. Depending on the sophistication of the technology used, it may also help render any data held by a departing employee useless.