Here's the thing: employees will generally follow the rules set down for them. Policy and procedures need to be enforced from the top down. A junior-level administrator can't tell the CIO what to do unless the CIO agrees. The commitment to policies must come from the executive level. The responsibility therefore rests with the executive level as well. Isn't executive responsibility part of the provision of Sarbanes-Oxley section 302? Executives have no less of a responsibility regarding the protection of personal information.
I would like to see a federal law mandating that one person at the executive level in every company or government organization should be assigned the responsibility of setting forth privacy and security procedures and ensuring that they are followed. In the event of a loss, that person should be held personally responsible and should serve no less than 1 year in prison. Maybe the threat of jail time will wake up the negligent.
Finally, if you are asked to take tapes home, ask that the request be put into writing, absolving you of any liability. You probably don't get paid enough to take on such responsibility and liability.
Still think P2P file sharing is a major culprit of data loss?