NCJ Number
215898
Journal
Homeland Defense Journal Volume: 4 Issue: 7 Dated: July 2006 Pages: 48-50
Date Published
July 2006
Length
3 pages
Annotation
This is the first in a series of articles on how to secure data and information and not just the facility where the information is stored.
Abstract
Most security products designed to protect information and data focus on the infrastructure that contains the data. Firewalls, anti-virus programs, and virtual private networks are designed to prevent malevolent intruders from entering the storage facility to obtain, corrupt, or destroy the data. Data, however, are typically collected and developed for some purpose, which means they are regularly accessed and/or moved outside of a particular secure place. Security must not only prevent access to data; it must also ensure that the data are shared or accessed only for functions intended by the legitimate owner of the data. Data encryption (making data accessible only to those with an authorized access code) is part of the solution and should be a part of any comprehensive security strategy; however, encrypted data cannot be compressed, which slows network performance, and it slows collaboration when encryption keys cannot be shared. Organizations must begin a data security assessment by defining and identifying "sensitive" data that require limited access, and by knowing where these data reside, how they are being used, and by whom. Organizations must develop policies for the storage, access, and use of the data, with enforcement mechanisms based on user identity and access-management technology. Security procedures and technologies must be devised and selected to ensure that sensitive data are protected wherever the data reside, i.e., within the corporate network or outside, during travel, or when in someone's home. The other articles in this six-part series will discuss various key aspects of this "information-centric" approach to data security.