My 24" Core 2 Duo iMac has EFI Boot. It didn't stop me from installing Linux Mint on it last month (full format & repartition of the hard drive, not as a "guest"). Can someone help me understand what's the difference?

You might think that telephones carry an inherent expectation of privacy. But they don't. At least not your communication while you're sitting at your desk.

If we didn't install our root certificate on every machine than every internal website that is protected by SSL would not be trusted.

Also, 802.1x authentication would break.

We also couldn't do smart card authentication.

LOL. We're not injecting anything.

We've got a Microsoft Enterprise PKI.

Our own Root CA, Policy CA, and Issuing CA.

All of the machines that are joined to our domain are company-owned workstations and servers.

The Local & Personal Certificate Stores are controlled through Group Policy.

All of our workstations have our internal root certificate already on the machines, and all of our workstations and servers explicitly trust our root certificate.

Again: Our stuff. Our network. Our data. You have no privacy.

If employees stopped conducting themselves like they thought they had privacy while they were surfing the net while they were at work they wouldn't be so shocked and amazed when they find out they have none.

We don't hide anything. Not sure where or why you think we are (have?).

All of our employees know that:
  (1) The company own the computers, the network, and the information stored on them.
  (2) Employees have no expectation of privacy while using and interacting with any of the items from #1.

Not saying I disagree with anything you've written, but the courts have stated an employee has an implicit expectation of privacy while reading their blackberry sitting on the toilet.

However, they have none while they're surfing the net.

There is a distinct difference than an employer installing a video camera in the bathrooms than installing technical controls to fulfill their fiduciary and regulatory responsibilities to protect their trade secrets and other company data.

Very true, and a point that a lot of people seem to forget.

SSH public/ private key authentication is fantastic. Wish more people would use it,

There. Fixed that for you .

Somebody mod the parent up. ;-)

Anything is possible, and no amount of security technology or policy is going to stop the most determined individual.

It would depend on the policy.

Most companies contract with a third-party to do the classification for them. There's just too many domains out there to try to manage something like that manually.

Well for starters, most of that work is done by our compliance folks. The group that I'm in just manages the infrastructure.

I'm fairly confident thought that spreadsheets would easily be detectable provided the information wasn't encrypted within the spreadsheets.

Most of the alerts are generated by folks themselves doing personal business while at work.

As for the stuff we might not be able to detect - again - encryption is key (pun intended).

But in all honesty a lot depends on the data classification, which is set by the data owner.

Confidential data is supposed to be encrypted while the data is at rest and while it's in motion.

In that regard the data leakage products aren't going to see it.

(Yes I know a malicious actor could just as easily encrypt our own precious data and send it to themselves undetected.)

Look, security is a balancing act. A company could make their network more secure than it is but no work could get done if they did. No company can be expected to plug all the holes that might exist, but you look for the highest risks with the largest impacts and you mitigate those risks accordingly.

I just checked. Turns out ours can do it too but I don't remember ever seeing it on a roadmap of something to turn on.

Not sure what benefit it would provide us anyway tbh.

Actually it's important for any publicly traded companies.

It's not just HIPAA, but also Sarbanes-Oxley, GLBA, the SEC, and a myriad of other pesky CFRs.