How do you enforce a rule of no unauthorized copying of data? How do you know when it's happened? Some organizations go as far as prohibiting thumb drives, but that sounds like throwing the baby out with the bathwater. Maybe data-leak protection software?
When it comes down to controlling the flow of data, it is all about monitoring. On a typical company network, people have access to the Internet and with this access can transfer files outside the company's control. If the company is dealing with data which requires a higher level of security, then only internal access is allowed (and typically this is even restricted inside a specific department). The policy to disallow thumb drives/CDs/floppies (for us old people) is nothing new; it simply makes the removal of data from these higher security locations harder but not impossible.
It is possible to lock data down pretty tight. You would get some unhappy employees, especially developers, as we need more access, but it is possible. Is it 100% bulletproof? No, but it is pretty damn close. For smaller companies, trust is key. For larger companies, it is a must.
The question of whose PC it is becomes cloudier when the employee has paid for and owns the PC and software, but the employer has essentially reimbursed the employee for the expense, and requires specific system configurations as well as adherence to security and data policies. I'm talking about "Bring Your Own Computer," which Kraft Foods recently introduced. Kraft is, by any measure, a large and sophisticated organization. Why is it okay with them when so many view it with such alarm? Could it be simple budget pressures and the desire to save 20 percent or more on purchasing and support?
I had not heard about this; it is an interesting concept. However, when it comes down to it, the security responsibility is on Kraft, and thus they must be able to police the data and equipment connecting and transmitting on their networks. I would say that a policy would have to be put in place up front with the understanding that they (the company) control this policy and it will be created and modified based on the needs of the company.