Practical Data Loss Prevention

(Week 2 of 4)
by Michael McKinzie, CISSP

Building on my post from last week, I want to invite thought about how you, as an individual or on behalf of your organization, approach data loss prevention (DLP). I used the example of the way we (generally speaking) expect and rely on our financial institutions to keep our money safe and accurately accounted for, but I also mentioned the expectations banks and institutions place on users and consumers. If we apply this same model to computer use, it is a form of a privileged system model (authentication and permissions): proper authentication to access resources, and permission-based rules to govern activities, just as the bank controls access to accounts.

The challenge remains that there are constant threats to our data from many vectors: misuse, social networks, theft, lost devices, malware, viruses, Trojans, botnets, social engineering, integrated business partners, outsourcing, and so on. IT administrators adhering to best practices are vigilant in protecting data, but they must balance that protection with usability so that businesses remain productive and competitive. Businesses continue to rely on faster and broader communications, and data security is often perceived as a hindrance.

“Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.” (CIO Magazine)

So where do we practically begin? Does the organization know what its sensitive data is and how it is classified, where it resides, how it travels through business processes, and how it is shared and used? Some of these questions are easy to answer, but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal-use site, does any information or data downloaded belong to the organization? Does the company have a legal obligation to protect it? Should the company control the user’s content? Does it have a legal obligation to do so in order to protect company or customer information and interests?

How do we classify data? These are the questions and challenges facing organizations on a daily basis. Is it practical to just restrict access? Perhaps sales and marketing, or the executives of the company, have specific needs requiring access? Maybe the company favors control over broad restrictions? I don’t have answers to all of these questions, nor do I believe there is a simple answer which applies to all organizations. How do you approach it?

I am interested in hearing your thoughts on:

1. Do you think it is important to classify data formally? If so, have you done this and what was your experience?

2. What do you think is the largest threat to your confidential data? Users, malicious attacks, social networks, data leakage via lost or stolen devices, etc.?

3. Do you or your organization favor control over broad restriction policies, and how do you determine the best practice? e.g. restricting or blocking webmail and social networking sites versus providing limited access with monitoring.
