Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats

4/6/2012
10:30 AM

Tech Insight: Getting Ready For Data Loss Prevention (DLP)

DLP is a business issue requiring the co-existence of people and process with technology

[This article appears as a special to Dark Reading courtesy of the (ISC)2 Advisory Board of the Americas Executive Writers Bureau.]

The last thing any organization wants is to make news due to a data breach, but with the evolution of security threats coupled with the unpredictable human factor, the risk of data leakage has intensified.

While technology provides functionality to enforce business conduct, meet regulatory requirements, and safeguard confidential data, it can't stand alone: There must be a well-defined set of policies -- standards, directives, and guidelines -- that outline exactly what data requires protecting, where data security controls will be enforced, and exactly how data will be protected.

That is the case with data loss prevention (DLP). One of the most common misinterpretations of DLP is that it is purely an information security issue. In fact, it resides much higher and belongs to the organization as a whole. One of the biggest mistakes an organization can make is relying solely on security teams to implement a data protection program. Gartner's recent "Best Practices for Data Loss Prevention: A Process, Not a Technology" report reinforces that organizations cannot simply "set and forget" DLP, and must involve business stakeholders in the early stages to develop a clear and concise strategy for how the organization will address data exposures.

The most effective way of creating administrative data-protection controls -- policies, standards, directives, and guidelines -- is through a collaboration of strategic business lines that understand the risk and have a vested interest in the outcome. That includes, but is not limited to, legal, privacy, security, and human resources. Having perspectives from these and other stakeholders will ensure that when it's time to commence the data protection program, the technical controls are not seen as roadblocks, but rather as enablers, for performing business securely.

In parallel to administrative controls, operational documents must be developed that define which teams become involved in handling the output generated by technical controls (the alerts and blocked events a DLP system produces). It is important that an event management workflow is created to determine what resources will be required throughout the triage, response, and investigative phases. Having a streamlined digital investigation structure, such as those referenced in "Security Careers: A Closer Look At Digital Investigations", can greatly reduce the gap between incident occurrence and detection, which helps reduce the organizational damage (reputation, financial, etc.) or ongoing data exposures (malicious intent, "know-do" gap, etc.).

The "know-do" gap is the void between what we know and what we do in practice: knowing what our organization's administrative controls are, but choosing not to follow them. The human factor can become a detrimental concern because it is the most difficult to predict and avert through technology, and this is where administrative controls are required. Simply throwing a policy in front of employees and saying "Thou shalt not," when this may be how business has been conducted for some time, increases resistance and the perception of roadblocks, and may itself result in data exposures as people work around the control.

Before administrative controls are enforced, the key stakeholders should develop an organizational communication strategy that socializes how the data protection program will be implemented and provides educational tools that reduce this "know-do" gap.

Here's an example of a "know-do" gap situation: Say your mobile employees do not have direct access to the organization's applications or network when communicating with clients. A potential client asks a mobile employee to email him business documents for future reference. Since your employee doesn't have access to your approved email platform, he deems it to be acceptable this one time to use his public Webmail account to send the client the information.

Symantec's "Leveraging a Maturity Model to Achieve Proactive Compliance" whitepaper discusses the Capability Maturity Model (CMM) as a method of shifting away from tactical reactions toward proactive strategies when addressing risk management and compliance. The intention of CMM is to provide organizations with a means of measuring the strength of existing controls and of identifying where there are opportunities to improve. One of the key points in this document, which reinforces the holistic data protection approach, is that incorporating people in the early planning stages to build process will result in higher compliance and stronger data security.

Having a baseline of well-established and approved administrative controls, coupled with maturity ratings for the data protection controls, creates a waterfall effect that provides direction for prioritizing which technical controls to enhance or implement first. Ask some important questions: What is sensitive data? Where is sensitive data stored? How is the data being used? Without a good understanding of an organization's data, there is no way to quantify the associated risk and start working toward implementing appropriate controls, whether administrative or technical.
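The three discovery questions above (what is sensitive, where it lives, how it is used) are usually answered in practice by a content-inspection scan before any blocking policy is switched on. The following is an added illustration written for this edit, not code from the author, from Gartner, or from any DLP product: it scans a handful of constructed file contents for payment card numbers and U.S. Social Security numbers, validates candidates (Luhn check for card numbers, structural rules for SSNs) so that build IDs and ticket numbers are not reported as leaks, and labels each file with a classification. The file paths, contents and labels are all assumptions for the example.

```python
"""Minimal DLP-style discovery scan (example code, not a product).

Demonstrates the two things a discovery pass must get right before
technical enforcement is tuned: find the sensitive data, and keep
false positives low enough that the business trusts the findings.
"""
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for a scan of a file share.
# None of these values are real customer data.
SAMPLE_FILES = {
    "finance/q1_refunds.csv": (
        "customer,card\n"
        "A. Smith,4111 1111 1111 1111\n"
        "B. Jones,5500-0000-0000-0004\n"
    ),
    "hr/onboarding.txt": "Employee SSN on file: 123-45-6789. Badge issued.\n",
    # Numbers that look like card/SSN data but fail validation.
    "eng/build.log": (
        "build id 4111111111111112 completed\n"
        "session 1234567812345678\n"
        "ticket 000-12-3456\n"
    ),
    "marketing/blog_draft.md": "Five tips for securing your inbox.\n",
}

# 13-16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass
class Finding:
    path: str
    kind: str     # "PAN" or "SSN"
    masked: str   # only the last four digits are kept in the report


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that the SSA never issues (000/666/900+ area, zero group/serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Never write the full value into a DLP report; keep the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding(path, "PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(path, "SSN", mask("".join(m.groups()))))
    return findings


def scan_files(files: dict[str, str]) -> dict[str, dict]:
    """Classify each file from its findings; labels are an assumed scheme."""
    report = {}
    for path, text in files.items():
        found = scan_text(path, text)
        report[path] = {
            "label": "Restricted" if found else "Unclassified",
            "findings": found,
        }
    return report


if __name__ == "__main__":
    for path, entry in scan_files(SAMPLE_FILES).items():
        print(f"{entry['label']:<12} {path}")
        for f in entry["findings"]:
            print(f"    {f.kind}: {f.masked}")
```

The validation step is what keeps a discovery report credible: the build log contains a 16-digit number one digit off a valid card number and an all-zero-area SSN, and neither is reported. The masked output is deliberate as well; a scan report that contains the full card numbers it found is itself a data exposure.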

Following the same methodology of collaborating with multiple business lines, a stronger perspective can be gained about additional risk or data usage that security teams are not aware of; this time the business lines are those involved with the daily processing and usage of the organization's data. Even though the output from each business line's assessment is independent, collectively the results illustrate where priority should be focused, where risk can be reduced jointly, and how the technical policies that enforce the administrative controls should be written.

DLP is first and foremost a business issue requiring the co-existence of people and process with technology. Implementing a data protection program is essential for every organization, and it should not be a painful process. While it requires an organization to dedicate resources over a longer time frame, establishing policies before implementing security controls pays off: the controls become not an obstacle to conducting business but a platform for performing business securely.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio
AFORGIE750,
User Rank: Apprentice
4/7/2012 | 9:44:52 PM
re: Tech Insight: Getting Ready For Data Loss Prevention (DLP)
As an information security professional who spent the last few years working in the field with technical and non-technical stakeholders on their data protection initiatives, I have to say that although these points are valid, it seems like another situation where the reader is being told what to do without being provided the practical steps that show them how. That hasn't helped IT get an upper hand on DLP projects in the past and it won't help much more now. I'd recommend paying more attention to some of the topics that are often overlooked during DLP projects, such as:

- Ensuring that all project stakeholders have a consistent understanding of security principles and what communicates risk.
- Knowing the latest data breach trends to confirm where you are most likely to experience a high impact data breach and allocate resources accordingly.
- Understanding the Methodology and Execution Strategies of the different vendors. Not everyone has the same vision for how the problem is solved, and it's critical that you align with whomever you agree.
- Determine what your requirements are to promote response automation.

Yesterday, I covered this in a live webcast which is now available on demand if you or anyone would be interested in viewing: http://www.websense.com/conten...
