[This article appears as a special to Dark Reading courtesy of the (ISC)2 Advisory Board of the Americas Executive Writers Bureau.]
The last thing any organization wants is to make news due to a data breach, but with the evolution of security threats coupled with the unpredictable human factor, the risk of data leakage has intensified.
While technology provides functionality to enforce business conduct, meet regulatory requirements, and safeguard confidential data, it can't stand alone: There must be a well-defined set of policies -- standards, directives, and guidelines -- that outline exactly what data requires protecting, where data security controls will be enforced, and exactly how data will be protected.
That is the case with data loss prevention (DLP). One of the most common misinterpretations of DLP is that it is an information security issue. In fact, it resides much higher and belongs to the organization as a whole. One of the biggest mistakes an organization can make is relying solely on security teams to implement a data protection program. Gartner's recent "Best Practices for Data Loss Prevention: A Process, Not a Technology" reportreinforces that organizations cannot simply "set and forget" DLP, and must involve business stakeholders early in the early stages to develop a clear and concise strategy for how the organization will address data exposures.
The most effective way of creating administrative data-protection controls -- policies, standards, directives, and guidelines -- is through a collaboration of strategic business lines that understand the risk and have an invested interest in the outcome. That includes, but is not limited to, legal, privacy, security, and human resources. Having perspectives from these and other stakeholders will ensure that when it’s time to commence the data protection program, the technical controls are not seen as roadblocks, but rather enablers, for performing business securely.
In parallel to administrative controls, there are operational documents that must be developed that define what teams become involved while handling the output generated from technical controls. It is important that an event management workflow is created to determine what resources will be required throughout the triage, response, and investigative phases. Having a streamlined digital investigation structure, such as those referenced in the "Security Careers: A Closer Look At Digital Investigations", can greatly reduce the gap between incident occurrence and detection, which lends to reducing the organizational damages (reputation, financial, etc.) or ongoing data exposures (malicious intent, "know-do" gap, etc.).
The "know-do" gap is the void between what we know and what we do in practice: knowing what our organization's administrative controls are, but choosing not to follow them. The human factor can become a detrimental concern as it is the most difficult to predict and avert through technology, and this is where administrative controls are required. Simply throwing a policy in front of employees and saying, "Thou shall not do" when this may be how business was being conducted for some time, increases resistance, the perception of roadblocks, and may result in data exposures.
Before administrative controls are enforced, the key stakeholders should develop an organizational communication strategy that socializes how the data protection program will be implemented and provides educational tools that reduce this "know-do" gap.
Here's an example of a "know-do" gap situation: Say your mobile employees do not have direct access to the organization's applications or network when communicating with clients. A potential client asks a mobile employee to email him business documents for future reference. Since your employee doesn't have access to your approved email platform, he deems it to be acceptable this one time to use his public Webmail account to send the client the information.
Symantec's "Leveraging a Maturity Model to Achieve Proactive Compliance" whitepaper discusses the Capability Maturity Model (CMM)as a method of shifting away from tactical reactions toward proactive strategies when addressing risk management and compliance. The intention of CMM is to provide organization with a means of measuring the strength of existing controls and also where there opportunities to improve. One of the key points in this document, which enforces the holistic data protection approach, is that incorporating people in the early planning stages to build process will result in higher compliance and stronger data security.
Having a baseline of well-established and approved administrative controls, coupled with the maturity ratings for data protection controls, creates a waterfall effect providing direction for prioritizing focus on enhancing or implementing technical controls. Ask some important questions, such as what is sensitive data? Where is sensitive data stored? How is data being used? If there is not a good understanding of an organization's data, there is no way to quantify the associated risk and start working toward implementing appropriate controls, whether administrative or technical.
Following the same methodology of collaborating with multiple business lines, a stronger perspective can be gained about additional risk or data usage that security teams are not aware of, only this time the business lines are those involved with the daily processing and usage of the organizations data. Even though output from each business line's assessment is independent, collectively, the results generated illustrate where priority should be focused, opportunities to collectively reduce risk, and support the creation of technical policies for enforcing administrative controls.
DLP is first and foremost a business issue requiring the co-existence of people and process with technology. Implementing a data protection program is essential for every organization, and it should not be a painful process. While it requires an organization to dedicate resources over a larger time frame, the benefits of establishing policies before implementing security controls will be proved by not becoming an obstacle to conduct business but a platform for performing business securely.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio