July 2009 - Posts

What DLP is NOT

Published: July 30 2009, 03:57 PM | no comments
by David Miller

"DLP" the term has been getting a lot of attention, especially with the continuing coverage of data loss events.  And as the term is tossed around in hallway discussions, it is important to keep a clear understanding of what DLP is, particularly as you evaluate solutions and write RFPs for technologies to help protect your environment from data loss and misuse.

CSOonline.com recently did a series offering an in-depth look at DLP.  A podcast with CSO Senior Editor Bill Brenner and Rich Mogull, analyst and CEO for Securosis, gives one of the most accurate views of the DLP market and one analyst's take on what DLP is and is not.  The podcast can be found here.

Below, I discuss five capabilities that either reinforce or supplement what CSO has outlined, in an effort to help clarify what DLP is not.

  • A solution that controls access to data by locking down a platform, available tools, or other means is not DLP. This describes an Access Control solution. Combining Access Control with DLP can be a very powerful approach to securing the enterprise.
  • A solution that only blocks access to websites or filters inbound emails is not DLP. DLP enables a firm to prevent data loss (just like its name suggests!). Data Loss Prevention solutions aren't necessarily concerned with what website a user accesses, or what emails are coming from certain domains (although DLP can often perform those tasks). DLP is interested in what a user is doing with information and data on a website and in an email.
  • Strictly speaking, encryption solutions are not DLP. Encryption provides important security safeguards to an enterprise. However, a user can still use an encrypted thumb drive to move sensitive data out of the enterprise. In this example, the user can remove data from the enterprise in a form that only they can use - which could suit their corrupt purposes just fine! Encryption is another category that is complementary to DLP, but is not DLP.
  • Solutions that monitor and report on data use violations are DLP - minus the "Prevention"! A "Data Use Monitoring" solution stops well short of where a Data Loss Prevention solution intervenes with end-users to stop sensitive data from being leaked.
  • Solutions that discover and classify data - without controlling it - are not DLP. Finding and inventorying your data is important. However, DLP takes the next step and uses the analysis to control the files. And, during the file scanning effort itself, DLP can move or replace a file to protect it.
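The list above separates three capabilities that are easy to conflate: discovering and classifying sensitive content, monitoring its use, and actually preventing its loss. The example below is added here to make that distinction concrete; it is not code from the original post or from any CA product. The detectors (a constructed SSN pattern and a card-number pattern validated with the Luhn checksum) and the `monitor` / `prevent` modes are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed detectors for illustration only (not a product's rule set).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Rejects digit runs that merely look like card numbers,
    which keeps a classifier from flagging invoice or ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Discovery/classification only: report which sensitive categories appear."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append("card")
            break
    return found


@dataclass
class Verdict:
    categories: List[str]
    action: str  # "allow", "log" (monitor only) or "block" (prevent)


def inspect_outbound(text: str, mode: str) -> Verdict:
    """Apply classification to an outbound message.

    mode="monitor": a Data Use Monitoring posture, violations are recorded but
                    the transfer proceeds (DLP minus the Prevention).
    mode="prevent": the transfer is stopped when sensitive content is found.
    """
    cats = classify(text)
    if not cats:
        return Verdict(cats, "allow")
    if mode == "monitor":
        return Verdict(cats, "log")
    if mode == "prevent":
        return Verdict(cats, "block")
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample messages.
    msg = "Customer SSN 123-45-6789, card 4111 1111 1111 1111"
    print(inspect_outbound(msg, "monitor"))   # logs only
    print(inspect_outbound(msg, "prevent"))   # blocks
```

The same `classify` function serves both postures; the difference between a monitoring product and a prevention product lies entirely in what happens after the match, which is the point the list is making.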

Are you struggling with what DLP is and is not? 


By: David Miller
David Miller leverages over 15 years of experience in product management and marketing for compliance, security, and CRM enterprise software solutions to understand customer needs and promote security awareness. For CA, David manages the product marketing efforts for the CA DLP (Data Loss Prevention...

CA Presenting at the GRC 2009 Conference in D.C.

Published: July 30 2009, 05:50 AM | no comments
by CA GRC Blog Admin


Next week, the GRC team heads to Washington, D.C. for the Governance, Risk & Compliance Conference, taking place on Tuesday, August 4th at the Walter E. Washington Convention Center. Meet the team at our exhibit table #5 for a demo of our CA GRC Manager solutions.

If you plan to attend, be sure to check out the "Governance Strategies for a Web 2.0 World" session running from 9:30 to 10:30 am on August 4th (see the full schedule here). Allan Gajadhar, one of our regular blog contributors, will be sharing his thoughts on the topic as part of a panel of experts, along with representatives from Government Insights, the US Intelligence Community, AIIM and the Department of Education.

The focus of the session will be:

The adoption by Federal IT professionals of exciting new social networking and collaboration web applications raises several thorny security and privacy issues and highlights a potential generational divide in the public sector workforce. Learn what the minimal levels of acceptable governance are, based on recent successful Web 2.0 implementations.

Attendees will learn:

  • What are the main factors to be considered when balancing Web 2.0 application implementation and security/privacy needs?
  • What are the minimal levels of acceptable governance for Web 2.0 implementations?
  • What steps can an IT manager take to help their organization embrace the changes needed to realize the benefits of Web 2.0 applications?
  • What are some of the major Web 2.0 implementation pitfalls?

See you in D.C.!

By: CA GRC Blog Admin
The CA GRC Blog Admin helps keep content fresh on the site when the bloggers are on the road and disconnected from their laptops. The Blog Admin also makes sure subscribers receive their email updates, information about comments and that blog features and widgets are working properly day and night.

Third Parties and Your Records

Published: July 29 2009, 07:34 AM | no comments
by Galina Datskovsky


A few weeks ago a company called Fly Clear went out of business. For those of you unfamiliar with this particular company, its mission was to speed you through the airport security lines by pre-clearing you with the government and issuing you a special card that would take you to the front of the line. In the process of clearing you for this privilege the company collected very important personal information, such as your biometrics: fingerprints, retina scans, etc. The first question that most Fly Clear users are probably asking is: what will happen to all my data? Can Fly Clear guarantee that it does not fall into the wrong hands or become public? How will my privacy be preserved? Fortunately, according to its Web site, Fly Clear appears to be working with Verified Identity Pass, Inc. and the Transportation Security Administration (TSA) to secure information for deletion or future use in another Registered Traveler program operated by a TSA authorized service provider.

This is a great example, however, of what companies need to think about when it comes to the governance and securing of data when there is a third party involved. Take those same user concerns about the storage and privacy of data and multiply them tenfold and you have the picture of outsourcing corporate records, or as I like to call it, "records in the cloud." Many companies are jumping onto the 'cloud' bandwagon. Salesforce.com is one of the most common ways for companies to manage their sales leads. Microsoft Office Online and Google mail are gaining in popularity. It is very appealing to give up responsibility for the infrastructure, for the nightmare of upgrades, and, at first glance, the responsibility itself. The responsibility however does NOT go away. In fact, putting information in the hands of a third party requires great thought.

Before deciding to put information in the hands of a third party, it is important to understand what they do with that information. How is your disposition policy adhered to? What is their backup practice? Where does the infrastructure reside? Is your information co-mingled with others', and if so, how? What happens if they go out of business or are acquired (potentially by your competitor)? And as in the example of Fly Clear, what are the procedures to get information back in the case that this occurs? If you fail to ask all the right questions and to ascertain that your information is treated correctly, you may have a number of legal and eDiscovery issues that you did not bargain for. In my next blog I will provide an initial check list of information you should be concerned with. In the meantime, I'd love to hear your thoughts and ideas.

By: Galina Datskovsky
Dr. Galina Datskovsky, Ph.D., CRM, is senior vice president and general manager of the Information Governance business unit within the Governance group at CA, responsible for the CA Message Manager and CA Records Manager product lines. She is also recognized as a Distinguished Engineer at CA, and joined...

Lean GRC: Establish Consistency and Excellence

Published: July 28 2009, 06:05 AM | no comments
by Sumner Blount


I have written four previous blog postings that attempted to highlight some of the key principles of Lean Thinking, and how these can be related to the area of GRC. (Check out my past posts here: The Four Main Principles of Lean GRC, Eliminating Waste, Focusing on Individuals Who Add Value, and Leveraging Pull Value) This blog will consider the final area of Lean Thinking and show its relevance to GRC.

The final Lean Principle is:
Establish consistency and excellence (optimize) across the organization


If Lean GRC principles have been established in an organization, many of the risk and compliance processes have become simplified, automated, and hopefully somewhat streamlined. Waste has been identified, and eliminated to the extent possible. All process components that do not add value directly to the customer have been removed. Communication is probably better, and duplication of information and activities has been reduced.

But, as these improvements are made, it is important to use them as a springboard for more across-the-board efficiency gains throughout the organization. Specifically, as GRC begins to optimize and streamline processes, remaining inefficiencies become more obvious. Then, the Lean approach encourages replicating these techniques throughout the organization, further optimizing risk and compliance processes.

A common and unified GRC approach greatly simplifies this process because it provides a common framework within which all related business processes can be optimized. If you can standardize all functional areas on a common GRC "backbone," for example, you can get the benefit of having common technology and process across a broader set of people within the enterprise. As an example, when an enterprise adopts a common risk management framework, it implies that consistent terminology, risk identification and assessment processes, and risk metrics are used throughout the organization. The result is simplified risk management, and improved quality and consistency of risk information on which key decisions can be based.

Another related approach is the use of "cross-pollination teams" that are instructed to take improvements that they have made within a limited part of the organization, and extend them across broader organizational units or functional areas. This has, of course, organizational and political challenges, but there is no better way of introducing improvements than to use people who have successfully done it in other groups.

The point here is very simple. Don't stop once you have "leaned up" your own silo. Gather the learning, and the people, from initial and successful efforts, and use them to continue to optimize GRC processes across the broader enterprise. That's when the benefits of Lean GRC will be really significant and visible to all.



*LeanGRC is a trademark of OCEG.

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Securing Internal Threat: Controlling Privileged User Access to Limit, Monitor Activities

Published: July 24 2009, 09:33 AM | no comments
by Chris Wraight

In a May 2009 survey of more than 400 IT and security professionals conducted by Dark Reading and sister publication InformationWeek, 52 percent of respondents said they are more concerned about the possibility of internal data leaks -- both accidental and malicious -- than they are about external threats.

Stories about internal security breaches are in the news practically every day. CMP has a site dedicated to the topic of insider threat.  The threat is real and we saw it recently when a senior developer at a leading investment bank allegedly stole computer code that automates the firm's high-volume trading on stock and commodities markets (see Computerworld story).

As noted in an earlier post by my colleague David Miller, Data Loss Prevention (DLP) software can be used to identify and prevent the removal of proprietary information from an enterprise. 

Complementary to a DLP solution, the use of an access control solution enables a firm to go far beyond the capabilities of an operating system to control privileged users like the ex-developer mentioned above.

According to the FBI complaint in the incident with the developer, he first removed the encryption program that he used and then attempted to erase his steps.  Fortunately for the firm, they maintained a backup of the activity log; however, how many times have we seen backups fail? 

Effective access control must allow an organization to proactively define very fine-grained controls for its privileged users.  An example of this would have been to allow the senior developer access to the source code, but to disallow him from either installing or removing any programs.  Additionally, this person would be prevented from being able to access any activity log, let alone delete one.
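The policy sketched in the paragraph above (read and write to source, no installing or removing programs, no access to activity logs) can be expressed as a small deny-by-default rule set in which an explicit deny always beats an allow. The code below is an added example written for this post; it is not code from the original article or from CA Access Control. The roles, paths and actions are constructed for illustration, and the in-memory audit trail stands in for the activity log the post says the developer should not be able to touch.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    role: str
    action: str    # "read", "write", "install", "remove", "delete", or "*" for any
    prefix: str    # resource path prefix the rule applies to
    effect: str    # "allow" or "deny"


# Constructed policy for the scenario described in the post (illustrative paths).
POLICY: List[Rule] = [
    Rule("developer", "read",    "/src/",     "allow"),
    Rule("developer", "write",   "/src/",     "allow"),
    Rule("developer", "install", "/usr/bin/", "deny"),
    Rule("developer", "remove",  "/usr/bin/", "deny"),
    Rule("developer", "*",       "/var/log/", "deny"),   # no reading or deleting logs
    Rule("auditor",   "read",    "/var/log/", "allow"),
]


def _matches(rule: Rule, role: str, action: str, resource: str) -> bool:
    return (rule.role == role
            and rule.action in ("*", action)
            and resource.startswith(rule.prefix))


class AccessControl:
    """Fine-grained, deny-by-default evaluator with explicit-deny precedence."""

    def __init__(self, policy: List[Rule]) -> None:
        self.policy = policy
        # Append-only activity trail; this class exposes no way to remove entries.
        self._audit: List[Tuple[str, str, str, str]] = []

    def decide(self, role: str, action: str, resource: str) -> str:
        applicable = [r for r in self.policy if _matches(r, role, action, resource)]
        if any(r.effect == "deny" for r in applicable):
            decision = "deny"      # an explicit deny always wins
        elif any(r.effect == "allow" for r in applicable):
            decision = "allow"
        else:
            decision = "deny"      # nothing granted it, so default deny
        self._audit.append((role, action, resource, decision))
        return decision

    def read_audit(self, role: str) -> List[Tuple[str, str, str, str]]:
        """Only a role the policy allows to read the log directory may see the trail."""
        if self.decide(role, "read", "/var/log/audit.log") != "allow":
            raise PermissionError(f"{role} may not read the activity log")
        return list(self._audit)


def run_scenario() -> dict:
    """Replay the post's scenario; returns the decisions keyed by request."""
    ac = AccessControl(POLICY)
    results = {
        "dev_read_src":    ac.decide("developer", "read",    "/src/trading/engine.c"),
        "dev_install_bin": ac.decide("developer", "install", "/usr/bin/mytool"),
        "dev_remove_bin":  ac.decide("developer", "remove",  "/usr/bin/mytool"),
        "dev_delete_log":  ac.decide("developer", "delete",  "/var/log/activity.log"),
        "dev_read_shadow": ac.decide("developer", "read",    "/etc/shadow"),  # no rule: default deny
    }
    try:
        ac.read_audit("developer")
        results["dev_reads_audit"] = "allow"
    except PermissionError:
        results["dev_reads_audit"] = "deny"
    results["audit_entries"] = len(ac.read_audit("auditor"))
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:16} {v}")
```

Two design points are worth noting: the evaluator grants nothing that is not spelled out, so a resource the policy never mentions (such as `/etc/shadow` in the scenario) is denied without needing its own rule, and the audit trail is reachable only through a call that is itself subject to the policy, so the privileged user cannot inspect or erase the record of his own actions.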

The combination of a DLP and access control solution can offer both data and resource protection and proactively secure sensitive information and critical systems.  Are you securing both the data and the resources supporting it?


By: Chris Wraight
Chris Wraight has spent 25+ years in the technology world in various positions of product management, marketing and sales. He is currently working on CA Inc.'s Access Control security product in its Security Management business. Chris has a B.S. in Management with Computer Applications from WPI.
