Data Leakage Prevention – Protecting Sensitive Information

When DuPont lost $400 million in intellectual property, it wasn’t because a hacker from the other side of the world infiltrated their system. The information was simply stolen by a former employee. Alarmingly, data loss incidents are not always caused by deliberate actions.

A file containing personal information accidentally attached to an email and sent to multiple recipients; financial data stored in a USB pen drive, accidentally left in a restaurant; or bank account data of colleagues, inadvertently posted on a company website – these are also some of the everyday causes of data loss.

A report done by research company Infowatch regarding global data leaks in 2010 showed that there were actually more accidental data leaks in that year compared to intentional ones. Accidental leaks comprised 53%, while intentional leaks comprised 42% (the rest were unidentified).

But even if they ?only? happened accidentally, breach incidents like these can still be very costly. The tens of thousands of dollars that you could sometimes end up paying in civil penalties (as in the case when you lose other people?s personal information) can just be the beginning. More costly than this is the loss of customer and investor confidence. Once you lose those, you could consequently lose a considerable portion of your business.

Confidential information that may already be leaking out right under your nose

With all the data you collect, process, exchange, and store electronically every day, your IT system has surely now become a storehouse of sensitive information. Some of them, you may be even taking for granted.

But imagine what would happen if any of the following trade secrets fell into the wrong hands: marketing plans, confidential customer information, pricing data, product development strategies, business plans, supplier information, source codes, and employee salaries.

These are not the only kind of data that you should be worried about. You could also get into trouble if your sloppy IT security fails to protect employee or client personal information such as their names; social security numbers; drivers license numbers; or bank account numbers and credit/debit card numbers along with their corresponding PINs.

In some countries, you could face onerous data breach notification requirements and heavy fines when these kind of data are involved.

There are now more holes to plug

It’s not just the different varieties of sensitive electronic information that you have to worry about. Because these data can take on different forms, i.e. data-at-rest, data-in-motion, and data-at-the-endpoints, you also need to take aim at different areas in your IT system.

Sensitive information can be found ?at rest? in each of your employees? hard disks, in your servers, storage disks, and in off-site backup disks. They can also be found ?in motion? in email, instant messaging, social networking messaging, P2P file sharing, ftp, http, and so on.

That’s not all. Your highly mobile workforce may have already introduced yet another high-risk area into your system: data-at-the-endpoints. This includes USB flash-disks, laptops, portable hard disks, CDs, and even smartphones.

The main challenge of data leak prevention

Having been made aware of the various aspects of data leakage, have you already come to grips with the extent of the task at hand?

There are two major things you need to do here to prevent data leakage.

One, you need to identify what data you have that can be considered as sensitive/confidential information. Of course you have financial information and employee salaries in your files. But do you also store personally identifiable information? Do you have trade secrets that are stored in electronic form?

Two, you need to pinpoint their locations. Are they only on your hard disks and laptops? Or have they made their way to flash drives, CDs/DVDs, or portable HDDs? Are they being transmitted through email or any other file transfer media?

The reason why you need to know what your sensitive data are as well as where they are is because you would like all efforts of securing them to be as efficient and unobtrusive as possible.

Let’s say, as a way of protecting your data, you decide to implement encryption. Since encryption can consume a lot of storage space and significantly reduce performance, it may be impractical to encrypt your entire database or all your files. For the same reason, you wouldn’t want to encrypt every single email that you send.

Thus, the best way would be to encrypt only the data that really need encryption. But again, you need to know what data needs to be encrypted and where those data can be found. That alone is no simple task.

Not only will you need to deal with the data you already have, you will also have to worry about the data that will go through your systems during the course of your day-to-day transactions.

Identifying sensitive data as it enters or leaves your system, goes through your network, or gets stored in your file system or database, and then applying the necessary security actions should be done automatically and intelligently. Otherwise, you could end up spending on a lot of man-hours or, worse, wasting them on a lot of false positives and negatives.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

Introduction to Matrix Management

A leader is responsible to empower his people and get the best out of them. Yet an organisational structure can either help or hamper performance. Worst, it can make or break success.

Looking at the fast-changing world of the global economy, whatsoever slows up and obstructs decision-making is a challenge. Hierarchical management is rather unattractive and functional silos are unlikable. Instead, employees desire to create teams equipped with flexibility, cooperation and coordination.

Recognising that companies have both vertical and horizontal chains of command, the matrix model is created. The concept of this principle lies in the ability to manage the collaboration of people across various functions and achieve strategic objectives through key projects.

Consider this scenario:

Ian is a sales executive of a company. His role is to sell a new product under the supervision of a product manager. The manager is expert about the product and she is accountable to coordinate the people across the organisation, making sure the product is achieved.

Moreover, Ian also reports to the sales manager who oversees his overall performance, monitors his pay and benefits and guides his personal development.

Complicated it may seem but this set-up is common to companies that seek to maximise the effect of expert product managers, without compromising the function of the staffing overhead in control of the organisation. This is a successful approach to management known as Matrix Management.

Matrix Management Defined

Matrix management is a type of organisational management wherein employees of similar skills are shared for work assignments. Simply stated, it is a structure in which the workforce reports to multiple managers of different roles.

For example, a team of engineers work under the supervision of their department head, which is the engineering manager. However, the same people from the engineering department may be assigned to other projects where they report to the project manager. Thus, while working on a designated project, each engineer has to work under various managers to accomplish the job.

Historical Background

Although some critics say that matrix management was first adopted in the Second World War, its origins can be traced more reliably to the US space programme of the 1960’s when President Kennedy has drawn his vision of putting a man on the moon. In order to accomplish the objective, NASA revolutionised its approach on the project leading to the consequent birth of ?matrix organisation?. This strategic method facilitated the energy, creativity and decision-making to triumph the grand vision.

In the 1970’s, matrix organisation received huge attention as the only new form of organisation in the twentieth century. In fact it was applied by Digital Equipment, Xerox, and Citibank. Despite its initial success, the enthusiasm of corporations with regards to matrix organisation declined in the 1980’s, largely because it was complex.

Furthermore, the drive for motivating people to work creatively and flexibly has only strengthened. And by the 1990’s, the evolution of matrix management geared towards creation and empowerment of virtual teams that focused on customer service and speedy delivery.

Although all forms of matrix has loopholes and flaws, research says that until today, matrix management is still the leading approach used by companies to achieve organisational goals.

Operational Efficiency Initiatives

When was the last time you checked your technology spending against your IT infrastructure’s contribution to the bottom line?

Chances are, what’s happening underneath all those automated processes, expensive hardware, and fancy graphical user interfaces is not doing your bottom line any good.

If you don’t keep a watchful eye, your IT operations can easily nurture a lot of wastage and unnecessary costs. Underutilised servers, duplicate processes, poorly managed bandwidths, and too much complexity are among the common culprits.

For minor problems, we can eliminate wastage by setting up some technology enhancements, instilling best practices, and performing a few tweaks. However, if you’re not adequately trained on how to go about with it, your band-aid solutions can add more complexity to the mix.

Of course, there will always come a time when you will have to spend on new technologies to maintain the overall efficiency of your IT infrastructure. Whether you intend to purchase new hardware or software applications or build an entirely new infrastructure, the sheer cost of such undertakings warrants seeking expert advice.

Failure to do so can result in fragmented resources lacking in cohesiveness, which don’t contribute to efficiency at all.

Our solutions for improving operational efficiencies cover the entire spectrum: from planning what to buy, optimising what you’ve already bought, to making your team comfortable with them all. Please find time to view our solutions below and uncover ways to drive those profits up even as you work within your budget.

 

More Operational Review Blogs

 

Carrying out an Operational Review

 

Operational Reviews

 

Operational Efficiency Initiatives

 

Operational Review Defined

 

How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Ready to work with Denizon?

Contact Us Today