No one wants to read about their organization -- or that of their customers -- in the headlines following a breach...
of customer data or other sensitive information. And now that the Privacy Rights Clearing House maintains a comprehensive list of all known data breaches since 2005, major breaches live on in infamy long after the incident. Even more embarrassing is that most breaches are preventable.
In this tip, we'll review data breach prevention techniques and policies that can help ensure your customers don't make headlines for the wrong reasons.
Data breach prevention techniques
There are numerous techniques and a variety of tools that can help stop leakage or loss of information. In the following sections, we will briefly discuss each method and what solution providers can do to help their clients implement stop gaps to improve their overall information security posture.
Information security policies
Instituting information security policies and procedures is the least expensive way to help combat data loss. Policies and procedures are developed to instill a common set of principles for all personnel. That being said, policies and guidelines are also infrequently enforced. If staff members are not educated on these policies and guidelines, then enforcement becomes almost impossible.
To start, help your customers by either assisting them with conducting an information security policy assessment or by offering them the service. Solution providers will need to be well-versed in the use of information security baseline standards, such as ISO 27002 (formerly ISO 17799) and COBIT. Having a thorough understanding of these guidelines will help you (the solution provider) position yourself as a trusted advisor to the client.
Solution providers should have solid policy-writing skills and knowledge of the various data breach laws as well as those that are being drafted. Solution providers also need to be aware of the various State Security Breach Notification Laws that are in existence and to be able to articulate and integrate these with their clients' information security policies. Other best practices include making sure customers update their antivirus software, and maintaining an exit policy for employees that ensures privileges are revoked.
There are a variety of products available in the DLP (data loss prevention) category that combine software management and policy implementation and control. These products provide an "automated" mechanism that responds to defined attributes for policy management. In the simplest terms, these products allow the administrator to define criteria that determines how information will flow in and out of an organization as well as provide an audit trail and an alert notification process for exclusionary requirements.
DLP vendors that offer such products include NextLabs Inc., Orchestria Corp., Proofpoint Inc., Vericept Corp., Verdasys Inc. and Symantec Corp. (via its acquisition of Vontu). Their technologies utilize customizable "policies" defined by the organization to monitor, report against, redirect and stop data flow within the organization's network and computing systems. When enabled, these products could, for instance, disable USB ports or prevent laptops from accessing the network.
Solution providers should be well versed in the use and application of these tools to assist their clients with policy development and implementation. Organizations often face challenges implementing and managing their data loss prevention programs, and solution providers should be prepared to fill those gaps.
Information technology risk management assessments
An information technology risk management assessment can be used to assess a company's information security posture. An information technology risk management assessment gauges the effectiveness of IT security controls and ensures the implemented security technologies do not introduce unnecessary risk and exposure to the business.
The risk management assessment includes two core program components: the first is an organization's current maturity posture snapshot for security and management of the technologies implemented, second is a detailed gap analysis report that includes a mitigation roadmap containing recommendations for continuous improvement.
The Information risk management maturity matrix diagram illustrates a sample maturity matrix that is used to evaluate the organizations current and desired posture for IT/IS security and management.
Partner with third-party vendors that specialize in conducting risk management assessments. Leverage your relationship with the customer and introduce your extended advisory support by offering strategic assessments of the customer's IT risk posture. Demonstrate the value these assessments have with simple, yet,effective "heat maps." Heat maps are high-impact illustrations that pinpoint specific gaps or deficiencies visually so the client sees where they need to focus resources immediately. This heat map illustrates a sample "heat map" highlighting areas of severe deficiency (red), minimal deficiency (yellow) and no deficiency (green).
While it is nearly impossible to completely stop all data loss and data leakage, there are a variety of options to mitigate the risk and exposure. However, this is not to say that solution providers should just simply throw an assortment of tools, policies and approaches at the problems.
The best value a solution provider can bring to the customer is to understand the organization, its challenges and obstacles, and develop a strategy that integrates fundamental policies for awareness and education with technologies aimed at preventing the unauthorized removal of corporate information assets, and a comprehensive IT risk management assessment to reduce the risk of breaches and exposure.