Tag Archives: DLP

ISNow – Digital Loss Prevention

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2011 issue (Volume 6, Issue 1), which was on the topic of Digital Loss Prevention:

Gareth Niblett, Chair of the ISSG, says that many people see DLP software as something that magically stops your data from being lost, whereas the reality is quite different. 

“DLP is often used as a catch-all term for technology that somehow magically stops all unauthorised information flows once it has been installed.

In reality DLP has much wider implications in an organisation and can be quite nuanced. It could be considered as part of information lifecycle management, and should focus on ensuring the organisation can share the information it needs to, both internally and externally, in a correct, accountable and secure manner – data loss is then also prevented as a beneficial by-product.

To achieve robust inter-organisational collaboration capabilities, we would need common policies for identity proofing and verification (IPV) of organisations, people and devices, issuance of credentials, authentication and authorisation, so that interoperability can be obtained (for consistency and cost reasons).

Add a bridge to tie together disparate systems and organisations with cross certification, along with an independent verification process to ensure assurance is provided to all parties. Mix.

Levels of trust

One leading initiative, which I am involved with, is working towards such federated trust, at higher levels of assurance between regulated companies and industries. The British Business Federation Authority (BBFA) http://federatedbusiness.org/ is a not-for-profit self-regulating organisation born out of a government request for a body to represent the needs of UK industry in relation to identity management, which came at a joint BCS/eema seminar in 2009.

The BBFA Steering Group is made up of companies from regulated industry sectors and, along with its policy management authorities, is working with both private and public sector organisations towards standards-based and interoperable IPV, strong authentication and authorisation, federation and PKI bridge policies, procedures and mechanisms, as it recognises that without these no technology can meet the real needs of customers and end users.”

A PDF version of the magazine is available online at:
ISNow – Data Loss & Data Leakage

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2009 issue (Volume 3, Issue 4), which was on the topic of Data Loss and Data Leakage:

Data Loss
“Data loss prevention should be less about deploying the latest technology that claims unrivalled capabilities in securing all the data you value; rather, it should be about having the right data policies and procedures in place, along with suitably educated and motivated people who can act as your data guardians.

The lack of universal technical control will always leave gaps for data to be deliberately exfiltrated or accidentally exposed, but without comprehensive and effective data policies and procedures, and the people to support and enforce them, technology cannot provide a solution to your data management ills.

It is key that data procedures cover at least:

  1. how the organisation assigns a value to its data and information, i.e. values its assets;
  2. how it categorises and marks data, in relation to its value or sensitivity;
  3. how it assigns rules for handling data throughout its whole lifecycle, especially for personal information.

In a recession, the impact of the loss of corporate or customer data can be amplified and leave your organisation more vulnerable to disaster than before. The actual or suspected loss of information should be covered by your organisation’s incident response or business continuity plan.

Data Leakage
People can be shocked and concerned when media-friendly volumes of data are lost or exposed, even though only a tiny proportion may directly relate to or affect them, yet they volunteer personal information to near strangers when using the Internet and think very little about the implications of doing so.

With their photos, blogs, CVs, social networks, and contributions to online discussions, individuals can provide the greatest insight and intrusion into their online and real world lives, and also the lives of their friends and family, who may not have consented to their information being shared so openly.

Maybe each Internet connection should come with a health/wealth warning…”

A PDF version of the magazine is available online at: