ENTERPRISE INFORMATION PROTECTION

 

The Enterprise Information Protection (EIP) Process

Enterprise Information Protection: A Continuous Improvement Process

The normal state of business is change. Employees are hired and leave, companies are bought and sold, products launch and reach end of life, government regulations grow and change, and external threats keep getting more dangerous. For all of these reasons, technology alone cannot protect a company's digital assets. Technology must enable a data-centric security process, and that process must drive an enterprise-wide security program that continually improves how the company identifies and mitigates the ever-changing risks to its data. The best practice for a continuously improving EIP program consists of six continually maturing steps:

1.) Monitor and Detect
2.) Evaluate Compliance, Assess Risk
3.) Classify Data, Define Policy
4.) Align Policy and Business Process
5.) Deploy Controls
6.) Train End Users, Enforce Data Governance

 

 Verdasys Enterprise Information Protection


1) Monitor and Detect
EIP provides visibility into where sensitive data is located and how it is used. Visibility is the cornerstone of effective monitoring and risk detection, and it cannot be limited to data moving across the network: it must also cover data as end users create and interact with it on their endpoints and as it moves across globally distributed environments, because data copied to removable media, printed, or carried inside an encrypted session never appears to a network-only monitor. Monitoring is the critical component that enables every other step in the EIP process. Monitoring and detection also include discovery of data at rest across distributed environments; unlike standalone discovery tools, an EIP platform integrates data discovery into its broader monitoring and detection capabilities.

2) Evaluate Compliance & Assess Risk
The metadata collected from discovery and from ongoing monitoring and detection is compiled and evaluated to understand risk. Enterprise-wide visibility into data location and movement creates a rich environment in which to detect risk accurately and determine its criticality. Companies that deploy EIP solutions typically spend several weeks doing nothing but monitoring and analyzing data risks, and they consistently describe the information collected as "an eye-opening experience" as unknown risks become visible. Most companies find sensitive data in locations, and being used in ways, that they did not and could not have imagined. They quickly recognize hidden risks, security system shortfalls and threats that could spell disaster.

3) Classifying Data, Defining Policies
The next step is putting this holistic visibility into risk and risk criticality to work. EIP enables a risk-based, evolutionary approach in which risk points are prioritized and the sensitive data that flows through them is classified, starting with the most critical.

Although not required, classification is a powerful tool for enhancing data usage visibility, risk definition and policy creation. Many companies struggle with the "all or nothing" approach to data classification, but with an EIP approach, companies can base classification on risk and classify only the data most at risk. Once that data type is classified and policies are applied to mitigate its risk, the next most critical risk can be classified and mitigated. This approach is incremental and controlled, and it gives the data security team a path to classification success that is not available with DLP-type approaches.

Creating, implementing and continuously improving data security policies is critical to the success of a data-centric security program. Because the business environment and the threat landscape change constantly, security policies in the past have often been little more than signed pieces of paper filed away, or manuals collecting dust on a shelf. When managers have data protection software that can analyze and classify sensitive data and offer real visibility into where risks and threats exist, they can begin to build realistic and actionable data security policies. Digital Guardian's flexible policy engine can define, implement, adjust and improve data security policies over time. These policies are high-level definitions made up of many compensating controls that protect data according to the defined risk.

4) Aligning Policy and Business Process
A data-centric security process must work in coordination with, and in support of, a company's many complex business processes. Digital Guardian policies are flexible: they can be aligned with those processes, offer many control choices and enable greater sharing of sensitive data. They are enforced automatically at the user level and in real time, so they can warn a user about a risky activity and offer an alternative action. They support and enable the business process and, equally important, they ensure the integrity of the data that flows through it.

5) Deploying Controls
Once security policies are defined or updated, IT security managers first run them in a "test mode" that records what each control would have done without blocking anything, so they can study the results and confirm that the controls catch the intended activity without interrupting legitimate work. Once controls are activated, rules are enforced automatically based on user, group, activity and data sensitivity. Controls interact directly with end users before they put data at risk, offering choices and driving accountability.

6) Training and Enforcement
The most critical piece of the security process is the ability to change user behavior effectively. It is, after all, people, not the network, not the firewall and not the information, who create risk; but they also enable business. People put data at risk for three primary reasons: 1) they are burdened with a bad, obstructive process and, in trying to get their work done, find creative ways to bypass it; 2) they are untrained in data security risks and policies and therefore unknowingly put data at risk; 3) they are compromised by perceived mistreatment or by enticement from third parties and knowingly put data at risk.

The Digital Guardian EIP solution offers flexible models for delivering automated data security controls to end users. These risk-appropriate warnings can be configured to enforce corporate policies, offer alternative ways to complete a task (including requiring security mechanisms such as VPNs or automatic encryption of emails and files), reinforce training for compliance rules such as HIPAA and PCI, and deter improper activity.
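To make the six steps concrete, here is an added illustrative example. It is not Digital Guardian's code or policy format; the event fields, the policy shape, the first-match rule and the sample events are all assumptions made for this example. It shows how monitored endpoint events are aggregated into ranked risk points (step 2), how a policy is expressed against user group, activity and data classification (steps 3 to 5), and how test mode records what a control would have done while enforce mode actually applies it.

```python
"""Minimal data-centric policy engine illustrating the EIP steps.

Everything here is an assumption for the example (not Digital Guardian's
format): event fields, the Policy dataclass, and first-matching-policy-wins.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of endpoint events, as a monitoring agent might record them.
SAMPLE_EVENTS = [
    {"user": "alice", "group": "finance", "action": "email_send",
     "classification": "PCI", "dest": "gmail.com"},
    {"user": "bob", "group": "engineering", "action": "usb_copy",
     "classification": "IP", "dest": "removable"},
    {"user": "carol", "group": "engineering", "action": "usb_copy",
     "classification": "IP", "dest": "removable"},
    {"user": "dave", "group": "marketing", "action": "upload",
     "classification": "public", "dest": "dropbox.com"},
    {"user": "erin", "group": "finance", "action": "email_send",
     "classification": "PCI", "dest": "bank-partner.example"},
]


@dataclass
class Policy:
    name: str
    action: str                 # "allow" | "warn" | "block" | "encrypt"
    mode: str = "test"          # "test": log only; "enforce": apply the action
    groups: set = field(default_factory=set)           # empty set = match any
    actions: set = field(default_factory=set)
    classifications: set = field(default_factory=set)

    def matches(self, ev):
        """A policy applies when every non-empty selector contains the event's value."""
        return ((not self.groups or ev["group"] in self.groups)
                and (not self.actions or ev["action"] in self.actions)
                and (not self.classifications
                     or ev["classification"] in self.classifications))


def rank_risks(events):
    """Step 2: aggregate monitored events into (classification, activity) risk
    points, most frequent first, ignoring data already classified as public.
    This ordering decides which data flow gets classified and controlled first."""
    counts = Counter((ev["classification"], ev["action"])
                     for ev in events if ev["classification"] != "public")
    return counts.most_common()


def evaluate(event, policies):
    """Steps 4-5: return (decision, audit_record). The first matching policy wins.
    In test mode the decision is always "allow", but the audit record keeps the
    action that *would* have been taken, so results can be studied before
    the policy is switched to enforce mode."""
    for p in policies:
        if p.matches(event):
            decision = p.action if p.mode == "enforce" else "allow"
            return decision, {"policy": p.name, "mode": p.mode,
                              "would": p.action, "user": event["user"]}
    return "allow", {"policy": None, "mode": None,
                     "would": "allow", "user": event["user"]}


# Two hypothetical policies: PCI email is already enforced (auto-encrypt);
# the IP-to-USB warning is still being validated in test mode.
POLICIES = [
    Policy("pci-email-encrypt", action="encrypt", mode="enforce",
           actions={"email_send"}, classifications={"PCI"}),
    Policy("ip-usb-warn", action="warn", mode="test",
           actions={"usb_copy"}, classifications={"IP"}),
]


def run(events=SAMPLE_EVENTS, policies=POLICIES):
    """Evaluate every event; returns a list of (decision, audit_record)."""
    return [evaluate(ev, policies) for ev in events]


if __name__ == "__main__":
    for risk, n in rank_risks(SAMPLE_EVENTS):
        print(f"{n} events: {risk}")
    for decision, rec in run():
        print(decision, rec)
```

Promoting a policy from test to enforce is then a single field change after the audit records have been reviewed, which is the "deploy controls" step the text describes.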


Contact Verdasys
P.(781) 788-8180
F.(781) 788-8188
Info@Verdasys.com

© 2010 VERDASYS. ALL RIGHTS RESERVED. TERMS OF USE AND PRIVACY POLICY