Written by Damien O'Donnell, Key Account Manager, UK & Ireland
Tuesday, 15 May 2012 12:14

Organisations With Clear Security Policies Are Less Likely To Suffer Breach

Data from a leading industry report suggests that an organisation with a quality end-user security awareness programme is less likely to suffer a security breach. This is according to the latest Information Security Breaches Survey (ISBS) report from PwC. The biennial report, presented at the Infosecurity Europe 2012 exhibition in London, is widely regarded as a respected barometer of UK security trends.

Security breaches reached historically high levels in 2011, according to the PwC report, costing the UK economy between £5 billion and £10 billion a year. PwC noted that 95% of large organisations and 63% of smaller firms have a documented security policy, yet only 25% of respondents believed their organisation's policy is well understood by users. Staff-related breaches were more common in organisations where the security policy was poorly understood, and less frequent where it had been thoroughly communicated.

According to Chris Potter, a partner with PwC and one of the report's authors, the findings underscore the need for better employee training. ‘The root cause of these attacks is often a lack of security awareness,’ he said. ‘These findings provide evidence of a payback in security awareness spending.’ Potter continued: ‘The figures clearly show that organisations with a clearly understood security policy are less likely to be breached.’

PwC also found that while security spending accounts on average for 8% of overall IT budgets, comparable with the level in 2010, one in eight organisations spends less than 1% of its IT budget on security, and 12% of respondents said that senior managers give a low priority to security. Potter added that security is not achieved solely by spending money on technology, and encouraged large organisations to put robust policies and processes in place alongside effective end-user security training.

Main Survey Highlights:

  • Security breaches remain at historically high levels, costing UK plc billions of pounds every year.
  • The number of significant hacking attacks on large organisations has doubled over the last two years.
  • Most serious breaches result from failings in a combination of people, process and technology - it’s important to invest in all three aspects.
  • Organisations are struggling to target their security expenditure. The key challenge is to evaluate and communicate the business benefits from investing in security controls.
  • The cost of dealing with breaches and of the knee-jerk responses afterwards usually outweighs the cost of prevention.
  • Social networks are growing in importance to business, and companies are rapidly opening up their systems to smart phones and tablets. Security controls are lagging behind the rate of technology adoption.
  • Most respondents expect the number of security breaches to increase in the future.

PixAlert Data Audit Solutions provide an automated security process that helps organisations discover, classify, remediate, protect and manage sensitive and unsecured data across networks. PixAlert's solutions enable businesses to audit networks and gain visibility into the ownership, location and usage of critical corporate data while quickly identifying key risk factors. Only with this level of visibility can an organisation begin to understand its risk, implement the corrective actions and security policies required to protect valuable data, and ensure through continuous monitoring that those policies are upheld. Contact PixAlert for further information or view our portfolio of data audit solutions on www.pixalert.com.

Download the full PwC report and two page executive summaries.

Infosecurity Europe conducted the survey and PwC analysed the results and compiled the report. The survey, which was partially funded by the Department for Business, Innovation and Skills (BIS), was based on feedback from 447 UK organisations and was conducted during February and March 2012.

Last Updated on Tuesday, 15 May 2012 12:31
 
Written by Gerard Curtin, CEO, Pixalert
Monday, 30 April 2012 10:36

DATA CLASSIFICATION

A Common Sense Approach To Risk Management

Information within an enterprise has experienced rapid growth in volume, variety and velocity, and organisations face constant pressure to provide faster access at any time, from any location and from any device. However, not all information has the same value to the organisation, and therefore different classes of information represent different risks with respect to confidentiality, integrity and availability. Classifying or segmenting enterprise information helps to ensure not only that the appropriate levels of policies, controls and resources are in place, but also that these investments are delivering an appropriate level of value to the business in return.

This is according to a recent Analyst Insight report from Aberdeen Group which outlines the benefits of classifying data in order to protect it effectively. The report, titled Does Your Enterprise Classify Its Data?, analyses over five years of Aberdeen's data loss prevention (DLP) research and concludes that data classification is a capability consistently linked with the best performing organisations in data loss prevention.

‘Aberdeen’s research has consistently shown that there are several general steps which are associated with top performance when it comes to protecting sensitive enterprise data,’ according to Aberdeen’s Vice President and Research Fellow, Derek Brink. ‘These include identification and classification of your data – because you can’t protect what you don’t manage, and you can’t manage what you don’t know about.’

Success Steps for Safeguarding Sensitive Enterprise Data:

Over the last five years, Aberdeen research has consistently shown that the following steps are among those correlated with top performance at safeguarding sensitive enterprise data:

  • Identify and classify your data – you can’t protect what you don’t manage, and you can’t manage what you don’t know about.
  • Prioritise security control objectives – as a function of risk, audit and compliance requirements.
  • Establish consistent policies – as part of an overall approach to safeguarding sensitive data, both at rest and in motion across the network.

Users remain responsible for the data they handle and should be educated on corporate policy as part of their everyday work. Aberdeen’s research reiterates this, noting that end-user involvement is a critical component of a successful data loss prevention initiative.

When it comes to their data loss prevention initiatives, Aberdeen’s latest research has shown that the top performers tend to be pragmatists about getting started. For example, they may not devote a great deal of energy to identifying and discovering all of the data throughout their entire enterprise, because in many cases they already know where a great deal of their most sensitive data is – such as their centralized file shares, which are popping up throughout the enterprise in support of increased collaboration.

Similarly, classification of all their data is not necessarily a prerequisite to getting started. Often the most pressing business requirement may be monitoring and filtering with the objective of addressing requirements for regulatory compliance (e.g., PCI DSS for the protection of payment card data, or HIPAA for the protection of patient medical records). For others, it may be the unstructured data (e.g., documents, diagrams, spreadsheets, product designs) that comprises an organisation’s intellectual property. In any case, it may not always be practical or worthwhile to invest limited IT resources looking backwards through many years of historical records to achieve 100% classification.

For these and other reasons, a common-sense approach to the risk management equation generally makes sense: focus initial efforts where the value of the information, the probability of data loss or exposure, and the total financial impact of each potential occurrence are highest, and expand the initiative over time.

In five separate studies on data loss prevention conducted over five consecutive years, Aberdeen’s research has shown that data classification is a capability which is consistently correlated with the achievement of top performance. Compared to the lagging performers, the leading performers in each study are between 1.5 and 3 times more likely to report data classification as a current capability. Full details are in the Aberdeen Group Analyst Insight Does Your Enterprise Classify Its Data? (January 2012).

About PixAlert

PixAlert’s Data Classification Solution helps businesses to discover sensitive information and apply client-specific classification controls which enable data to be appropriately stored, handled and secured in accordance with business value and sensitivity requirements. PixAlert’s Data Audit Solutions help to reduce risk, maintain compliance and safeguard corporate reputation through proven market-leading data discovery technologies. See www.pixalert.com.

Article References:

Aberdeen Group Analyst Insight - Does Your Enterprise Classify Its Data

Last Updated on Monday, 30 April 2012 11:06
 
Written by Niamh Hayes, Marketing Advisor, Pixalert
Wednesday, 04 April 2012 11:06

CONSUMER PRIVACY VIOLATIONS AND GAPS...

Imagine if a bank paid more attention to the colour of the carpet in its lobby than to the type of safe it uses to store its customers’ valuables: no one would want to store anything there. Last month Apple was the latest privacy violator, when it emerged that the company, which promotes itself as more secure than others, had been handing out people’s address books to apps. Who’s next for a privacy slip: Google, Amazon, Sony, Facebook, or perhaps a small start-up in such a rush to get its product out ahead of the competition that it focuses more on designing its app’s icon than on ensuring users’ privacy?

Whose fault is all of this? We can’t just point fingers at the companies that make iPhones, apps, social networking services and web sites. The argument that if consumers care about their privacy they shouldn’t use these technologies is a cop-out as technology is now completely woven into every part of society and business. We didn’t tell people who wanted safer cars simply not to drive, we made safer cars. Safety advocates, consumers and the government dragged the automobile industry toward including seat belts, air bags, more visible taillights and other safety features.

Christopher N. Olsen, Assistant Director in the Division of Privacy and Identity Protection at the US Federal Trade Commission, expects that as privacy violations pile up, Congress could enact laws to protect consumers. ‘Industry should redouble its efforts to focus on privacy issues, or they may face additional pressure in the form of legislation from Congress,’ he said. Legislation is not always ideal, as technology companies argue that more regulation will stifle innovation.

But the current system of self-regulation is clearly not working. ‘The FTC has been very active on the enforcement front; we’ve recently entered into consent decrees with large companies like Facebook and Google, and we have pushed other companies too,’ Mr Olsen said. And he was only talking about violations involving the web. Mobile devices, where the majority of web interactions will take place, he describes as the ‘Wild West’.

Patricia Poss, Chief of the FTC’s Mobile Technology Unit, suggested that to avoid regulation companies should build security into their products from the beginning of the process, not after a privacy debacle. ‘Companies need to look at privacy issues in terms of consumer needs, integrating privacy into design and really consider privacy at every stage of product development.’ If companies start to do this, they could avoid the fate of Google and Facebook, which are now operating, however loosely, under government scrutiny after abusing customers’ privacy.

With so much at stake for organisations of every size, in terms of reputational damage, financial consequences and lost consumer trust, one would presume that companies holding valuable consumer data would go to enormous lengths to keep their consumer databases secure. Yet, as we have seen on countless occasions, data leakage and breaches are steadily on the rise, putting consumers’ personal data seriously at risk and serving only to strengthen the case for tighter regulatory enforcement.

About PixAlert

PixAlert deploy world-class scalable enterprise content audit solutions which enable organisations to discover where unsecured, unstructured sensitive information and inappropriate images reside on networks and within email correspondence. PixAlert audit solutions and managed services help to safeguard brand integrity and reputation through proven market leading data discovery and illicit image detection software products.

For further information contact PixAlert via www.pixalert.com

Article Source: New York Times, BITS

 

 
Written by Gerard Curtin, CEO, Pixalert
Tuesday, 27 March 2012 08:49

SECURITY MATTERS - Breaches Help in C-suite Communication 

With considerable mainstream attention being paid to security threats and breaches, executives appear to be finally getting the message that security matters. C-suite officers now understand the impact on bottom line earnings that security breaches can have and are asking about the state of preparedness.

That's according to a panel of experts at the recent RSA Conference in California, who said that security pros must understand how to communicate effectively with their bosses, not only to explain the threats but also to make the case for budget, and that those discussions need to be more business-oriented and less jargon-filled. Bill Phelps, Head of Security at Accenture, said that many non-technical executives formerly had little awareness of what cyber threats meant to their organisation: ‘the discussion around probability and consequences has changed,’ he said.

Gary McAlum, CSO of insurance firm USAA, said security pros can talk about breaches and compliance regulations in the board room, but when it comes down to the bottom line, reputation and brand are the drivers. ‘We need a continuing process of education,’ he said, ‘otherwise there are significant consequences.’ Dave Cullinane, CISO and VP of global fraud, risk and security at eBay, echoed this sentiment, saying that CISOs have to get better at communicating with their CEO and informing them regularly on what's going on from a security perspective. This will prepare them to speak with the press in the event of an incident. ‘We have to quantify the risk posture and have a good discussion around risk tolerance to demonstrate ROI in reducing fraud and the number of incidents,’ he said.

Eddie Schwartz, VP and CISO at RSA, which itself experienced a high-profile breach last year, made the case that discussions with higher-ups need to be more business-oriented so as not to baffle executives with jargon. Citing the breach at his own company, he spoke of the lessons learned. ‘While security people understand incident management, crisis management is an entirely different beast,’ he said. At RSA, a team was put together to gather analytics showing the impact of the breach and to look at all sides of the situation.

As for what needs to be done to thwart future attacks, security pros must stop merely reacting to external attacks and instead get in front of the economic model that cyber criminals use: by observing their patterns of attack, be prepared to know where and how they might try to breach their next target. ‘Security personnel need to change their behavior to develop stronger instincts about what looks off,’ Phelps from Accenture said. ‘People need to become more attuned to security risks. We need to change culturally.’

Security matters, and senior executives need now more than ever to buy into the strategic and operational business value that preventative data security processes deliver. Securing critical and sensitive assets while meeting compliance obligations can be complicated. However, by identifying which critical assets need protection and reviewing them continuously, security risks can be minimised and valuable information protected and managed efficiently.


Article Author: Gerard Curtin, CEO, PixAlert - March 2012

Article Source: SC Magazine

Last Updated on Tuesday, 27 March 2012 09:02
 
Written by Gerard Curtin, CEO, Pixalert
Tuesday, 27 March 2012 08:34

DATA CLASSIFICATION – Protecting the Crown Jewels

If you know you’ve got valuables, you install an alarm system and ensure that entry and exit points are fully secure – shouldn’t you at least do the same for your data?

Increasingly, data classification is being deployed as an effective means to help address risks and enable compliance. An enterprise that implements an efficient data classification programme can understand what data they have, recognise its importance and make informed decisions about how it should be managed, handled and stored. This allows companies to realise a range of benefits that can save time and resources while reducing legal vulnerabilities associated with data leakage.

Data classification serves compliance and risk management requirements, since critical data can be identified and protected to meet compliance audits or legal discovery tasks. Another important benefit is cost saving, as the process allows less important data to be migrated off or deleted from network storage. Identifying the data that benefits most from classification, and moving it to a location that gives the best storage performance for indexing tasks, helps to distinguish mission-critical information and to focus procedures on securing that essential data.

The process essentially assigns a level of sensitivity to data used by an organisation, allowing companies to organise their information in a way that corresponds to their specific business needs and values. While classification schemes vary with an organisation’s requirements, most apply levels corresponding to the following definitions: secret, confidential, restricted (or sensitive) and unclassified.
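As an added example (not code from this article, from the Aberdeen report or from PixAlert), the following Python script shows one minimal form of the ‘identify and classify’ step described in the Aberdeen piece above and of the four-level scheme just described. It scans a set of constructed sample documents, honours an explicit classification marking where one exists, recognises Luhn-valid payment card numbers (the PCI DSS case mentioned earlier) while rejecting 16-digit look-alikes such as order numbers, and sorts the findings so that the most sensitive items are triaged first. The ordering of the four levels, the marking syntax, the sample documents and all function names are assumptions made for the example.

```python
"""Added example: a minimal content-based data discovery and classification pass.

Assumptions (not from the article): the four levels are ordered
unclassified < restricted < confidential < secret; an explicit
"Classification:" line in a document takes precedence over content rules;
and a Luhn-valid 13-19 digit number is treated as a payment card number (PAN).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LEVELS = ("unclassified", "restricted", "confidential", "secret")  # ascending sensitivity

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Explicit marking such as "Classification: Confidential" on its own line (assumed syntax).
MARKING = re.compile(r"^\s*classification:\s*(\w+)\s*$", re.IGNORECASE | re.MULTILINE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, with separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    name: str
    level: str
    reasons: list[str] = field(default_factory=list)


def classify(name: str, text: str) -> Finding:
    """Assign the highest level triggered by an explicit marking or a content rule."""
    level = "unclassified"
    reasons: list[str] = []

    def raise_to(new: str, why: str) -> None:
        nonlocal level
        if LEVELS.index(new) > LEVELS.index(level):
            level = new
        reasons.append(why)

    m = MARKING.search(text)
    if m and m.group(1).lower() in LEVELS:
        raise_to(m.group(1).lower(), f"explicit marking '{m.group(1)}'")
    pans = find_pans(text)
    if pans:
        raise_to("confidential", f"{len(pans)} Luhn-valid card number(s) (PCI DSS scope)")
    return Finding(name, level, reasons)


# Constructed sample documents standing in for files found on a shared drive.
SAMPLES = {
    "order-export.csv": "order_id,amount\n1234567890123456,19.99\n",  # 16 digits, fails Luhn
    "refunds.txt": "Refund to card 4111 1111 1111 1111 processed 2012-03-01\n",
    "board-minutes.txt": "Classification: Secret\nDiscussion of the planned acquisition.\n",
    "canteen-menu.txt": "Monday: soup and sandwiches\n",
}


def scan(docs: dict[str, str]) -> list[Finding]:
    """Classify every document and return results most-sensitive first: the triage order."""
    results = [classify(name, text) for name, text in docs.items()]
    return sorted(results, key=lambda f: LEVELS.index(f.level), reverse=True)


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f.level:<13} {f.name:<20} {'; '.join(f.reasons) or '-'}")
```

The Luhn check is what keeps a scan like this usable: a bare 16-digit regex would flag the order number in order-export.csv and bury the one real card number in noise. A production discovery tool would add further content rules (for example national health identifiers for the HIPAA case the article mentions), but the shape of the pass, explicit markings first, content rules second, highest level wins, is the same.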

Management must often spearhead the classification effort, with input from every department, as data classification is not solely an IT function. While applications exist that can help with data classification, ultimately it is a subjective business exercise and is best done as a collaborative task that considers business, technical and other perspectives.

Justifying a Data Classification Initiative

  • Understand what is realistically achievable: break the project down into smaller, targeted and manageable pieces with regular reviews and implementation goals.
  • Set the bar at a realistic height: if there is likely to be resistance within an organisation, opt for a simpler scheme rather than one that is overly complex and so likely to cause resistance among users.
  • Approve a data classification strategy: enforce the strategy even if full implementation is delayed. Therefore if confidential information is inadvertently disclosed, the security program can point to the classification strategy and push accountability to the line of business managers that have not yet implemented it.
  • Use regulation to push the business case: increased legislation is one of the most effective drivers that can be used by a security program. Reference these regulations to bring awareness of the need for data classification and give the security program the necessary support to get implemented.

Enterprise data cannot be adequately protected if there's no way of tracking its location, value and sensitivity and therefore business needs and risk tolerance should be the driving forces behind data classification initiatives. It has been suggested that data classification offers more benefit to larger companies with adequate resources and expertise to manage such an undertaking. However, even small companies can benefit from data classification if they deal with compliance needs and government regulatory requirements.

Benefits of Data Classification Programme

  • Helps management prioritise levels of controls required for data protection - having a data classification program in place that includes appropriate levels of controls for various classification levels, helps leadership make more effective investment decisions to meet internal and external control expectations.
  • Align and rationalise controls – establish controlled practice through defined levels of protection for information assets that manage data accessibility and ownership through a clear user policy framework.
  • Reduce costs associated with less sensitive data - frequently when data classification is developed, organisations realise that they are not only UNDER controlling their most sensitive data, but often wasting resources OVER controlling less sensitive data. The process helps to optimise storage resources by eliminating data with no value.
  • Improve the enterprise security environment – ensure that data is turned into consistent and timely business information aligned to business priorities, with clear management of data assets.

There is no fast-track to data classification but there are solid arguments for why it should be undertaken properly using a manageable, automated and client specific procedure. The raison d’être for implementing a classification initiative should be driven through the strategic benefits in prioritising and optimising the value of the information that organisations hold, access, and manage. In making this leap of faith, an organisation will begin to reap the lasting benefits of data classification as a strategic and necessary data security control.

About PixAlert

PixAlert deploy world-class scalable enterprise content audit solutions which help organisations to discover where unsecured, unstructured sensitive information and inappropriate images reside on corporate networks and email correspondence. PixAlert’s Data Classification Solution helps businesses to discover sensitive information and then apply client specific classification controls which enable data to be appropriately stored, handled and secured in accordance with business value and sensitivity requirements. PixAlert’s data solutions assist to reduce risk, maintain compliance and safeguard corporate reputation through proven market leading data discovery technologies www.pixalert.com

Author: Gerard Curtin, CEO, PixAlert - March 2012

Article References: TechTarget.com; CTO Edge; Mark Brooks

Last Updated on Tuesday, 27 March 2012 08:49
 
Written by Niamh Hayes, Marketing Advisor, Pixalert
Tuesday, 14 February 2012 12:33

ONE STOP SHOP FOR EU DATA PROTECTION

Implications for Business of new EU Data Protection Framework

The EU has recently unveiled its proposal for a significant reform of the existing EU data protection framework. The proposal comprises a General Data Protection Regulation (the Regulation), which sets the general data protection rules and replaces the existing Data Protection Directive 95/46/EC, and a Directive covering the processing of personal data by police and judicial authorities.

The changes create ‘a single set of European rules – valid everywhere across the EU,’ stated Viviane Reding, the EU Commissioner for Justice, Fundamental Rights and Citizenship: ‘one rule for 27 member states and 500 million people.’ Under the new Regulation an organisation deals with a single national data protection authority (DPA), that of the Member State where it has its main establishment, rather than with many; as Reding described it, ‘a one-stop shop’.

EU Directives must be implemented by each EU Member State via national legislation, which can give rise to different interpretations of the legislation and require a country-by-country analysis of the specific legal requirements. Replacing the existing Data Protection Directive with a Regulation means that individual countries cannot tailor the law in any way and that European law on data protection will be uniform.

Viviane Reding said the proposals will improve the protection of Europeans’ personal data, reduce administrative burdens and save companies money. She identified the following key goals of the proposed reform:

  • Address the protection of personal data processed by law enforcement and judicial authorities;
  • Update and modernise existing EU data protection rules in light of technological developments, in order to improve the protection of personal data processed inside and outside the EU;
  • Give individuals more control over their personal data and facilitate access to and transfer of such data;
  • Harmonise data protection rules across the EU by establishing a ‘strong, clear and uniform data protection framework’ with a single set of data protection rules and a single national data protection authority as point of contact;
  • Boost the EU digital economy and foster economic growth, innovation and job creation in the EU.

The main provisions of the newly proposed regulation include:

Expansion of Definition of Personal Data: what constitutes personal data is outlined in an EU published factsheet on the proposed data protection reform and is defined as ‘any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, and posts on social network websites, medical information or computer’s IP address’.

Breach notification mandate: in the event of a serious breach, organisations must notify the national supervisory authority as soon as possible (if feasible within 24 hours)

Increased enforcement powers for Data Protection Authorities: DPAs will be able to fine organisations that violate the rules up to €1 million or up to 2 percent of the global annual turnover of a company

Data Protection Officer Requirement: companies with more than 250 employees and certain other organisations will be required to designate a data protection officer.

Data protection impact assessment requirement & security obligations: organisations involved in risky data processing will be required to conduct data protection impact assessments and implement appropriate technical and organisational measures ‘to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation’.

Explicit consent requirement: wherever consent is required for data to be processed, it must be given explicitly, rather than assumed, according to the regulation.

Extra-territorial reach: the regulation applies to ‘personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens’.

Significant penalties: penalties for violations of the regulation range, based on the type of violation, from a written warning to fines for intentional or negligent conduct of anywhere from €250,000 or 0.5% of the annual worldwide turnover of a company up to €1,000,000 or 2% of annual worldwide turnover.

Transfers of Personal Data to Third Countries: under the proposed regulation, transfers based on standard data protection clauses need only be approved by one supervisory authority and will not require further authorisation.

The proposed data protection framework is currently under review by the European Parliament and EU Member States and is likely to undergo further modification before final adoption. Once adopted, the Regulation will take effect, and the Directive will have to be transposed into the national law of each Member State, approximately two years after the date of adoption.

The prospect of hefty penalties coupled with more stringent operating security procedures may be an unsavory but necessary catalyst in getting organisations to become more protective and compliant in their approach to securing consumer data. The new framework is believed to be an ambitious but necessary means to enforce best practice data protection procedures across Europe in a single harmonisation and simplify the current patchwork of 27 different national laws.

Once the new regulation is ratified, organisations across all industry sectors will need to assess their security controls accurately and proactively ensure that sufficient structures exist to protect valuable consumer data properly and continuously. The intervening period gives businesses time to prepare by deploying sound security practice and robust policies, and by improving data breach prevention, reporting and control of sensitive data assets, which will in turn bring more clarity on how much data is actually being lost.


Original Article Source/Reference: 1. IAPP; 2. National Law Review

Article Author: Niamh Hayes, Marketing Advisor, PixAlert

Last Updated on Tuesday, 14 February 2012 13:09