Identifying Broken Business Processes

Transcription

1 Identifying Broken Business Processes A data-centric approach to defining, identifying, and enforcing protection of sensitive documents at rest, in motion, and in use 6/07 I

2 Abstract The true value of content monitoring and filtering lies in helping management to identify and correct faulty business processes and accidental disclosures. Gartner Research: Content Monitoring and Filtering Helps Find Faulty Business Process, Accidental Disclosures, February 23, A business process is a collection of interrelated tasks that solve a particular issue or produce a desired output. Because most business processes are human-driven even automated processes are defined and developed by human input often the most carefully constructed processes can break or cease to operate as designed. The end result may still be reached successfully, but the desired efficiency, optimization, and security may be adversely affected. When the broken business process involves information technology and sensitive data, it can lead to a data breach, which in turn can lead to such consequences as financial losses, fines, and the loss of customer confidence. Enterprises therefore need the ability to identify and correct broken business processes without suspending operations or waiting until the breach occurs. Examples of Broken Business Processes What does a broken business process look like, especially if the end result of the process is achieved? A broken process is usually invisible, which is why it frequently goes undetected. This is to the detriment of the enterprise, as auditors have a knack for tracking them down. Obviously, it s better for an enterprise if broken business processes can be identified and remedied before third-parties find them. Usually, when a business process is broken, data either is not where it should be or is present when it shouldn t be. One example would be the Payment Card Industry Data Security Standard (PCI DSS), a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures, and specifies where and how credit card data must be handled by a merchant. At a simple level, the PCI DSS states that organizations are prohibited from keeping PIN or other personal information stored on a card s magnetic strip. They can keep credit card numbers and expiration dates, but that information must be protected. However, it may have been a company s policy in the past to retain personal information to be used for future marketing or customer service initiatives. Therefore, the company s systems will have been set up to store information it now must find and delete. Sometimes, as with point of sale devices, personal information is kept without the company s knowledge or intention. Regardless, if prohibited information is there it represents a violation of the PCI DSS and is, in essence, a broken business process. Another example might affect the Human Resources function. Someone in one division of a company may want to hire someone from another division. He asks corporate HR for the employee s file. HR s the pertinent information but doesn t encrypt the attachment. Along the way, it s intercepted (or maybe HR accidentally sent it to the wrong person), and the employee s personal information is now public. That, too, is a broken business process. Transferring sensitive information must be regulated by controls and processes designed to ensure security and protect the employee s privacy. When there is a breakdown in handling customer or employee data, serious consequences can result.

3 The Challenges of Fixing Broken Business Processes There are many challenges in overcoming broken business processes and thereby mitigating the risk of being caught with unprotected or prohibited personal information. For one, in today s distributed enterprises, information lives in many different places. In fact, copies of single files can exist in different databases, servers, and locations. If the original file contains information that must be destroyed per PCI DSS regulations, then every copy of that file also must be destroyed. So finding stored information is one challenge. Another challenge is finding data that may be protected or allowed in storage on the network, but has been sent or stored illegally by employees for example, a customer file that a user saves to his or her desktop, s outside the company, or retains after she changes job functions. These can be harder to discover because it requires broadening the search not just to network storage devices and databases, but to every employee s desktop computer and it gets harder still when the search extends to laptops, PDAs, and other portable devices. Finding the information is one challenge; identifying it as data that must be protected or destroyed is another. Not every document about employee John Smith is confidential, nor must everything that can be read from a magnetic strip be destroyed. On the other hand, a memo or that paraphrases or quotes sensitive information needs to be identified as such, even though it may not strictly be the file that was sought. Finally, the information that has been found and classified must be acted upon appropriately. In the case of PCI DSS, that may mean deleting the file (and all its copies). Or it may mean storing the data in a secure archive, or quarantining it. Additionally, the company may have to provide documentation proving that it has protected the information. At the same time, this process is a good time to reiterate policies and compliance requirements to employees so they understand what a permissible use is and what is prohibited. In most cases, broken business processes are unintentional rather than malicious. To sum up, there are three key tasks companies must undertake to prevent and police broken business processes: Define: Driven by internal policies or external regulations, companies must define what types of information are considered sensitive and in need of protection or destruction. Identify: Sensitive information resides in many different formats and is stored in multiple locations. Identifying all pertinent documents out of the total universe of information is no simple matter. To be effective, a solution must have accurate data identification that minimizes false negatives. Enforce: Finally, protecting sensitive information requires automated control and compliance enforcement to ensure it is not improperly accessed or inadvertently leaked. An effective enforcement solution should be able to auto-encrypt s and attachments and prohibit users from inadvertently or maliciously copying sensitive files to removable media.

4 Vericept s Solution to Broken Business Processes A pioneer in data loss prevention, Vericept offers a comprehensive solution that defines, identifies, and enforces sensitive information in motion, at rest, and in use. This includes files on servers, databases, desktops, and , including attachments. Vericept s unparalleled detection technologies automatically discover sensitive information based on a company s uniquely configured policies and regulations without disrupting business operations. After definition, the Vericept solution identifies the information and enforces policies relating to it against unauthorized distribution even when modified or reformatted, thereby enabling companies to mitigate compliance violations, whether malicious or inadvertent. Vericept is widely recognized as having the most comprehensive content detection suite on the market, uniquely able to discover and analyze sensitive information in both structured and unstructured data. The Vericept solution is differentiated by the use of contextual linguistics to identify content according to pre-configured taxonomies. This allows information to be analyzed that may not fit specific keywords and ensures that not every file mentioning customer John Smith is destroyed. Vericept is the only solution on the market that combines data identification with the information classification necessary to accurately identify information that needs to be protected or deleted, providing the most accurate solution for finding and identifying sensitive information. Vericept s solution uses rules not only to identify sensitive words and documents, but also to decide what to do when someone tries to locally save or transmit such files. In the case of , Vericept can be configured to either place an message containing sensitive information either as an attachment or in the body of the in quarantine, block it, auto-encrypt it, or return it to the sender to request confirmation that he or she intended to transmit the sensitive document. The latter strategy is also effective in reminding innocent users of company policy and eliminating accidental violations. In the case of sensitive information located on a laptop or desktop, Vericept can be configured to block it from being copied to a USB drive or other removable media. Easy to use, easy to own Operationally, the Vericept solution centralizes policy management to ensure consistent application across all business units and locations, yet allows for delegated responsibility to empower business unit stakeholders to discover and protect sensitive information where they can best control it. They can then assign role-based permissions; for example, an engineer collaborating with an external partner on the development of a new product will have reason to transmit sensitive documents, and for the sake of efficiency should be allowed to do so with minimal intrusion while ensuring the sensitive information is protected. Deploying the solution is easily and quickly accomplished. Vericept s professional services team consults on the development of the rules and policies around which kinds of data should be protected, how to search for them, and what to do with them when they re found, and can also implement the component pieces in the most optimal way. From the strategic to the tactical, we work closely with customers to ensure high performance and low total cost of ownership.

5 Conclusion There are any number of reasons and causes for broken business processes. Whether malicious or inadvertent, the risks and penalties for not protecting sensitive information or storing confidential information in violation of regulatory requirements are too severe to take any chances. You need to proactively and continuously search for the presence of sensitive information and monitor how it is being used and accessed. It is a complex and challenging project, one that requires not only an automated tool, but also a comprehensive solution that can: Define and identify sensitive information stored anywhere on desktops, laptops, and servers Enforce company policies and regulatory requirements by continuously monitoring improper presence or transmittal of sensitive information across all network protocols Prevent leakage with blocking, auto-encryption, and user self-compliance policies Analyze incidents with comprehensive reports, dashboards, and event highlighting Vericept s proven technology is based on nine patent-pending technologies. With extensive experience in Financial Services, Retail, Healthcare, Energy, and Government, Vericept currently protects billions of pieces of communication each and every day. It can t prevent broken business processes but it can mitigate the risks by finding and fixing incidents quickly and efficiently. Why Vericept? Vericept Corporation is the leading provider of comprehensive compliance and data loss prevention solutions. Vericept mitigates internal risk by providing enterprise-wide discovery, classification and prevention of the information exchanged inside and outside an organization. Vericept s patentpending classification suite delivers the highest degree of accuracy and lowest instance of false positive events available in the marketplace. Only Vericept offers comprehensive solutions for data at rest, data in motion, and data in use at the endpoint, providing visibility and control of sensitive data across all forms of traffic, including , webmail, IM, P2P, and FTP. Vericept s technology is deployed in over 750 organizations worldwide and protects billions of pieces of communication every day. Vericept is a privately held company with major operations in Waltham, MA and Denver, CO. Vericept Contact Information For additional product or sales information, please contact Vericept at: Vericept Corporation Reservoir Place 1601 Trapelo Road, Suite 140 Waltham, MA Seventeenth Street, Suite 1500 Denver, CO [email protected] Visit the company website at Vericept Corporation. All rights reserved. Vericept, Identity Match, Case Files, Intelligent Content Control Engine, Self-Compliance, Content Analysis Description Language and Category Designer are all trademarks and/or service marks of Vericept Corporation. All other trademarks and/or service marks are the property of their respective owners.