Identifying Broken Business Processes

A data-centric approach to defining, identifying, and enforcing protection of sensitive documents at rest, in motion, and in use
6/07 | www.vericept.com

Abstract

"The true value of content monitoring and filtering lies in helping management to identify and correct faulty business processes and accidental disclosures." Gartner Research: Content Monitoring and Filtering Helps Find Faulty Business Process, Accidental Disclosures, February 23, 2006.

A business process is a collection of interrelated tasks that solve a particular issue or produce a desired output. Because most business processes are human-driven (even automated processes are defined and developed by human input), often the most carefully constructed processes can break or cease to operate as designed. The end result may still be reached successfully, but the desired efficiency, optimization, and security may be adversely affected. When the broken business process involves information technology and sensitive data, it can lead to a data breach, which in turn can lead to such consequences as financial losses, fines, and the loss of customer confidence. Enterprises therefore need the ability to identify and correct broken business processes without suspending operations or waiting until a breach occurs.

Examples of Broken Business Processes

What does a broken business process look like, especially if the end result of the process is achieved? A broken process is usually invisible, which is why it frequently goes undetected. This is to the detriment of the enterprise, as auditors have a knack for tracking them down. Obviously, it's better for an enterprise if broken business processes can be identified and remedied before third parties find them. Usually, when a business process is broken, data either is not where it should be or is present when it shouldn't be.

One example would be the Payment Card Industry Data Security Standard (PCI DSS), a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures, and specifies where and how credit card data must be handled by a merchant. At a simple level, the PCI DSS states that organizations are prohibited from keeping PIN or other personal information stored on a card's magnetic stripe. They can keep credit card numbers and expiration dates, but that information must be protected. However, it may have been a company's policy in the past to retain personal information to be used for future marketing or customer service initiatives. Therefore, the company's systems will have been set up to store information it now must find and delete. Sometimes, as with point of sale devices, personal information is kept without the company's knowledge or intention. Regardless, if prohibited information is there, it represents a violation of the PCI DSS and is, in essence, a broken business process.

Another example might affect the Human Resources function. Someone in one division of a company may want to hire someone from another division. He asks corporate HR for the employee's file. HR emails the pertinent information but doesn't encrypt the attachment. Along the way, it's intercepted (or maybe HR accidentally sent it to the wrong person), and the employee's personal information is now public. That, too, is a broken business process. Transferring sensitive information must be regulated by controls and processes designed to ensure security and protect the employee's privacy. When there is a breakdown in handling customer or employee data, serious consequences can result.

The Challenges of Fixing Broken Business Processes

There are many challenges in overcoming broken business processes and thereby mitigating the risk of being caught with unprotected or prohibited personal information. For one, in today's distributed enterprises, information lives in many different places. In fact, copies of a single file can exist in different databases, servers, and locations. If the original file contains information that must be destroyed per PCI DSS regulations, then every copy of that file also must be destroyed. So finding stored information is one challenge.

Another challenge is finding data that may be protected or allowed in storage on the network, but has been sent or stored illegally by employees; for example, a customer file that a user saves to his or her desktop, emails outside the company, or retains after changing job functions. These can be harder to discover because finding them requires broadening the search not just to network storage devices and databases, but to every employee's desktop computer, and it gets harder still when the search extends to laptops, PDAs, and other portable devices.

Finding the information is one challenge; identifying it as data that must be protected or destroyed is another. Not every document about employee John Smith is confidential, nor must everything that can be read from a magnetic stripe be destroyed. On the other hand, a memo or email that paraphrases or quotes sensitive information needs to be identified as such, even though it may not strictly be the file that was sought.

Finally, the information that has been found and classified must be acted upon appropriately. In the case of PCI DSS, that may mean deleting the file (and all its copies). Or it may mean storing the data in a secure archive, or quarantining it. Additionally, the company may have to provide documentation proving that it has protected the information. At the same time, this process is a good time to reiterate policies and compliance requirements to employees so they understand what a permissible use is and what is prohibited. In most cases, broken business processes are unintentional rather than malicious.

To sum up, there are three key tasks companies must undertake to prevent and police broken business processes:

- Define: Driven by internal policies or external regulations, companies must define what types of information are considered sensitive and in need of protection or destruction.
- Identify: Sensitive information resides in many different formats and is stored in multiple locations. Identifying all pertinent documents out of the total universe of information is no simple matter. To be effective, a solution must have accurate data identification that minimizes false negatives.
- Enforce: Finally, protecting sensitive information requires automated control and compliance enforcement to ensure it is not improperly accessed or inadvertently leaked. An effective enforcement solution should be able to auto-encrypt emails and attachments and prohibit users from inadvertently or maliciously copying sensitive files to removable media.

Vericept's Solution to Broken Business Processes

A pioneer in data loss prevention, Vericept offers a comprehensive solution that defines, identifies, and enforces policy on sensitive information in motion, at rest, and in use. This includes files on servers, databases, desktops, and email, including attachments. Vericept's unparalleled detection technologies automatically discover sensitive information based on a company's uniquely configured policies and regulations without disrupting business operations. After definition, the Vericept solution identifies the information and enforces policies relating to it against unauthorized distribution, even when it has been modified or reformatted, thereby enabling companies to mitigate compliance violations, whether malicious or inadvertent.

Vericept is widely recognized as having the most comprehensive content detection suite on the market, uniquely able to discover and analyze sensitive information in both structured and unstructured data. The Vericept solution is differentiated by the use of contextual linguistics to identify content according to pre-configured taxonomies. This allows information to be analyzed that may not fit specific keywords and ensures that not every file mentioning customer John Smith is destroyed. Vericept is the only solution on the market that combines data identification with the information classification necessary to accurately identify information that needs to be protected or deleted, providing the most accurate solution for finding and identifying sensitive information.

Vericept's solution uses rules not only to identify sensitive words and documents, but also to decide what to do when someone tries to locally save or transmit such files. In the case of email, Vericept can be configured to quarantine an email message containing sensitive information (either as an attachment or in the body of the email), block it, auto-encrypt it, or return it to the sender to request confirmation that he or she intended to transmit the sensitive document. The latter strategy is also effective in reminding innocent users of company policy and eliminating accidental violations. In the case of sensitive information located on a laptop or desktop, Vericept can be configured to block it from being copied to a USB drive or other removable media.

Easy to use, easy to own

Operationally, the Vericept solution centralizes policy management to ensure consistent application across all business units and locations, yet allows for delegated responsibility to empower business unit stakeholders to discover and protect sensitive information where they can best control it. They can then assign role-based permissions; for example, an engineer collaborating with an external partner on the development of a new product will have reason to transmit sensitive documents, and for the sake of efficiency should be allowed to do so with minimal intrusion while ensuring the sensitive information is protected. Deploying the solution is easily and quickly accomplished. Vericept's professional services team consults on the development of the rules and policies around which kinds of data should be protected, how to search for them, and what to do with them when they're found, and can also implement the component pieces in the most optimal way. From the strategic to the tactical, we work closely with customers to ensure high performance and low total cost of ownership.
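The define, identify and enforce tasks of the previous section, together with the per-channel actions just listed (quarantine, block or auto-encrypt email; block copies to removable media; delete or quarantine stored files), can be reduced to a small runnable sketch. The following is an added example written for this page, not Vericept's software: the two data classes, the Luhn and track-1 patterns, the benign-context word list, the policy table and the sample messages are all constructed assumptions, and the card numbers are public test numbers rather than real accounts.

```python
"""Define / identify / enforce as a runnable sketch.

Constructed example, not vendor code. Every pattern, policy entry and
sample message below is an assumption made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Define -------------------------------------------------------------
# Two classes of card data that matter under PCI DSS (assumed policy):
#   PAN   : a card number (13-19 digits, Luhn-valid). May be kept, but must be protected.
#   TRACK : full magnetic-stripe track-1 data (%B<PAN>^<NAME>^<YYMM>...?). Must never be kept.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
TRACK_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
# Words that, just before a number, usually mean it is not a card number. This is a
# crude stand-in for the contextual classification the text describes.
BENIGN_CONTEXT = ("invoice", "order", "tracking", "ticket", "serial")

# (channel, data class) -> action. Mirrors the options the text lists for stored
# files, email and removable media; the assignments are constructed, not a product default.
POLICY = {
    ("storage", "TRACK"): "delete",
    ("storage", "PAN"): "quarantine",
    ("email", "TRACK"): "block",
    ("email", "PAN"): "auto_encrypt",
    ("usb", "TRACK"): "block",
    ("usb", "PAN"): "block",
}


@dataclass(frozen=True)
class Finding:
    data_class: str
    offset: int
    masked: str  # only the last four digits survive into reports


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; filters most random digit runs out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


# --- Identify -----------------------------------------------------------
def identify(text: str) -> list[Finding]:
    findings: list[Finding] = []
    covered: list[tuple[int, int]] = []
    for m in TRACK_RE.finditer(text):
        covered.append(m.span())
        findings.append(Finding("TRACK", m.start(), mask(m.group(1))))
    for m in PAN_RE.finditer(text):
        if any(a <= m.start() < b for a, b in covered):
            continue  # the PAN inside track data was already reported as TRACK
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        context = text[max(0, m.start() - 30):m.start()].lower()
        if any(word in context for word in BENIGN_CONTEXT):
            continue  # looks like an invoice/order number, not a card
        findings.append(Finding("PAN", m.start(), mask(digits)))
    return findings


# --- Enforce ------------------------------------------------------------
def enforce(channel: str, findings: list[Finding]) -> str:
    """One action for the whole item; the most severe data class present decides."""
    if not findings:
        return "allow"
    worst = "TRACK" if any(f.data_class == "TRACK" for f in findings) else "PAN"
    return POLICY[(channel, worst)]


# Constructed sample content: (channel, text).
SAMPLES = {
    "pos_export": ("storage", "batch 0421 %B4111111111111111^SMITH/JOHN^25121011000000000000? approved"),
    "refund_email": ("email", "Customer card 5500 0000 0000 0004 exp 12/25, please process the refund."),
    "hr_memo": ("email", "Reminder: John Smith moves to the Denver office on Monday."),
    "billing_email": ("email", "Invoice 4111111111111111 is now 30 days overdue."),
    "usb_copy": ("usb", "customers_q2.csv: 378282246310005,Jane Doe,Denver"),
}


def run_all() -> dict[str, tuple[str, list[str]]]:
    """Return {sample name: (action, sorted data classes found)} for every sample."""
    out = {}
    for name, (channel, text) in SAMPLES.items():
        found = identify(text)
        out[name] = (enforce(channel, found), sorted({f.data_class for f in found}))
    return out


if __name__ == "__main__":
    for name, (action, classes) in run_all().items():
        print(f"{name:14} {action:13} {classes}")
```

The memo about John Smith passes untouched and the stripe data in the stored export is slated for deletion, while the same card number in an email is encrypted rather than blocked. The billing email shows the trade-off the Identify task warns about: suppressing numbers preceded by "invoice" removes a false positive here but would also hide a real card pasted after that word, so the context list, not the regex, is where detection accuracy is won or lost.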

Conclusion

There are any number of reasons and causes for broken business processes. Whether malicious or inadvertent, the risks and penalties for not protecting sensitive information or storing confidential information in violation of regulatory requirements are too severe to take any chances. You need to proactively and continuously search for the presence of sensitive information and monitor how it is being used and accessed. It is a complex and challenging project, one that requires not only an automated tool, but also a comprehensive solution that can:

- Define and identify sensitive information stored anywhere on desktops, laptops, and servers
- Enforce company policies and regulatory requirements by continuously monitoring improper presence or transmittal of sensitive information across all network protocols
- Prevent leakage with blocking, auto-encryption, and user self-compliance policies
- Analyze incidents with comprehensive reports, dashboards, and event highlighting

Vericept's proven technology is based on nine patent-pending technologies. With extensive experience in Financial Services, Retail, Healthcare, Energy, and Government, Vericept currently protects billions of pieces of communication each and every day. It can't prevent broken business processes, but it can mitigate the risks by finding and fixing incidents quickly and efficiently.

Why Vericept?

Vericept Corporation is the leading provider of comprehensive compliance and data loss prevention solutions. Vericept mitigates internal risk by providing enterprise-wide discovery, classification and prevention of the information exchanged inside and outside an organization. Vericept's patent-pending classification suite delivers the highest degree of accuracy and lowest instance of false positive events available in the marketplace. Only Vericept offers comprehensive solutions for data at rest, data in motion, and data in use at the endpoint, providing visibility and control of sensitive data across all forms of traffic, including email, webmail, IM, P2P, and FTP. Vericept's technology is deployed in over 750 organizations worldwide and protects billions of pieces of communication every day. Vericept is a privately held company with major operations in Waltham, MA and Denver, CO.

Vericept Contact Information

For additional product or sales information, please contact Vericept at:
Vericept Corporation
Reservoir Place, 1601 Trapelo Road, Suite 140, Waltham, MA 02451
555 Seventeenth Street, Suite 1500, Denver, CO 80202
800-262-0274 / 303-798-1568
info@vericept.com
Visit the company website at www.vericept.com.

© 2007 Vericept Corporation. All rights reserved. Vericept, Identity Match, Case Files, Intelligent Content Control Engine, Email Self-Compliance, Content Analysis Description Language and Category Designer are all trademarks and/or service marks of Vericept Corporation. All other trademarks and/or service marks are the property of their respective owners.