WHITE PAPER

Information Security Best Practices: Why Classification is Key

An Osterman Research White Paper
Published November 2011
Sponsored by TITUS

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman
Executive Summary

Is classification important? In a word, yes. Some believe, for example, that Wikileaks would not have gained access to US government documents if the appropriate classification technology had been deployed.

Email messages and their attachments, production reports, legal briefs, press releases, job applications, tax documents, memos and other content have varying degrees of sensitivity: some content is highly sensitive and should never be sent outside of an organization or stored on internal systems without being encrypted or access-controlled, while other content contains no sensitive or confidential information of any kind. Additionally, there are other files on the network, such as surveillance or tactical combat videos, CAD diagrams and sensitive pictures. All have a level of sensitivity that should be managed.

A classification system that permits users to tag this content based on its sensitivity or confidentiality can provide any organization with a number of important benefits:

- Users become more aware of corporate policies and regulatory obligations to protect data.
- Inadvertent leaks of sensitive data are reduced dramatically.
- Data loss prevention (DLP) systems can operate more effectively and efficiently.
- Archiving systems can retain content more accurately.

KEY TAKEAWAYS

All organizations should deploy a content classification system to protect against inadvertent data leaks and to help users become more aware of the sensitivity of the content they create, send, read and otherwise process in the course of doing their work. Classification systems are easy to use, do not impose a burden on users' normal workflows, and complement an organization's existing (or to-be-deployed) DLP and archiving systems.
ABOUT THE SPONSOR OF THIS PAPER

This white paper was sponsored by TITUS, a leading provider of classification technology used across a wide range of industries. A brief overview of the company is included at the end of this document.

What is Classification?

The concept of classification in the context of security is quite simple: it is merely the tagging of messages and files based on the sensitivity of their content. An outgoing email, a file stored on a server or a document created using a desktop productivity application can be tagged with an appropriate label to ensure that the information contained within it is categorized and processed appropriately. Tags can be pre-established so that users simply select the appropriate option from a drop-down menu in an application or, in some cases, individual users can define tags. With the right technology, classification is a simple process that becomes part of users' normal content sending, receiving and filing workflow.

2011 Osterman Research, Inc. 1
The fundamental reason for tagging for security purposes is to ensure that sensitive data is not inadvertently leaked through email or a file transfer system, and that sensitive data is not stored without appropriate access controls in place. A classification system is not intended to be a replacement for a DLP system; in fact, a classification system actually makes DLP more effective and efficient by providing DLP systems with more information on which to base a routing, encryption or blocking decision. Conversely, DLP systems cannot be as efficient in the absence of classification simply because they lack important information about the content they scan.

Why is Classification Important?

There are a number of reasons that emails and files need to be classified based on the sensitivity of their content. For example, within and outside an organization there is information that is sensitive and access to which should be limited only to those with a specific need for it. This information might include personnel records, job applications, marketing plans, press releases, product announcements, discussions about trade secrets, discussions with auditors or legal counsel and other content for which access needs to be managed.

More importantly, there are a variety of regulatory obligations imposed on virtually all organizations to protect data. For example:

- Forty-six of the 50 US states, as well as the US Virgin Islands, Puerto Rico and the District of Columbia, now have laws on the books that require individuals to be notified if a data breach has occurred. Alberta also passed a similar provision in 2010 that was incorporated into its Personal Information Protection Act [i].
- The Gramm-Leach-Bliley Act requires that financial institutions protect information collected about individuals, including names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
- The Payment Card Industry Data Security Standard encompasses a set of requirements for protecting the security of consumers' and others' payment account information.
- The Health Insurance Portability and Accountability Act addresses the use and disclosure of an individual's health information. It defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities, and states that covered entities must establish and implement policies and procedures to protect PHI.
- US federal agencies have an obligation to manage Controlled Unclassified Information (CUI) in a more cohesive way as a result of Executive Order 13556. The goal of this order is to categorize information in accordance with federal guidelines to safeguard and appropriately manage unclassified information [ii].

"DLP solutions are not as effective without the additional information provided by a classification system. Classification gives DLP systems more information with which to manage content."
- The Personal Information Protection and Electronic Documents Act is a Canadian privacy law that applies to all private companies operating in Canada. Like many other privacy laws, it requires that personal information be stored and transmitted securely.
- Two US states, Nevada and Massachusetts, have passed laws requiring that sensitive information about residents of the respective states be encrypted during transit. While classification does not encrypt content, it can classify content, either for individuals or DLP systems, to identify information that should be sent with encryption.
- ISO 27001 is an emerging Information Security Management System standard that requires the protection of information assets for risk avoidance. The standard requires that organizations bring information security, including labeling and classification of emails and documents, under explicit management control.
- NERC is the organization responsible for the reliability and security of the bulk power system in North America. NERC standards define the reliability requirements for planning and operating the North American bulk power system. NERC has created a set of Critical Infrastructure Protection (CIP) standards that ensure the information and computer systems security of any entity that generates, distributes or transmits power across the grid. A key component of these standards is the information protection standard, which states that utility organizations must implement a program to identify, classify, and protect information.

These are but a few of the many obligations that organizations have to protect content that they send or store.

"Classification of data is a key issue and content must be categorized based on business value. However, this was difficult with conventional classification technologies. We needed a solution that was easy to use to ensure that users would actually use it."
(G4S Security Services)
By minimizing the potential that data will be inadvertently leaked in violation of corporate policy or statute, organizations can dramatically reduce their risk exposure.

The Benefits of Classification

There are several benefits that any organization, regardless of size or industry, can realize through the use of a classification system:

Classification protects data and makes breaches much less likely

One of the primary benefits of classification is that it makes inadvertent data breaches much less likely simply because every email and file is clearly marked with a label based on the sensitivity of the content. While an intentional data breach can still occur when classification is used (such as a user copying sensitive or confidential information to a USB drive or sending this content to a personal Webmail account), accidental leaks become highly unlikely. Moreover, the combination of classification and DLP further improves protection against data leaks.

Users become more aware of content sensitivity

Because users are called upon to classify content, users become much more aware of the sensitivity of content they create, read, send and save. After classifying content for just a short while, users change their behavior simply because they are reminded on a regular basis to think about corporate data security policies and statutory obligations in the context of information that they process. This is particularly important when users are forwarding emails sent to them by others. For example, an email may contain sensitive information of which the user is unaware if they have not read all of the email threads on which they have been copied or if they don't fully read the attachments in an email. However, if the original and subsequent senders classify the content, it is much easier to determine just how sensitive the content is without scanning or reading all of it.

DLP effectiveness is improved

As noted earlier, DLP effectiveness can be improved dramatically by providing more information about content in an email or file. Moreover, DLP efficiency can be improved because deep content inspection is not required to nearly the same extent. For example, an email marked "Confidential" by a user does not need to be inspected by the DLP system because the email's status and, consequently, the necessary disposition of the email by the DLP system can be determined without any detailed inspection. This can dramatically improve the throughput of DLP systems because fewer CPU cycles are required to examine content. Moreover, an organization does not have to rely completely on a DLP system making the right call that something is confidential, thereby reducing the impact of false positives and false negatives.
Data retention is made easier

All organizations must retain their business records for long periods for reasons of regulatory or legal compliance, or simply because of corporate best practice. Classification makes data retention easier because there is more information available for a content archiving system and individual users to process when making decisions about the length of time that content should be retained.

Automated Encryption

Encryption solutions may be too complex for the average user. Classification of data can remove the complexity of encryption by prompting users to simply classify or categorize an email or document. These classification selections can then be configured to automatically trigger encryption or rights management protection based on the sensitivity of the data and the label applied, to ensure protection of an organization's valuable information.

In short, user classification of data raises users' awareness of content sensitivity, adds visual markings to content about its sensitivity level, adds persistent metadata, protects against data breaches through email, and adds content protection, such as encryption or information rights management capabilities.
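The label-driven disposition described under "DLP effectiveness is improved" and "Automated Encryption" (a trusted label settles the outcome without deep inspection, "Confidential" triggers encryption, and unlabeled content falls back to content scanning), as an added illustrative mail-gateway check. This is example code, not TITUS or Osterman Research software; the X-Classification header name, the label set, the policy table, the sample domain and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed policy mapping a label to a disposition (an assumption, not a vendor schema).
POLICY = {"Public": "allow", "Internal": "allow",
          "Confidential": "encrypt", "Restricted": "block_external"}
LABEL_HEADER = "X-Classification"   # assumed name of the persistent metadata header
INTERNAL_DOMAIN = "example.com"     # constructed sample domain

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate payment card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US Social Security numbers

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects number-like strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect_body(body: str) -> bool:
    """Deep content inspection; only needed when no usable label is present."""
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return SSN_RE.search(body) is not None

def has_external_recipient(msg) -> bool:
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(not a.lower().endswith("@" + INTERNAL_DOMAIN) for _, a in addrs)

def decide(raw: str) -> tuple:
    """Return (action, basis). basis is 'label' when the classification alone
    settled the outcome, or 'inspection' when the gateway had to scan the body."""
    msg = message_from_string(raw)
    action = POLICY.get((msg.get(LABEL_HEADER) or "").strip())
    if action == "block_external":
        return ("block" if has_external_recipient(msg) else "allow", "label")
    if action is not None:
        return (action, "label")
    # Unlabeled or unrecognised label: fall back to scanning the content itself.
    if inspect_body(str(msg.get_payload())):
        return ("quarantine", "inspection")
    return ("allow", "inspection")

# Constructed sample messages (not real traffic).
LABELED = "From: a@example.com\nTo: b@partner.example\nX-Classification: Confidential\n\nQ3 forecast attached.\n"
UNLABELED_CARD = "From: a@example.com\nTo: b@partner.example\n\nPlease bill card 4111 1111 1111 1111 for the order.\n"
```

The second return value makes the efficiency argument measurable: counting how often a gateway answers with "label" rather than "inspection" shows how much deep scanning the labels removed.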
Five Myths About Classification

There are five myths about classification that are important to address because they can inaccurately impact decision makers' perceptions about the decision to implement classification technology:

1. "We can't trust users to classify things properly"

Organizations pay their information workers to create, read, process, send and otherwise manage emails, word processing documents, spreadsheets, presentations and various other types of content. An individual who can compose or read an email or file is certainly capable of classifying the sensitivity of the content contained within it. In fact, the individual who composes a particular piece of content is normally the one most knowledgeable about its sensitivity and, therefore, the best person to classify it.

2. "Employees won't want to classify content"

That may be true to an extent, but there are two things to consider here. First, email classification is incredibly simple, requiring nothing more than selecting an option from a drop-down list in an email client or a desktop productivity application. Second, users will benefit from classification because it will help them to avoid embarrassing mistakes and avoid leaking information that should be protected. Granted, there may be some initial resistance to the use of classification technology on the part of some users, but this opposition will be minimal and short-lived in almost every instance.

3. "Classification is time-consuming and difficult"

This is simply not the case. While classification may require a couple of seconds per email sent or document created, it is not time-consuming and it definitely is not difficult.

4. "Our DLP system is all we need to protect data"

As noted earlier, a classification system is complementary to a DLP system, not a substitute for it. In fact, Osterman Research recommends that organizations deploy both because of the synergies that are created when both technologies are used in tandem.

5. "We just don't need to classify content"

Is there an organization that doesn't create business records, send confidential information via email, or at least occasionally receive sensitive content? In short, every organization sends, receives, creates and processes information that runs the gamut from general business content to sensitive information that must be protected from inadvertent data breaches and other unauthorized access.

Summary

Classification technology provides a number of important benefits to any organization, regardless of its size or the industry it serves. These benefits include sensitizing users to corporate data security policies and regulatory obligations to protect data, improving the ability to scan content using DLP systems, and improving the effectiveness of content archiving systems. Most importantly, classification makes inadvertent data breaches much less likely, thereby mitigating corporate risk.
About TITUS

TITUS is the leading provider of security and compliance software that helps organizations share information securely while meeting policy and compliance requirements. Their solutions enable military, government, and large enterprises to raise awareness and meet regulatory compliance by visually alerting end users to the sensitivity of information. Products include TITUS Classification, the leading message, document and file classification and labeling solutions; TITUS Aware, products that enhance Data Loss Prevention by detecting sensitive information at the desktop; and the TITUS family of classification and security solutions for Microsoft SharePoint. TITUS solutions are deployed to over 1.5 million users within our over 300 military, government and enterprise customers worldwide.

"We liked the TITUS solution because we found it simpler than competing solutions, it did not require any servers, and it was simple to install and configure."
(UniCredit Tiriac Bank)

2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

[i] http://servicealberta.ca/pipa/
[ii] http://www.archives.gov/cui/documents/2011-cuio-notice-2011-01-initial-guidance.pdf