WHITE PAPER: Information Security Best Practices: Why Classification is Key. Published November 2011.


WHITE PAPER
Information Security Best Practices: Why Classification is Key
An Osterman Research White Paper
Published November 2011
Sponsored by TITUS

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman

Executive Summary

Is classification important? In a word, yes. Some believe, for example, that Wikileaks would not have gained access to US government documents if the appropriate classification technology had been deployed.

Email messages and their attachments, production reports, legal briefs, press releases, job applications, tax documents, memos and other content have varying degrees of sensitivity: some content is highly sensitive and should never be sent outside of an organization or stored on internal systems without being encrypted or access-controlled, while other content contains no sensitive or confidential information of any kind. Additionally, there are other files on the network, such as surveillance or tactical combat videos, CAD diagrams and sensitive pictures. All have a level of sensitivity that should be managed.

A classification system that permits users to tag this content based on its sensitivity or confidentiality can provide any organization with a number of important benefits:

- Users become more aware of corporate policies and regulatory obligations to protect data.
- Inadvertent leaks of sensitive data are reduced dramatically.
- Data loss prevention (DLP) systems can operate more effectively and efficiently.
- Archiving systems can retain content more accurately.

KEY TAKEAWAYS

- All organizations should deploy a content classification system to protect against inadvertent data leaks and to help users become more aware of the sensitivity of the content they create, send, read and otherwise process in the course of doing their work.
- Classification systems are easy to use, do not impose a burden on users' normal workflows, and complement an organization's existing (or to-be-deployed) DLP and archiving systems.

ABOUT THE SPONSOR OF THIS PAPER

This white paper was sponsored by TITUS, a leading provider of classification technology used across a wide range of industries. A brief overview of the company is included at the end of this document.

What is Classification?

The concept of classification in the context of security is quite simple: it is merely the tagging of messages and files based on the sensitivity of their content. An outgoing email, a file stored on a server or a document created using a desktop productivity application can be tagged with an appropriate label to ensure that the information contained within it is categorized and processed appropriately. Tags can be pre-established so that users simply select the appropriate option from a drop-down menu in an application or, in some cases, individual users can define tags. With the right technology, classification is a simple process that becomes part of users' normal content sending, receiving and filing workflow.

2011 Osterman Research, Inc. 1

The fundamental reason for tagging for security purposes is to ensure that sensitive data is not inadvertently leaked through email or a file transfer system, or that sensitive data is not stored without appropriate access controls in place. A classification system is not intended to be a replacement for a DLP system; in fact, a classification system actually makes DLP more effective and efficient by providing DLP systems with more information on which to base a routing, encryption or blocking decision. Conversely, DLP systems cannot be as efficient in the absence of classification simply because they lack important information about the content they scan.

Why is Classification Important?

There are a number of reasons that emails and files need to be classified based on the sensitivity of their content. For example, within and outside an organization there is information that is sensitive and access to which should be limited only to those with a specific need for it. This information might include personnel records, job applications, marketing plans, press releases, product announcements, discussions about trade secrets, discussions with auditors or legal counsel and other content for which access needs to be managed.

More importantly, there are a variety of regulatory obligations imposed on virtually all organizations to protect data. For example:

- Forty-six of the 50 US states, as well as the US Virgin Islands, Puerto Rico and the District of Columbia, now have laws on the books that require individuals to be notified if a data breach has occurred. Alberta also passed a similar provision in 2010 that was incorporated into its Personal Information Protection Act [i].
- The Gramm-Leach-Bliley Act requires that financial institutions protect information collected about individuals, including names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
- The Payment Card Industry Data Security Standard encompasses a set of requirements for protecting the security of consumers' and others' payment account information.
- The Health Insurance Portability and Accountability Act addresses the use and disclosure of an individual's health information. It defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities, and states that covered entities must establish and implement policies and procedures to protect PHI.
- US federal agencies have an obligation to manage Controlled Unclassified Information (CUI) in a more cohesive way as a result of Executive Order 13556. The goal of this order is to categorize information in accordance with federal guidelines to safeguard and appropriately manage unclassified information [ii].
- The Personal Information Protection and Electronic Documents Act is a Canadian privacy law that applies to all private companies operating in Canada. Like many other privacy laws, it requires that personal information be stored and transmitted securely.
- Two US states, Nevada and Massachusetts, have passed laws requiring that sensitive information about residents of the respective states be encrypted during transit. While classification does not encrypt content, it can classify content, either for individuals or DLP systems, to identify information that should be sent with encryption.
- ISO 27001 is an emerging Information Security Management System standard that requires the protection of information assets for risk avoidance. The system requires that organizations bring information security, including labeling and classification of emails and documents, under explicit management control.
- NERC is the organization responsible for the reliability and security of the bulk power system in North America. NERC standards define the reliability requirements for planning and operating the North American bulk power system. They have created a set of Critical Infrastructure Protection (CIP) standards that ensure the information and computer systems security for any entity that generates, distributes or transmits power across the grid. A key component of these standards is the information protection standard. This standard states that utility organizations must implement a program to identify, classify, and protect information.

"Classification of data is a key issue and content must be categorized based on business value. However, this was difficult with conventional classification technologies. We needed a solution that was easy to use to ensure that users would actually use it."
G4S Security Services

These are but a few of the many obligations that organizations have to protect content that they send or store. By minimizing the potential that data will be inadvertently leaked in violation of corporate policy or statute, organizations can dramatically reduce their risk exposure.

The Benefits of Classification

There are several benefits that any organization, regardless of size or industry, can realize through the use of a classification system:

Classification protects data and makes breaches much less likely
One of the primary benefits of classification is that it makes inadvertent data breaches much less likely simply because every email and file is clearly marked with a label based on the sensitivity of the content. While an intentional data breach can still occur when classification is used (such as a user copying sensitive or confidential information to a USB drive or sending this content to a personal Webmail account), accidental leaks become highly unlikely. Moreover, the combination of classification and DLP further improves protection against data leaks.

Users become more aware of content sensitivity
Because users are called upon to classify content, users become much more aware of the sensitivity of content they create, read, send and save. After classifying content for just a short while, users change their behavior simply because they are reminded on a regular basis to think about corporate data security policies and statutory obligations in the context of information that they process. This is particularly important when users are forwarding emails sent to them by others. For example, an email may contain sensitive information of which the user is unaware if they have not read all of the email threads on which they have been copied or if they don't fully read the attachments in an email. However, if the original and subsequent senders classify the content, it is much easier to determine just how sensitive the content is without scanning or reading all of it.

DLP effectiveness is improved
As noted earlier, DLP effectiveness can be improved dramatically by providing more information about content in an email or file. Moreover, DLP efficiency can be improved because deep content inspection is not required to nearly the same extent. For example, an email marked Confidential by a user does not need to be inspected by the DLP system because the email's status, and consequently the necessary disposition of the email by the DLP system, can be determined without any detailed inspection. This can dramatically improve the throughput of DLP systems because fewer CPU cycles are required to examine content. Moreover, an organization does not have to rely completely on a DLP system making the right call that something is confidential, thereby reducing the impact of false positives and false negatives.

Data retention is made easier
All organizations must retain their business records for long periods for reasons of regulatory or legal compliance, or simply because of corporate best practice. Classification makes data retention easier because there is more information available for a content archiving system and individual users to process when making decisions about the length of time that content should be retained.

Automated Encryption
Encryption solutions may be too complex for the average user. Classification of data can remove the complexity of encryption by prompting users to simply classify or categorize an email or document. These classification selections can then be configured to automatically trigger encryption or rights management protection based on the sensitivity of the data and the label applied, to ensure protection of an organization's valuable information.

In short, user classification of data raises users' awareness of content sensitivity, adds visual markings to content about its sensitivity level, adds persistent metadata, protects against data breaches through email, and adds content protection, such as encryption or information rights management capabilities.
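The label-driven DLP disposition and automatic encryption trigger described in the two sections above, shown as an added example that is not TITUS or Osterman Research code. It assumes a hypothetical "X-Classification" mail header carrying the user's label, a constructed label set and policy table, and two regular-expression checks standing in for a real DLP engine's deep inspection, which only runs when a message arrives unlabelled.

```python
"""Label-first DLP triage: labelled mail is dispositioned from its header alone;
only unlabelled mail pays for content inspection.  Added illustration, not vendor code."""
import re
from dataclasses import dataclass
from typing import Optional

LABEL_HEADER = "X-Classification"   # hypothetical header name (assumption)
INTERNAL_DOMAIN = "example.com"     # constructed organisation domain

# Constructed policy table: what the gateway does for each user-applied label.
# "encrypt" models the automatic encryption trigger; "internal" means the
# message may leave only if every recipient is inside the organisation.
POLICY = {
    "PUBLIC": "allow",
    "INTERNAL": "internal",
    "CONFIDENTIAL": "encrypt",
    "RESTRICTED": "block",
}

# Fallback content patterns, consulted only when no label is present.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so an arbitrary 16-digit run is not flagged as a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:             # every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def inspect(body: str) -> Optional[str]:
    """Deep-inspection stand-in: returns the reason for a hit, or None."""
    if SSN_RE.search(body):
        return "ssn pattern"
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "payment card number"
    return None


@dataclass
class Decision:
    action: str       # allow | encrypt | block
    reason: str       # what drove the decision
    inspected: bool   # whether deep inspection was needed at all


def disposition(headers: dict, body: str, recipients: list) -> Decision:
    """Decide what the gateway does with one outbound message."""
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)
    label = headers.get(LABEL_HEADER, "").strip().upper()
    if label in POLICY:
        # The user's label settles the disposition; no content scan is needed.
        action = POLICY[label]
        if action == "internal":
            action = "block" if external else "allow"
        elif action == "block" and not external:
            action = "allow"            # RESTRICTED may still move inside the organisation
        return Decision(action, f"label {label}", inspected=False)
    # Unlabelled: fall back to the DLP engine's own judgement.
    hit = inspect(body)
    if hit:
        return Decision("encrypt", f"unlabelled, inspection found {hit}", inspected=True)
    return Decision("allow", "unlabelled, inspection found nothing", inspected=True)


def triage(messages: list) -> tuple:
    """Run a batch through the gateway and report how many needed inspection."""
    decisions = [disposition(m["headers"], m["body"], m["to"]) for m in messages]
    return decisions, sum(d.inspected for d in decisions)


# Constructed sample traffic (the card number is a well-known test value).
SAMPLE = [
    {"headers": {"X-Classification": "Confidential"}, "body": "Q3 forecast attached.", "to": ["partner@other.example"]},
    {"headers": {"X-Classification": "Restricted"}, "body": "Merger term sheet", "to": ["cfo@example.com"]},
    {"headers": {"X-Classification": "Internal"}, "body": "Lunch menu", "to": ["all@example.com", "friend@mail.example"]},
    {"headers": {}, "body": "Card on file: 4111 1111 1111 1111", "to": ["billing@other.example"]},
    {"headers": {}, "body": "Ticket 1234 5678 9012 3456 is closed", "to": ["user@other.example"]},  # fails Luhn
]

if __name__ == "__main__":
    decisions, scanned = triage(SAMPLE)
    for d in decisions:
        print(f"{d.action:8} {'scanned' if d.inspected else 'label':8} {d.reason}")
    print(f"{scanned} of {len(SAMPLE)} messages needed deep inspection")
```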

Five Myths About Classification

There are five myths about classification that are important to address because they can inaccurately impact decision makers' perceptions about the decision to implement classification technology:

1. We can't trust users to classify things properly
Organizations pay their information workers to create, read, process, send and otherwise manage emails, word processing documents, spreadsheets, presentations and various other types of content. An individual who can compose or read an email or file is certainly capable of classifying the sensitivity of the content contained within it. In fact, the individual who composes a particular piece of content is normally the one most knowledgeable about its sensitivity and, therefore, the best person to classify it.

2. Employees won't want to classify content
That may be true to an extent, but there are two things to consider here. First, email classification is incredibly simple, requiring nothing more than selecting an option from a drop-down list in an email client or a desktop productivity application. Second, users will benefit from classification because it will help them to avoid embarrassing mistakes and avoid leaking information that should be protected. Granted, there may be some initial resistance to the use of classification technology on the part of some users, but this opposition will be minimal and short-lived in almost every instance.

3. Classification is time-consuming and difficult
This is simply not the case. While classification may require a couple of seconds per email sent or document created, it is not time-consuming and it definitely is not difficult.

4. Our DLP system is all we need to protect data
As noted earlier, a classification system is complementary to a DLP system, not a substitute for it. In fact, Osterman Research recommends that organizations deploy both because of the synergies that are created when both technologies are used in tandem.

5. We just don't need to classify content
Is there an organization that doesn't create business records, send confidential information via email, or at least occasionally receive sensitive content? In short, every organization sends, receives, creates and processes information that runs the gamut from general business content to sensitive information that must be protected from inadvertent data breaches and other unauthorized access.

Summary

Classification technology provides a number of important benefits to any organization, regardless of its size or the industry it serves. These benefits include sensitizing users to corporate data security policies and regulatory obligations to protect data, improving the ability to scan content using DLP systems, and improving the effectiveness of content archiving systems. Most importantly, classification makes inadvertent data breaches much less likely, thereby mitigating corporate risk.

About TITUS

TITUS is the leading provider of security and compliance software that helps organizations share information securely while meeting policy and compliance requirements. Their solutions enable military, government, and large enterprises to raise awareness and meet regulatory compliance by visually alerting end users to the sensitivity of information. Products include TITUS Classification, the leading message, document and file classification and labeling solutions; TITUS Aware, products that enhance Data Loss Prevention by detecting sensitive information at the desktop; and the TITUS family of classification and security solutions for Microsoft SharePoint. TITUS solutions are deployed to over 1.5 million users within our over 300 military, government and enterprise customers worldwide.

"We liked the TITUS solution because we found it simpler than competing solutions, it did not require any servers, and it was simple to install and configure."
UniCredit Tiriac Bank

2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

[i] http://servicealberta.ca/pipa/
[ii] http://www.archives.gov/cui/documents/2011-cuio-notice-2011-01-initial-guidance.pdf