Corporate Policies In Securing An Organization
Taking into account that more and more information is in electronic format, as professionals in the business sector and, specifically, in Information Security, our fundamental mission is to protect it. As we have heard or read on many occasions, the loss of sensitive information can occur accidentally or maliciously, but in any case it can, and often does, lead to economic and reputational damage, affecting the company and its associated brand. It really is simpler than it seems to lose sensitive information or leave it exposed to different risks and threats. Who, for example, has not sent an email to the wrong recipient? It is not very bold to say that this is a common situation for anyone who uses email intensively, even if the information sent is of little relevance.
But what would happen if the information sent in that email was confidential to the company? What if transmitting that information without its owner's consent broke a law? Well, we would probably have a serious problem, either because such confidential information could fall into the hands of our competitors or into those of cybercriminals. Obviously, the problem worsens depending on the type of information we handle, but in any case we must keep in mind that we are human and, as such, we sometimes make mistakes. On the other hand, news of intentional information leaks, industrial espionage cases or leaks by disgruntled employees who take this sensitive information with them is increasingly common.
With a simple look at the daily reality of our work, and focusing on information technologies, we can see that we have more and more channels to manage and transfer information. Some very recent examples are social networks and mobile devices. The protection and monitoring of these channels and of the information circulating through them is one of the great challenges that IT Security professionals face. For this, it is very important to be clear about the different states of information depending on its location:
- Information at rest: Data residing in file systems, databases and any other traditional storage medium, usually housed in the company's data centers.
- Information in transit: Data that moves outside the company through public networks, usually the Internet.
- Information at the endpoint: Data stored on users' devices or on portable storage media (for example: USB drives, CDs or DVDs, external hard drives, MP3 players, laptops or smartphones).
To try to avoid the loss of sensitive information, we must identify what information is really vital to the company before we can adequately protect it. Obviously, this task is not simple and requires a detailed study in each case, but there is always an initial basis on which to start working, such as regulatory compliance or the protection of intellectual property. As soon as we talk about information protection, we must keep in mind Data Loss Prevention (DLP) and Enterprise Digital Rights Management (EDRM) or Information Rights Management (IRM) technologies. Although the objective of both technologies is to protect information, they differ quite a bit in how they do it. DLP technologies are intended to prevent information leaks by controlling the repositories and means of transmission within the company, while EDRM or IRM focus on controlling access to and use of the files to be protected, regardless of where they are located.
Focusing on DLP technologies, and as the name suggests, their main challenge should be to facilitate the work of preventing and detecting information leaks. To do this, they must be able to identify, protect and supervise the actions carried out on sensitive or confidential information. These capabilities must cover the different states of information (at rest, in transit or at the endpoint).
Regarding EDRM or IRM, their main mission is the protection of digital rights, both from users external to the organization and from internal ones, regardless of where the information is located. Since the location of the information does not matter, they must have authentication mechanisms that are sufficiently robust and interoperable with the rest of the organization's solutions. The use of these technologies should help us protect data privacy, intellectual property and regulatory compliance, allowing us at all times to warn about access to protected information and, if necessary, to block the actions taken if they violate the company's security policy or digital rights.
Given that both technologies have strengths and weaknesses, and that from a business perspective the protection of sensitive information must have a global focus, everything indicates that they are technologies destined to work together and complement each other.
As almost always in the world of Information Security, the solution to the problems raised cannot be based on a single tool or technology, but on a series of policies, procedures and good practices that, relying on different technologies, allow us to improve the level of protection of our sensitive information, without forgetting that all this management also depends on the human link. Once again, we come to the conclusion that Information Security is a process in which we must combine different security measures to achieve our goal. Despite the benefits of DLP and EDRM or IRM technologies, they cannot fulfill their purpose if we do not take into account other fundamental aspects:
- Have an Information Security policy.
- Have an identification system for the specific information that must be protected, including periodic reviews that keep it as up to date as possible.
- Maintain procedures for the protection and control of protected information, so that it is only accessible to those who need to know it, transferring to them the duty to protect it. This duty may, in some circumstances, be imposed by law, but in any case it must be established in the company as part of the confidentiality agreement with the employee.
- An alert and warning system that warns about the sensitivity of the information and the requirements established for its handling. Usually this is one of the functionalities of the DLP, but in any case it is important that users know that they are accessing sensitive information and how they must act while handling it.
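The DLP capabilities described above (identify sensitive content, decide per information state, and warn or block the user) can be sketched as a small policy engine. The following is an added example written for this article, not code from any DLP product; the detectors (a Luhn-validated payment-card pattern and a classification marker), the policy table and the sample events are all constructed assumptions for illustration.

```python
"""Toy DLP policy engine: classify content, then decide per information state."""
import re
from dataclasses import dataclass

# The three information states the article distinguishes
AT_REST, IN_TRANSIT, ENDPOINT = "at_rest", "in_transit", "endpoint"

# Constructed detectors: a 13-16 digit payment-card candidate (digits may be
# separated by spaces or dashes) and an explicit classification marker.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(number: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Identify: return the sensitivity labels found in a piece of content."""
    labels = set()
    if any(luhn_valid(m.group()) for m in CARD_CANDIDATE_RE.finditer(text)):
        labels.add("PCI")
    if MARKER_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


# Constructed policy: action per (information state, label). Anything not
# listed is allowed. Severity ordering lets several labels combine safely.
POLICY = {
    (IN_TRANSIT, "PCI"): "block",          # never leaves over a public network
    (IN_TRANSIT, "CONFIDENTIAL"): "block",
    (ENDPOINT, "PCI"): "block",            # no copies to USB / removable media
    (ENDPOINT, "CONFIDENTIAL"): "warn",    # remind the user of handling rules
    (AT_REST, "PCI"): "warn",              # flag the repository for remediation
    (AT_REST, "CONFIDENTIAL"): "allow",
}
SEVERITY = {"allow": 0, "warn": 1, "block": 2}


@dataclass
class Decision:
    action: str        # allow | warn | block
    labels: set[str]
    notice: str        # the user-facing alert the article's last point asks for


def evaluate(state: str, text: str) -> Decision:
    """Protect and supervise: pick the most severe policy action for the content."""
    labels = classify(text)
    action = "allow"
    for label in labels:
        candidate = POLICY.get((state, label), "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    tags = ", ".join(sorted(labels))
    if not labels:
        notice = "no sensitive content detected"
    elif action == "block":
        notice = f"BLOCKED: {tags} content may not be handled in state '{state}'"
    elif action == "warn":
        notice = f"WARNING: you are handling {tags} content; follow its handling policy"
    else:
        notice = f"{tags} content is permitted in state '{state}'"
    return Decision(action, labels, notice)


# Constructed sample events, one per information state (not real data).
SAMPLE_EVENTS = [
    (IN_TRANSIT, "Hi, the card on file is 4111 1111 1111 1111, thanks"),
    (ENDPOINT, "Project budget - CONFIDENTIAL - do not distribute"),
    (AT_REST, "Order ref 1234 5678 9012 3456 shipped Monday"),  # fails Luhn
]


def run_samples() -> list[str]:
    """Return the action taken for each sample event, in order."""
    return [evaluate(state, text).action for state, text in SAMPLE_EVENTS]


if __name__ == "__main__":
    for state, text in SAMPLE_EVENTS:
        d = evaluate(state, text)
        print(f"[{state:10}] {d.action:5} {d.notice}")
```

The third sample shows why a checksum matters: the digit run resembles a card number but fails Luhn, so the file is left alone instead of producing a false alert. In a real deployment the policy table would be derived from the information-classification inventory the second bullet above calls for, and each decision would also be written to an audit log so that access to protected information can be supervised.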
Therefore, and since it is not advisable to put the cart before the horse, what we really have to do is manage the security of our information correctly. To do this, we must rely on existing standards and good practices, such as ISO 27001 and 27002, and, of course, on the different technological solutions that help us meet our final objective, which is to protect sensitive information in any format, avoiding its misuse or loss, whether accidental or intentional.