Industry View
It's the Information, Stupid
Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.
By Jason Stradley, BT Senior Security Consultant
There are many egress vectors for information and data leakage. While certainly not a complete list some examples of these egress vectors include personal e-mail, P2P, unauthorized encrypted transmissions, malware infections in endpoint devices, unauthorized PDAs, smart phones and MP3 players, social engineering both electronic and non-electronic, faxing to personal e-mail, unauthorized media (CD/DVD, USB Drive, Memory Stick, etc., and traditional postal and overnight services.
In any given organization there are no doubt additional egress vectors for information and data leakage that may be specific to the type of business being conducted. The important thing is to understand what these outward vectors are such that appropriate controls can be defined and instituted to provide the required level of security to the majority of the information in the environment. The previous statement was crafted using the word "majority" for a good reason. That reason is that like any other set of security controls nothing should be considered fool-proof. While it is essential that an organization takes every reasonable precaution to protect its restricted data, it is impossible to ensure that all data is secure all of the time, especially if you are in a business that by its very nature is a target for information leakage.
How to protect against data leaks
Now that we have briefly visited the "How" that describes some of the more common information and data leakage sources, we move to the second part of "How." This second part of "How" will be an attempt to describe how to institute a set of controls that will provide the optimal level of protection for an organization.
The best chance of accomplishing this will be to remember that it is vital to not depend on any one type of solution or process. There are a variety of tools and techniques, both technical and non-technical to assist the security professional achieve the appropriate and reasonable level of security for the various types of information and data that typically exist in an enterprise.
The defense-in-depth concept is alive and well when it comes to protecting against information and data leakage. The only difference here is that when applied to infrastructure we tend to start at the outside and work our way to the inside. Assuming that we have done a reasonably good job of securing that infrastructure, for the purposes of data leakage we need to shift our thinking a bit and look to work from the inside to the outside.
information security
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
