Industry View
It's the Information, Stupid
Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.
By Jason Stradley, BT Senior Security Consultant
For those of you with technical backgrounds think of applying an access list on a device in a network or deploying an intrusion sensor. Ideally you want to deploy either as close to the source of what you are trying to monitor and protect as possible. The data is on the inside, therefore we should start at the inside and work our way outward. This concept is extremely important as we start to consider technology solutions to help us better manage the information and data leakage issue.
From an organizational perspective, there is one weapon that every security practitioner has at their disposal that in many instances is not optimally leveraged. This weapon is ultimately the first and last line of defense in the protection of corporate information and data, as well as being the most variable in its ability to perform. The weapon that I refer to is the people in an organization. The people in an organization are closest to the critical data, so when it comes to data leakage they can be security's best friend or its worst enemy.
It is vitally important that information and data leakage and its potential impact to both the individual and the organization are covered fully in any new hire orientation session. It is also important to mention the protection of corporate information in any type of annual policy review acknowledgement that may exist. If neither of these vital parts of any training and awareness program currently exists, the data leakage issue may serve as a good leverage point to have them instituted in an organization.
The second important facet of people's involvement in combating information and data leakage in an organization is to have a mature and effective incident response capability. This is a very important aspect of any security program and equally important to any information and data leakage program. Incident response capability is the absolute last line of defense in this effort to protect information and data. Security practitioners should not operate under any illusions and should set expectations with senior management that no matter how well thought out a security program is, eventually there will be an incident of some type. The maturity of the incident response capability within a security program will make the difference between a complete disaster and a bad situation that can be overcome over the long haul.
If employees and associates can be trained and incented to understand the importance of this issue and how it can affect them, it will go a long way toward reducing the overall risk of leaking information and data from the enterprise.
information security
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
