Home » Data Protection » Application Security

Industry View

It's the Information, Stupid

Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.

By Jason Stradley, BT Senior Security Consultant

Page 9

To achieve a reasonable level of information and data protection requires that the following are in place within an organization:

A work force that understands the importance of the various types of information and data in the enterprise;
Consequences for the individual and the organization for the misuse of this information;
Understanding all of the information egress vectors that exist in a given enterprise;
Developing the proper controls to address the information egress vectors that have been identified; and
Implementing the proper technology solutions to monitor and enforce those controls over time.

The basic elements of a data leakage prevention program consist of:

A data classification policy
A user training and awareness program
Inclusion of security in general and data leakage/protection of critical information in employee policy acknowledgements and as individual performance objectives
A mature identity infrastructure
A Digital Rights Management (DRM) Solution
A Data Leakage Prevention (DLP) Solution
Encryption on targeted devices based on risk
A mature incident response capability

Many organizations have at least some of these elements in place and at some level of functionality already. Based on an organization's risk tolerance, consideration should be given to adding those elements not already in place to any long term security strategy.

Jason Stradley is a senior security consultant for BT, providing executive-level strategic security and business consulting to Fortune 500 clients. He can be reached at jason.stradley@bt.com or by phone at (630) 525-1834.