Rolling Meadows, IL, USA (22 September 2010)—The increasingly blurred line between personal and business use of devices such as smart phones and netbooks is creating an environment ripe for potentially devastating corporate data leaks, according to ISACA, a nonprofit association of 95,000 IT professionals.
“While most enterprises employ safeguards to control sensitive information, these controls are often inconsistent or managed with an inadequate level of diligence and effectiveness,” said Tony Noble, an author of the new ISACA white paper Data Leak Prevention. “On any given business day, data can travel in many forms—e-mail messages, word processing documents, spreadsheets, databases, flat files and instant messaging are a few examples. The result is that, despite their efforts, enterprises around the globe leak significant amounts of sensitive information, which creates major financial and compliance risks.”
In Data Leak Prevention, available as a free download at www.isaca.org/dlp, ISACA offers the following tips to minimize this business problem:
- Create policies first. Prior to selecting and implementing DLP technology, create appropriate policies to govern its use. Business and IT staff should be involved in the initial policy development. The policy should take a risk-based approach, and organizations should conduct training for employees on any significant changes to business processes or procedures.
- Involve stakeholders beyond IT. Implementing a DLP solution is a complex undertaking that requires many preparatory activities, including policy development, business process analysis, and detailed inventories and analyses of the types of information used by the enterprise. These activities require participation from a broad base of stakeholders from IT and the business.
- Be aware of DLP technology limitations. While DLP solutions can help enterprises gain greater insight into and control of sensitive data, they have limitations that are important to understand. For example, DLP solutions can only inspect encrypted information that they can first decrypt: if users have access to personal encryption packages whose keys are not managed by the enterprise and provided to the DLP solution, the files cannot be analyzed. DLP solutions also cannot intelligently interpret graphics files, so sensitive data that has been captured in a screenshot or scanned image is not analyzed. Additionally, with the surge in mobile device use, there are invariably communications channels that DLP solutions cannot easily monitor and control. Finally, DLP technology is not yet sufficiently developed to deter more sophisticated methods of data theft, according to the ISACA white paper.
“Understanding the limitations of current DLP solutions is the first step in the development of strategies and policies that will help compensate for them,” said Noble.
Following the guidance in the ISACA white paper also helps enterprises minimize the risks that arise in implementing a DLP program, including:
- Improperly tuned network DLP modules
- Improperly sized network DLP modules
- Excessive reporting and false positives
- Conflicts with software or system performance
- Changes in processes or IT infrastructure that render DLP controls ineffective
- Improperly placed network DLP modules
- Undetected failure of DLP modules
- Improperly configured or incomplete directory services
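The following is an added illustration, not code from the ISACA white paper, of two points above: the limitation that a DLP module can only inspect what it can decrypt or parse, and the tuning that separates a real match from the false positives listed among the implementation risks. Everything in it is assumed for the example: the Artifact envelope, the enterprise key-escrow table, the HMAC-based stand-in cipher (used only so the code runs on the standard library), the SSN plausibility rule and the constructed sample documents.

```python
"""Minimal DLP content-inspection module (illustrative; not ISACA's code).
The Artifact envelope, key-escrow table, SSN rule and stand-in cipher are
all assumptions made for this example."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in counter-mode cipher built from HMAC-SHA256 so the example
    runs with the standard library only; a real product would use an
    authenticated cipher such as AES-GCM. XOR makes it self-inverse."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Artifact:
    name: str
    content: bytes
    key_id: Optional[str] = None   # set when content is encrypted
    nonce: Optional[bytes] = None


def encrypt_artifact(name: str, plaintext: bytes, key_id: str, key: bytes) -> Artifact:
    nonce = hashlib.sha256(name.encode()).digest()[:16]  # fixed per name so the demo repeats
    return Artifact(name, _xor_keystream(key, nonce, plaintext), key_id, nonce)


# Naive rule: any ddd-dd-dddd. Tuned rule: also reject values the SSA never
# issues (area 000, 666 or 900-999; group 00; serial 0000), which removes the
# most common false positives coming from test fixtures and sample documents.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_ssns(text: str, tuned: bool = True) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text)
            if not tuned or plausible_ssn(*m.groups())]


IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")


@dataclass
class Verdict:
    status: str      # "CLEAN", "SENSITIVE" or "UNINSPECTABLE"
    reason: str
    matches: list


def inspect(art: Artifact, enterprise_keys: dict, tuned: bool = True) -> Verdict:
    data = art.content
    if art.key_id is not None:
        key = enterprise_keys.get(art.key_id)
        if key is None:
            # Encrypted under a key the enterprise does not hold: the module
            # cannot look inside, so policy (block, quarantine, alert) must decide.
            return Verdict("UNINSPECTABLE", f"encrypted with unmanaged key {art.key_id}", [])
        data = _xor_keystream(key, art.nonce, data)
    if data.startswith(IMAGE_MAGIC):
        return Verdict("UNINSPECTABLE", "graphics content; this module has no OCR", [])
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return Verdict("UNINSPECTABLE", "binary content with no registered parser", [])
    hits = find_ssns(text, tuned)
    if hits:
        return Verdict("SENSITIVE", f"{len(hits)} SSN-like value(s)", hits)
    return Verdict("CLEAN", "no policy match", [])


# Constructed sample data; the person and SSN are fictitious and the keys are
# fixed so that repeated runs give the same result.
ENTERPRISE_KEYS = {"corp-escrow-1": hashlib.sha256(b"demo enterprise key").digest()}
PERSONAL_KEY = hashlib.sha256(b"demo personal key").digest()
PAYROLL = b"Jane Q. Public, SSN 219-09-9999, start date 2010-09-22\n"
TEST_FIXTURE = b"placeholder SSN 000-00-0000 and 999-99-9999 in a unit test\n"


def demo() -> dict:
    arts = [
        Artifact("payroll.txt", PAYROLL),
        encrypt_artifact("payroll.corp.enc", PAYROLL, "corp-escrow-1", ENTERPRISE_KEYS["corp-escrow-1"]),
        encrypt_artifact("payroll.personal.enc", PAYROLL, "personal-pkg", PERSONAL_KEY),
        Artifact("payroll.png", b"\x89PNG\r\n\x1a\n" + PAYROLL),   # screenshot stand-in
        Artifact("fixture.txt", TEST_FIXTURE),
    ]
    return {a.name: inspect(a, ENTERPRISE_KEYS).status for a in arts}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:22} {status}")
```

Run as a script, the five artifacts come back SENSITIVE, SENSITIVE, UNINSPECTABLE, UNINSPECTABLE and CLEAN: the copy encrypted under the enterprise escrow key can be decrypted and inspected, the copy under a personal key and the screenshot cannot, and the never-issued SSNs in the test fixture are dropped by the tuned rule where the naive regex would have raised two false positives. The explicit UNINSPECTABLE status is the design choice worth keeping: a module that silently passes what it cannot read is the "undetected failure" in the list above, whereas a module that reports it lets policy decide what to do with encrypted or graphical content.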
Additional ISACA white papers on topics such as cloud computing, social media governance and mobile device security are available at www.isaca.org/downloads.
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.
ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Follow ISACA on Twitter: http://twitter.com/ISACANews
Kristen Kessinger, +1.847.660.5512, email@example.com
Joanne Duffer, +1.847.660.5564, firstname.lastname@example.org