The need to protect data and information
As an industry we have done a very good job of defining a secure infrastructure. While there are challenges in each enterprise when it comes to implementing and maintaining it, there is an excellent framework that every organization can work toward.
Even though the game is changing, many in the industry have continued to embrace the concept of a secure infrastructure and have tried to evolve it to fit the new security paradigm facing the industry. This evolution has consisted of trying to emulate the secure perimeter in a world where that perimeter is increasingly fluid and can change very quickly. The introduction of numerous portable devices and access methods create what might be described as a variable perimeter. This variable perimeter has been extremely difficult to define and even more so to implement, maintain and adapt with constant change that is more the norm than the exception in today's business climate. Add to this the ever-changing mix of customers, business partners and suppliers and the fact that at any given time an organization can have all of these relationships with another organization, leaves us with the inescapable conclusion that it is the information that needs protection, not just the infrastructure that houses and transports the information throughout its lifecycle.
When those of us who have been in the industry for many years came to this realization, some earlier than others, it was an epiphany to be sure. Once over the initial shock, a natural question for a security practitioner might be to ask "How in the world do I do that?"
Before we can develop an intelligent answer to the "how," we need to have a better definition of the "what" and the "where" in this new reality. Information leakage has been happening for years and is not a new issue. What is different now is that there are a lot more people seeking to acquire information through illegitimate means. There are a lot more methods by which this can be accomplished and there are more regulations requiring organizations take the proper steps to keep this information leakage under control. Lastly, there are an ever increasing array of penalties and consequences for those organizations unable to or unwilling to comply. These trends will continue, so it is in everyone's best interest, except of course "the bad guys", for the industry to evolve with the times and get in front of this issue sooner than later.
Before an appropriate set of controls can be defined and deployed, we need to understand the value of what needs to be protected and, to the extent that we are able, where it is located. This is similar in nature to how we go about protecting the infrastructure. The information needs to be characterized in terms of its value to the organization and the impact of its disclosure to the public. This disclosure component is of critical importance to achieving compliance with many of the data protection and privacy regulations that currently exist, as well as those yet to come.
This characterization is typically expressed as a data classification policy. A typical data classification policy defines four levels of data within the enterprise: Public, Internal, Confidential, and Restricted. The headings may differ from one organization to another, but for our purposes these headings will suffice:
- Public data is typically defined as data that anyone can access and it may be disclosed to the general public without impact to the organization. Examples of this type of data may include product marketing materials, sales collaterals and for publically held companies the annual report.
- Internal data is typically defined as internal business correspondence, records and data that are created during the normal course of business which is not identified as confidential or restricted. Examples of data classified as Internal include business emails, correspondence with clients.
- Confidential data typically includes any and all of business, financial and technical information including, customer, product, pricing and product development plans, network and system diagrams or other non-Restricted data created in the normal course of business which if made public would cause harm the organization.
- Restricted data includes all information subject to restriction in access, storage or processing by law, or regulation, or by customer contract and any other information owned or under the stewardship of an organization that could cause significant harm if inappropriately disclosed, accessed or modified.
Another important aspect that is relevant to data leakage is to define a data lifecycle to determine when and how to appropriately retire and dispose of data that is no longer needed by the business. This should be addressed in an organization data retention policy. In many cases such a policy does not exist. The data leakage issue may be the key to convince an organization to develop a comprehensive and enforceable data retention policy.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.