Posts by author:

Amice Wong

Working with security solutions has indeed made us realise a lot of things about IT governance, such as how people should start by taking a broader view of it instead of getting their feet wet with many different security technologies at the outset. But one thing that I've been thinking about recently is that, in essence, data loss prevention (DLP) is a very good way to illustrate good IT governance.

To illustrate this, here are several steps in developing a DLP security strategy:

  • Regulatory compliance. Many organisations need to comply with regulations such as SOX, ISO standards, PCI DSS, or all of the above. DLP strategies are becoming a vital part of meeting regulatory compliance requirements. PCI DSS, for example, requires that stored cardholder data be protected. A DLP strategy not only helps protect such information; it also gives the organisation evidence, for auditors and assessors, that it is taking appropriate steps.
  • Data classification. This is a hybrid activity involving people, process and technology. Although it is common knowledge that personal information about clients and employees, as well as business and financial data, is confidential to the company, different internal departments and applications are authorised to access different levels of data, and the classification has to capture this. The data discovery (database crawling) function of some DLP solutions helps locate sensitive data across the network using the patterns and definitions people supply, which speeds up the rollout.
  • DLP risk assessment. A DLP risk assessment involves monitoring the types of data leaving the company network, which gives an organisation a better understanding of its IT environment. The assessment results strongly support the business case for investing in DLP solutions and the resources they require.
  • Endpoint DLP and network DLP enforcement components. This may be the easiest part once an organisation has requested proposals from different providers. This Gartner paper serves as a reference.
  • Encryption components. Ever misplaced a USB thumb drive? That is why organisations disallow confidential data from being stored on personally owned removable storage devices that can be taken out of the office, even though media encryption products are available.

Some vendors and cloud providers promote the principle that "confidential data should never leave the office". To work off-site, employees are encouraged to reach the organisation's network and data through secure remote access. Host checking and secure clearing of cached data are also included in most remote access solutions these days.

Database encryption solutions are also drawing market interest. All records in the enterprise database are stored encrypted and are decrypted when requested by authorised applications. Applications may need to be modified to retrieve and update records in the encrypted database, and an additional hardware module on the server is usually required to limit the performance impact on the applications and the database.

  • User awareness training. Most data loss incidents can be attributed to unintentional errors by internal users.
  • Incident management. This could be quite a large topic. In Hong Kong, for example, the government has published an Information Security Incident Handling Guideline for government agencies.
  • Central monitoring and reporting. Most security solutions have monitoring and reporting tools. Besides network DLP and endpoint DLP, when implementing a data security strategy one should also consider weekly vulnerability checks of the network and of the important applications connected to the back-end database.

New threats are revealed every day and can be exploited by attackers at any time. Together with DLP monitoring findings, such health checks help a security manager form a broader view and are very useful for forensics and auditing.
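The data classification step above relies on a discovery function that crawls stored records for sensitive patterns. The following is an added example, not code from the original post or from any DLP product, of how such a crawler classifies cardholder data (the PCI DSS case mentioned above): it matches candidate card numbers, drops false positives with the Luhn check that real PANs satisfy, and reports only masked values so the DLP report itself does not become a new copy of the data. The sample records, field names and the "PCI-CHD" label are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every issued card number passes.

    Random digit runs (order numbers, phone numbers) fail it about 90%
    of the time, which keeps the discovery report from filling with noise.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the form PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    record_id: str
    field: str
    masked: str          # never store the full PAN in the finding
    classification: str


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_records(records: list[dict]) -> list[Finding]:
    """Crawl a list of records (e.g. rows pulled from a table) and classify fields."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id":
                continue
            for pan in find_pans(str(value)):
                findings.append(Finding(rec["id"], field, mask_pan(pan), "PCI-CHD"))
    return findings


# Constructed sample rows; the card numbers are the well-known test numbers.
SAMPLE_RECORDS = [
    {"id": "cust-001", "note": "Card on file 4111 1111 1111 1111, exp 12/27"},
    {"id": "cust-002", "note": "Order 1234567890123456 shipped"},   # 16 digits, fails Luhn
    {"id": "cust-003", "note": "Refund to 4242-4242-4242-4242"},
    {"id": "cust-004", "note": "No payment details recorded"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}.{f.field}: {f.masked} [{f.classification}]")
```

Running the block reports two findings (cust-001 and cust-003) and ignores the order number in cust-002 even though it has sixteen digits. In a real rollout the same loop would be pointed at database cursors or file shares, and the pattern set would be extended with the organisation's own classification definitions.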

Ideally, every IT investment project must be supported by a business case. In my experience, I have come across clients who purchased IT solutions such as database encryption but failed to implement them.

The common thread was the lack of a business case for the technology and the deployment around it, which eventually led to a communication breakdown: the departments concerned withdrew their support once they realised that their applications would have to be modified to integrate with a database of encrypted records.

The following points must be carefully considered and well communicated in a business case for DLP or data security:

  • Data protection is not a task given solely to the IT department; senior management is accountable too. Under SOX, for example, the CEO and CFO personally certify the financial reports of a listed company and face personal liability if the controls protecting that financial data and its integrity fail.
  • Unlike business processes, data risks cannot be outsourced. Even if data processing is delegated to a service provider (as it legitimately can be), the data owner (your company) remains liable for the loss of any data.
  • A company with no budget for a complete data security risk assessment can still learn its risks. Install a network DLP unit borrowed from a service provider or vendor on the main data pipe (the Internet gateway) and monitor the network for approximately two weeks. This gives a decent picture of your current data security events and the corresponding value of the data at risk.
  • Consult a trusted service provider if your data security strategy aims at regulatory compliance. Advice from consultants is a good external source of information to support the internal discussion of business cases.

Ultimately, it comes down to the fact that business cases are central to IT governance, and we should always take note of them.

Amice Wong

Amice Wong is responsible for security solution strategic marketing and sales planning at Datacraft Hong Kong, where she is also the primary spokesperson on security solutions and services. She was previously a Solution Sales Manager with PacNet before she joined Datacraft three years ago. Amice is a Certified Information Systems Auditor (CISA) with 10 years of sales and marketing experience in security solutions.



As a security solutions person, I think people should start by taking a broader view of IT governance instead of focusing on many different security technologies straight away.

To ensure progressive and substantial development in IT security, three specific areas need to be addressed. First, it is imperative to raise awareness of the importance of IT governance, bearing in mind that IT security is not limited to avoiding and preventing hacking: it also serves to facilitate management of the IT environment by assessing and addressing possible risks. In addition, such IT environments need to be supervised under specific regulations. These three areas have been consolidated and termed GRC: Governance, Risk and Compliance.

The prospects and potential development of GRC are evident in recent acquisitions in the industry. Key security vendors in particular are keen on acquiring GRC solutions to enrich their offerings. McAfee's acquisition of Solidcore and EMC's acquisition of Archer Technologies are two significant examples among the many that have occurred in recent years.

IT governance comprises an IT framework and five focus areas. These five areas are:

  1. Strategic alignment of IT with the business
  2. IT Value delivery
  3. Management of IT risks
  4. IT Resource Management
  5. IT Performance measurement

A great resource to gain further insight on IT Governance would be a book entitled, “Board Briefing on IT Governance” by IT Governance Institute.

I would like to share some pointers that I feel will aid your understanding in this context:

  • A CIO is no longer merely an IT Manager, but a Business Manager as well

IT should be run as a business, and tying IT investment to business value is the key to success. Every IT investment project should ideally be supported by a business case. Analysing a business case makes the business value of that project explicit, and it also aligns expectations and requirements across the organisation.

Investing in a resource whose business value is hard to see, such as infrastructure, is usually difficult to justify, but when the infrastructure is improved in step with the new systems it supports, the business value follows.

Reference: Building the Business Case for COBIT and Val IT: Executive Briefing, available as a free download.

  • Many business initiatives are supported by the IT team, but increasingly more business initiatives are being led by IT teams

Launching a new customer service portal, for example, would require the IT team to propose the relevant current technologies and protocols so that the portal can meet business needs for the next 3 to 5 years. It is therefore essential that IT teams equip themselves with the business knowledge needed to build the required architecture.

  • Enterprises should consider developing and/or customizing their own standards, instead of merely following customary standards

Firms most commonly adopt the customary standards of their industry, in this case the common standards for an IT governance framework. However, firms should remember that they can customise these standards to fit their specific business environment and requirements. This matters because standards tailored to your business requirements lead to efficiency and productivity.

  • There is more to Risk Management than just “Security”

Security is commonly understood to consist of confidentiality, integrity and availability (CIA). Risk management, however, is made up of risk evaluation, risk governance and risk response. It is therefore important that individual business units, the whole business committee and IT managers share responsibility for risk management.

  • Components of Resource management

Apart from human resources and capital investment, IT resources include infrastructure, information, applications, processes, partners and more. Resource management does not mean obtaining as many resources as possible, but identifying and properly utilising the resources available. For example, restricting back-end data access to authorised IT systems ensures that the back-end database is not abused.

Amice Wong


