When we consider securing data from unauthorized users, we most often think about the importance of protecting data from people or systems outside of our organization. And yet, many of the companies we speak to are also looking to prevent information from leaking between groups within their organization. While the need for ethical walls (sometimes referred to as “Chinese walls”) may be standard practice within the financial and legal professions, organizations from a variety of sectors have expressed a need to establish an information divide between internal groups. Research and development projects, financial auditing, and lawsuits are just some instances where an organization might seek to separate and restrict employee information sharing.
TITUS Classification Suite makes it easy to control and monitor the flow of information, ensuring the enforcement of ethical walls. The TITUS ECA (Event, Condition, Action) policy engine can take into account multiple system properties to enforce policy, such as the current user’s identity, the data creator’s identity, the content of the information, and the identity of the recipient. In addition to user and system properties, TITUS can automatically apply classification metadata to email and documents, providing further details which can be used to enforce information sharing policies between colleagues.
Let’s look at some examples of how TITUS can help prevent users from accidentally or intentionally breaching ethical walls:
- Alice works in the investment division of a financial institution. She is asked by her direct supervisor, Brenda, to provide a report detailing her planned investment targets for the next month. Alice creates her report in an Excel spreadsheet and TITUS automatically applies her department (“Investments”) as persistent metadata to the spreadsheet. Alice then attaches the report to an email and accidentally addresses the email to Brad the broker – not Brenda the supervisor (email autocomplete strikes again!). When Alice tries to send the email, TITUS checks the attachment metadata to verify that the recipient is entitled to the information. In this case, since Brad is part of the brokerage team, the email is immediately blocked and Alice is warned that the email cannot be sent to Brad because he is not part of the investments team.
- Imagine this scenario again, only this time Alice is sending an invitation to the company picnic in a Word document. As before, when Alice creates the invitation, TITUS automatically flags this file as being created by a user in the investment group. However, this time TITUS also prompts Alice to manually classify the sensitivity of the invitation. Because there is nothing sensitive or relating to investments within the invitation, Alice classifies it as “Public”. When Alice sends the invitation to both Brad and Brenda, TITUS recognizes that “Public” documents are not subject to ethical division and allows the email to be sent.
- Finally, let’s consider an example where Alice intentionally sends privileged information about one of her investment dealings to Brad in violation of insider trading regulations. Alice re-classifies one of her internal investment reports as “Public” because she knows that documents so classified will get through the ethical wall and reach Brad in the brokerage group. However, what she does not know is that TITUS is also scanning the content of email and attachments for keywords, phrases, and other indicators of investment information. Where the company picnic invitation did not contain investment data, Alice’s investment plans and reports do. As a result, TITUS will identify the restricted content, block the email and prevent the insider trading violation from occurring. In addition to preventing the breach, Alice’s actions are logged by TITUS and available for reporting and behavioral analysis. By providing details about how users are handling your most sensitive files, it is possible to quickly identify and stop internal threats to data security. Without TITUS classification and activity logs, Alice could simply claim that she sent the file to Brad by accident. However, TITUS also recorded that she downgraded the report classification before it was sent, indicating an intent to circumvent policy.
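The three scenarios above follow one Event, Condition, Action pattern: the send event triggers checks on creator group versus recipient group, on the sensitivity label, on scanned content, and on whether the label was downgraded first. The following is an added model of that evaluation written for this post; it is not TITUS code or its API, and the group names, label names, keyword patterns and document bodies are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed policy data, standing in for a TITUS ECA configuration (not real TITUS settings).
WALLED_GROUPS = {"Investments", "Brokerage"}   # groups separated by the ethical wall
EXEMPT_LABELS = {"Public"}                     # labels the wall does not apply to
# Constructed stand-in for the content scan for investment indicators.
INVESTMENT_PATTERNS = [re.compile(p, re.I) for p in
                       (r"\binvestment targets?\b", r"\blong position\b")]

@dataclass
class Document:
    creator_group: str          # persistent metadata applied when the file is created
    label: str                  # current sensitivity classification
    body: str
    label_history: list = field(default_factory=list)  # earlier labels, to detect downgrades

def reclassify(doc, new_label):
    """Keep the previous label so a downgrade is visible in the audit trail later."""
    doc.label_history.append(doc.label)
    doc.label = new_label

def evaluate_send(doc, recipient_group, audit):
    """Event: send. Conditions: wall crossing, label, content, prior downgrade. Action: allow/block + log."""
    crosses_wall = (doc.creator_group in WALLED_GROUPS and recipient_group in WALLED_GROUPS
                    and doc.creator_group != recipient_group)
    if not crosses_wall:
        audit.append(("allow", "recipient is on the same side of the wall as the creator group"))
        return True
    if doc.label not in EXEMPT_LABELS:
        audit.append(("block", f"'{doc.label}' document from {doc.creator_group} addressed to {recipient_group}"))
        return False
    # Exempt label: the wall no longer applies, but the content scan still does.
    if any(p.search(doc.body) for p in INVESTMENT_PATTERNS):
        downgraded = [lbl for lbl in doc.label_history if lbl not in EXEMPT_LABELS]
        reason = "restricted content found under an exempt label"
        if downgraded:
            reason += f"; label downgraded from {downgraded[-1]} before sending"
        audit.append(("block", reason))
        return False
    audit.append(("allow", "exempt label and no restricted content"))
    return True

def run_scenarios():
    """Replay the three scenarios from the post; returns (allowed flags, audit log)."""
    audit = []
    report = Document("Investments", "Investments", "Planned investment targets for next month (constructed)")
    picnic = Document("Investments", "Public", "Company picnic this Saturday at the park (constructed)")
    leak = Document("Investments", "Investments", "Investment targets for March: long position in XYZ (constructed)")
    reclassify(leak, "Public")      # Alice's deliberate downgrade
    results = (evaluate_send(report, "Brokerage", audit),   # misaddressed to Brad: blocked
               evaluate_send(report, "Investments", audit), # to Brenda: allowed
               evaluate_send(picnic, "Brokerage", audit),   # Public invitation: allowed
               evaluate_send(leak, "Brokerage", audit))     # downgraded report: blocked, downgrade logged
    return results, audit
```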
These are just some basic examples of how TITUS can be used to help enforce ethical walls. The TITUS ECA policy engine is extremely flexible and can be customized to your particular business case and workflow.
Share with us your experiences and challenges with ethical walls or contact us to learn more about how TITUS can help provide permanence to your ethical walls.