Remember Tetris? Admit it – you’ve wasted hours on Tetris. Well, let me share with you something I like to call “Policy Tetris.”
Archive for the ‘Compliance’ Category
Mobile devices make it easy to access information from almost anywhere and to share it with just about everyone on earth. However, because they are small and highly portable, mobile devices are also more easily lost or stolen, and with them the data they contain. For businesses, governments, militaries and other organizations that create and handle sensitive information, mobile devices pose a huge security risk. While there are many solutions designed to protect data on mobile devices, what if you could delete sensitive data from the device before it is put at risk?
Think about this…on that special day when we are born our parents give us a name. Makes sense, right? Having a name keeps you from getting mixed up with the other babies. If you are late for supper and your mom needs to find you right away, she calls your entire name just to make sure the right “Mike” comes home. Should you get lost, it would be pretty difficult for your parents to say to police: “Well, he is 7 years old but doesn’t have a name. See if he answers to ‘Steve’. We always liked that name…”
Your company’s data isn’t much different, is it? Without a unique identifier your sensitive data is subject to misuse or improper handling. Everything from securing to storing and retrieving your information is more difficult, more time-consuming, and less efficient without first properly identifying, or classifying, your data.
Many organizations are beginning to see the value in “naming their data”, or data classification, and are starting to do something about it. However, there are still some organizations out there that do not classify their data. Here is a top 10 list of excuses why organizations DO NOT classify their data “babies”.
Next week, SC Magazine will be hosting a webinar on how Provident Bank transformed their information protection strategy [link updated to webinar recording]. While it might be a bit of a spoiler, I will let you know that Provident Bank thought enough of classification to make it central to their data protection transformation, as have many other financial organizations. I have worked with a number of different financial services companies, and while each might deal with much of the same kinds of data – payment card information (PCI), personally identifiable information (PII), and intellectual property (IP) – they all had their own unique drivers for implementing classification. It made me wonder — what are the top 5 reasons that financial organizations have asked TITUS to help them classify their data? Here is what I found:
In light of last week’s announcement that the records of 80 million customers were stolen from healthcare insurer Anthem, it is worth noting that healthcare organizations have a particularly heavy data protection burden to bear. As the NY Times reported, Protected Health Information (PHI) is incredibly valuable. Where credit card records were selling for just 33 cents each, a patient medical record on the black market sold for $251.
Why is PHI so valuable?
Last week, 451 Research analyst Daniel Kennedy released a report which revealed that corporate data protection is the top mobile concern for security managers. How much of a concern? Forty-two percent (42%) of the security managers they spoke to cited data security as the top priority. The next highest concern was user-owned devices (BYOD) at 11%. While I am not surprised that data security is the top concern and BYOD is second, I must confess that I find the huge delta between the two concerns surprising. With BYOD such a distant second, it is apparent that security managers do not feel that company data, such as PII, PHI, PCI and intellectual property (IP), is safe even on corporate-owned devices.
So why is this?
As the workforce becomes more mobile, enterprises wishing to facilitate a productive mobile workforce need to ensure that their workers have access to information. This means that mobile users must download and share information that could be detrimental to the organization if it is acquired by an outside agent. Yet, almost weekly we hear of another major breach of an organization’s central security perimeter. If the central data vault can be compromised, it raises the question: how safe is your data on mobile devices?
Mobile devices share information over public networks and they make it easy for users to share information with public cloud storage services. Worse still, they are easily lost or stolen. It makes a lot of sense, then, to leverage a tool like Microsoft Rights Management Services (RMS) to encrypt your most sensitive data—especially when it is shared with mobile users.
I’ve noticed a distinct theme throughout a number of different analyst reports I’ve recently read: that the protection of information and data assets is a business task which needs guidance from the business unit leaders. Take as an example…
As executives see more and more media coverage of data breaches and security incidents, the inevitable question is: “What are we doing to make sure that doesn’t happen to us?”
Contrary to 2012 when privacy responsibility was shifting to an organization-wide accountability, in 2013 it’s falling more onto the security group within enterprises. [It’s] a matter of concern if more and more enterprises deem the security group fully responsible for privacy and regulations. Ensuring privacy requires a union of technology, policy, and culture, and a harmony between many business units from security to legal to HR to employees.
In October, two new rules issued by the Departments of State and Commerce under the Export Control Reform take effect. On October 15, jurisdiction over many military items that have been deemed less sensitive will move from the U.S. Munitions List, governed by the State Department’s International Traffic in Arms Regulations (ITAR), to the Commerce Control List, governed by the Commerce Department’s Export Administration Regulations (EAR). The 600 Series classification provisions will allow this to happen, as they mandate sweeping changes to the affected items, such as a “catch-and-release” definition of items that are controlled for defense and trade purposes.
“While there is still more work to be done, taken together, these reforms will focus our resources on the threats that matter most, and help us work more effectively with our allies in the field,” President Obama said at the Department of Commerce Annual Export Controls Update Conference. “They’ll bring transparency and coherence to a field of regulation which has long been lacking both.”