Archive for the ‘Compliance’ Category

TITUS Classification solutions provide compliance support for new UK government marking requirements

Friday, March 15th, 2013

Organizations throughout the world have the need to comply with various regulations in order to ensure that their most sensitive information is protected. In Australia, for example, Australian government departments use TITUS classification solutions to meet the requirements of the Email Protective Marking Standard (EPMS). For a number of years, TITUS has also been assisting our UK government customers by helping them to comply with the Government Protective Marking Scheme (GPMS).

In the UK, government agencies and public sector organizations need to comply with Her Majesty’s Government (HMG) Security Policy Framework to protect their most important assets. In order to comply with this requirement, departments and agencies must adopt policies in accordance with the Government Protective Marking System, which is designed to help staff determine and indicate to others the levels of protection required to help prevent the compromise of information via protective markings to emails and documents.

TITUS continues to support Australian Standard – EPMS 2012

Thursday, September 13th, 2012

They were one of our first customers. Their requirements are one of the reasons that TITUS began developing email classification security software. From our relationship with them, a better classification product was born.

Top Data Security Blog Posts for 2011: Data Classification, Mobile Security, Data Security and Compliance, Data Loss Prevention, and Cloud Data Security

Wednesday, December 28th, 2011

As 2011 draws to a close, I thought it would be interesting to provide a list of the most popular data security articles on this blog. Here are the topics and articles that were most popular with our readers:

1) Data Classification

More and more commercial organizations have started to see data classification as the foundation of their information protection strategy. We wrote several articles about this trend, including an article that described how to implement a data classification policy in 5 simple steps, and an article that recommended best practices for defining a data classification scheme. Readers were also interested in how to use classification software to bulk classify, mark, and label large numbers of files.

2) Mobile Security

Mobile security has become a hot topic, especially with the trend toward consumerization of mobile devices.

New White Paper: 5 Easy Steps for Implementing a Classification Policy

Monday, December 5th, 2011

Most organizations have an established corporate information handling policy to protect sensitive and confidential information. This policy is typically expressed with a classification scheme that describes the handling procedure based on the sensitivity of the material in question. The challenge, however, has been implementing and enforcing this policy; in other words, ensuring that sensitive information is adequately protected on a consistent basis.

To address this challenge, organizations often make large investments in technologies such as data loss prevention (DLP) and information rights management (IRM) solutions. Unfortunately, these technologies are often implemented without classification as a first step, and therefore lack context about the information they are protecting. This results in inconsistent and inaccurate data protection, which increases the organization’s risk exposure, may reduce business velocity, and can make a large infrastructure investment a white elephant.

The solution to this challenge is to make classification the foundation of your information protection policy. Fortunately, implementing a classification policy is actually quite simple. In our new white paper entitled “5 Easy Steps for Implementing a Classification Policy”, we discuss how you can implement – and enforce – a classification policy that will increase user security awareness, enhance DLP and IRM solutions, and protect your organization against data loss.

Controlled Unclassified Information (CUI): The CUI Registry is out!

Tuesday, November 8th, 2011

On November 4, 2011, the National Archives and Records Administration (NARA) released the first-ever registry for Controlled Unclassified Information (CUI) for records that are not classified as top secret or secret, but require some protection. The release of this registry meets one of the first targets of President Obama’s Executive Order on Controlled Unclassified Information.

The order stated that “Within 1 year of the date of this order, the Executive Agent shall establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories”. Although much work remains, the new registry “is certainly an important milestone,” according to John Fitzpatrick, the office’s director. Looking back at the origin of this registry, one of the key reasons to move forward with this initiative was that executive branch performance “suffers immensely from interagency inconsistency” in the CUI arena. And no wonder: there were 117 different markings. The results were inconsistent marking and safeguarding of documents, which led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.

The new CUI registry provides a common definition, standardizes processes and procedures, and breaks CUI down into 15 subject categories, such as law enforcement, immigration and privacy, followed by 85 subcategories (“privacy-contract use,” “privacy-financial,” and so on). It also justifies each with a reference to a specific law, regulation or government-wide policy. The next major steps (more…)

Best Practices for Defining a Classification Scheme

Wednesday, November 2nd, 2011

In my previous blog post, 5 Easy Steps for Implementing a Classification Policy, I discussed the importance of starting with a simple set of classification labels. In this post, I will expand on the topic of classification schemes, especially as they apply to commercial organizations.

At TITUS, we recommend that organizations try to keep the number of classification options down to four or fewer. We find that the simpler your classification scheme, the easier it will be for users to decide which category to use. Later, as your users become used to classifying content, you can add additional categories.

Many organizations use three categories:

1) A category such as “Public” to indicate non-sensitive information
2) An “Internal” category for information that should stay within the organization
3) A category such as “Confidential” or “Restricted” for information that is particularly sensitive

Surprisingly, the “Public” category is often what causes the most debate in commercial organizations.

Is Your Agency Ready for CUI Compliance? Meet Your December 6th Deadline

Thursday, October 13th, 2011

On November 4, 2010, U.S. President Barack Obama signed a new Executive Order to establish a uniform policy for the government treatment of “Controlled Unclassified Information” (CUI). This framework standardizes practices around the sharing of Controlled Unclassified Information, with the goal of improving the sharing of information within the executive departments of the U.S. Federal Government.

Government agencies must complete a number of deliverables as part of the CUI implementation plan. In May 2011, agencies were required to submit a catalogue of proposed Controlled Unclassified Information categories to the National Archives and Records Administration (NARA). The next step is for agencies to develop a CUI compliance plan, which is due by December 6, 2011.

TITUS has partnered with PKH Enterprises to help agencies develop their CUI compliance plan. In a joint white paper with Patricia Hammar, executive secretary of the CUI Presidential Task Force, we provide expert advice, templates, and best practices from governments that have implemented similar initiatives. The white paper, called “Protect Your CUI Data: 5 Steps to Implementing Your Controlled Unclassified Information Plan”, includes the following content: (more…)

Controlled Unclassified Information (CUI) Initial Implementation Guidance

Tuesday, June 21st, 2011

On June 9, NARA released an implementation guidance document to help agencies prepare to meet Executive Order 13556. The guidance document provides agencies with some key information needed for them to prepare their CUI implementation plans. These plans are due to NARA in early November of this year.

Here are some of the highlights:

• They give guidance on how to handle legacy documents. This has been an area of great interest to the government folks that we have been speaking with – they will appreciate the clarity.
• Safeguarding of CUI per existing OMB and NIST direction (a good thing – don’t think anyone wanted new standards).
• De-control dates for each category (welcome for various open government advocates).
• View into marking format: CUI//Authorized Category-Subcategory. Everyone’s been waiting for this one!
• They encourage portion marking. Portion marking refers to applying paragraph-level markings that may be different than other markings within the same document or email. Portion marking is widely used across the intelligence and DoD community. It will be interesting to see this leveraged on the civilian side of things – end user training and education will be paramount to successful adoption.
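To make the marking format and portion marking concrete, here is an added example (not TITUS or NARA code) that parses markings of the form CUI//Category-Subcategory, checks each one against a registry, and walks the portion markings of a document so that unregistered or malformed markings can be reported before the document leaves the agency. The registry entries below are constructed for illustration from the category names mentioned on this page and are not the official CUI Registry.

```python
"""Parse and check CUI markings in the form CUI//Category-Subcategory.
Added example, not TITUS or NARA code. REGISTRY is constructed for
illustration only; it is not the official CUI Registry."""
import re

# Constructed registry: category -> set of registered subcategories.
REGISTRY = {
    "Privacy": {"Contract Use", "Financial"},
    "Law Enforcement": set(),
    "Immigration": set(),
}

# Banner prefix, a category without dashes, then an optional -Subcategory.
MARKING_RE = re.compile(r"^CUI//(?P<cat>[^-]+?)(?:-(?P<sub>.+))?$")


def parse_marking(marking: str):
    """Split 'CUI//Category-Subcategory' into (category, subcategory or None).
    Raises ValueError when the text does not follow the format."""
    m = MARKING_RE.match(marking.strip())
    if not m:
        raise ValueError(f"not a CUI marking: {marking!r}")
    return m.group("cat").strip(), (m.group("sub") or "").strip() or None


def validate_marking(marking: str, registry=REGISTRY):
    """Return None when the marking names a registered category (and, if
    present, a registered subcategory); otherwise a short problem string."""
    try:
        cat, sub = parse_marking(marking)
    except ValueError as e:
        return str(e)
    if cat not in registry:
        return f"unregistered category {cat!r}"
    if sub is not None and sub not in registry[cat]:
        return f"unregistered subcategory {sub!r} for {cat!r}"
    return None


def check_portions(portions, registry=REGISTRY):
    """portions: list of (marking, paragraph_text) pairs, one per portion.
    Returns (set of distinct valid markings used, list of (index, problem))."""
    used, problems = set(), []
    for i, (marking, _text) in enumerate(portions):
        problem = validate_marking(marking, registry)
        if problem:
            problems.append((i, problem))
        else:
            used.add(marking.strip())
    return used, problems


# Constructed sample document whose paragraphs carry different markings.
SAMPLE = [
    ("CUI//Privacy-Financial", "Salary figures for ..."),
    ("CUI//Law Enforcement", "Incident summary ..."),
    ("CUI//Privacy-Contract Use", "Vendor terms ..."),
    ("CUI//Privacy-Medical", "Subcategory deliberately not in REGISTRY."),
]
```

Running `check_portions(SAMPLE)` reports the fourth portion as carrying an unregistered subcategory while returning the three distinct markings that passed, which is the information a reviewer needs to decide what the document-level banner must cover.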

Overall, this helps set the stage for what is to come.  Expect to see more guidance issued as we get closer to the registry live date (November 2011, if they keep on track).  The registry will hold all the approved CUI markings and be available to the public.

The guidance can be found at: http://www.fas.org/sgp/cui/guidance.pdf

How Classification Labels Enable End-User Security Awareness

Friday, June 17th, 2011

As much as we’d like it to, technology simply can’t protect our data 100 percent of the time. When it’s in databases, or travelling over a network, data can be encrypted, or can be protected with strict access controls. However, at some point in time, most of our business processes involve documents such as reports, spreadsheets, presentations and emails. Whenever we put information into these kinds of portable formats, it becomes harder to protect with technology. Applying classification labels to documents when they are created enables a level of security awareness among users. This extends our security policies into the realm of human information exchanges (as opposed to electronic exchanges between systems).

While the big picture view of security awareness and data classification may not be obvious, it’s worthwhile looking at the parallels between automated and manual information exchanges to appreciate the critical elements on the human side.