I was first introduced to information lifecycle management about 15 years ago when I was a sales rep for an SAP consulting company. Because SAP generates huge volumes of data that eventually clogs up the system, we helped companies archive the old data into offline document management systems for easy location and retrieval if/when needed. As I learned more about document management systems, I expanded my focus from selling just archiving solutions to selling complete content management solutions that would control the lifecycle of corporate documents – from creation, through revisions, approvals, archiving and eventual destruction.
Archive for the ‘Compliance’ Category
Data privacy in the cloud continues to be a hot topic for regulators. This week, I’d like to cover two important data privacy developments that have a tie-in to concerns about US surveillance programs and cloud data. The first is the US Email Privacy Act, and the second is the revocation of the US-EU Safe Harbor agreement.
Email Privacy Act
The Email Privacy Act is a proposed US Federal law that would require the government to obtain a warrant before accessing email, text messages, and other private content stored in the cloud by Internet Service Providers.
If your organization is a bulk power system owner or operator in North America, then you probably already know that you need to be compliant with NERC CIP v5 by April 1, 2016.
For readers who are not familiar with the topic, North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards, including Critical Infrastructure Protection (CIP) standards to secure cyber assets essential to the reliable operation of the electric grid.
It’s time to start getting serious about Controlled Unclassified Information (CUI) and the implementation of a solution that ensures compliance. It is expected that the 32 Code of Federal Regulations (CFR) 2002 will be completed in the November-December 2015 time frame. With the rules and markings in place, the National Archives and Records Administration (NARA) will release the official Marking Handbook to kick off the phased implementation process.
TITUS Classification software can help any department easily comply with these regulations. By using the TITUS classification and marking solution, organizations can enhance their overall security program and realize the following benefits:
Remember Tetris? Admit it – you’ve wasted hours on Tetris. Well, let me share with you something I like to call “Policy Tetris.”
Mobile devices make it easy to access information from almost anywhere and to share it with just about everyone on earth. However, because they are small and highly portable, mobile devices are also more easily lost or stolen—and with them, the data they contain. For businesses, governments, militaries and other organizations that create and deal with sensitive information, mobile devices pose a huge security risk. While there are many solutions designed to protect data on mobile devices, what if you could delete sensitive data from the device before it is put at risk?
Think about this…on that special day when we are born our parents give us a name. Makes sense, right? Having a name keeps you from getting mixed up with the other babies. If you are late for supper and your mom needs to find you right away, she calls your entire name just to make sure the right “Mike” comes home. Should you get lost, it would be pretty difficult for your parents to say to police: “Well, he is 7 years old but doesn’t have a name. See if he answers to ‘Steve’. We always liked that name…”
Your company’s data isn’t much different, is it? Without a unique identifier, your sensitive data is subject to misuse or improper handling. Everything from securing to storing and retrieving your information is much more difficult, more time consuming, and less efficient without first properly identifying—or classifying—your data.
Many organizations are beginning to see the value in “naming their data”, or data classification, and are starting to do something about it. However, there are still some organizations out there that do not classify their data. Here is a top 10 list of excuses why organizations DO NOT classify their data “babies”.
Next week, SC Magazine will be hosting a webinar on how Provident Bank transformed their information protection strategy [link updated to webinar recording]. While it might be a bit of a spoiler, I will let you know that Provident Bank thought enough of classification to make it central to their data protection transformation, as have many other financial organizations. I have worked with a number of different financial services companies, and while each might deal with much of the same kinds of data – payment card information (PCI), personally identifiable information (PII), and intellectual property (IP) – they all had their own unique drivers for implementing classification. It made me wonder — what are the top 5 reasons that financial organizations have asked TITUS to help them classify their data? Here is what I found: