Archive for the ‘Email Security’ Category

« Older Entries

TITUS Classification solutions provide compliance support for new UK government marking requirements

Friday, March 15th, 2013

Organizations throughout the world have the need to comply with various regulations in order to ensure that their most sensitive information is protected. In Australia, for example, Australian government departments use TITUS classification solutions to meet the requirements of the Email Protective Marking Standard (EPMS). For a number of years, TITUS has also been assisting our UK government customers by helping them to comply with the Government Protective Marking Scheme (GPMS).

In the UK, government agencies and public sector organizations need to comply with Her Majesty’s Government (HMG) Security Policy Framework to protect their most important assets. In order to comply with this requirement, departments and agencies must adopt policies in accordance with the Government Protective Marking System, which is designed to help staff determine and indicate to others the levels of protection required to help prevent the compromise of information via protective markings to emails and documents.

(more…)

Posted in Classification, Compliance, Email Security | No Comments »

TITUS continues to support Australian Standard – EPMS 2012

Thursday, September 13th, 2012

They were one of our first customers. Their requirements are one of the reasons that TITUS began developing email classification security software. From our relationship with them, a better classification product was born.

(more…)

Tags: , ,
Posted in Classification, Compliance, Email Security | No Comments »

Why Isn’t My DLP Investment Paying Off?

Wednesday, January 4th, 2012

It’s a common scenario: a large organization invests millions of dollars in a DLP solution, only to leave it in “watch mode” because the rate of false positives is too high to enable full blocking. The result is a DLP investment that becomes a white elephant: a promising technology that does not pay off in actually preventing data loss.

The problem often begins with an over-reliance on automated scanning to prevent data loss. The DLP system is expected to automatically identify all sensitive content, which requires IT administrators to translate business processes and policies into automated rules for every data loss scenario. This is an impossible task, which usually results in overly restrictive rules that block non-sensitive data (false positives) or overly permissive rules that mistakenly release sensitive data (false negatives).

The impact of false positives can be just as detrimental to the business as the data loss caused by false negatives. False positives disrupt business agility and productivity, and can impact collaboration, innovation, and business growth. As well, false positives can actually lead to increased data loss, with users looking for alternative, less secure methods to get around restrictions and carry out their business tasks.

The best way to address this problem is for organizations to identify their information appropriately. The sensitivity of each piece of information must be identified, or ‘classified’. Information classification is crucial for proper handling, and for the ultimate security of an enterprise’s information. Classification provides context to unstructured data such as email and business documents, making it possible for DLP solutions to know how to protect your organization’s sensitive information. (more…)

Posted in Classification, DLP, Email Security, Protective Marking | No Comments »

Top Data Security Blog Posts for 2011: Data Classification, Mobile Security, Data Security and Compliance, Data Loss Prevention, and Cloud Data Security

Wednesday, December 28th, 2011

As 2011 draws to a close, I thought it would be interesting to provide a list of the most popular data security articles on this blog. Here are the topics and articles that were most popular with our readers:

1) Data Classification

More and more commercial organizations have started to see data classification as the foundation of their information protection strategy. We wrote several articles about this trend, including an article that described how to implement a data classification policy in 5 simple steps, and an article that recommended best practices for defining a data classification scheme. Readers were also interested in how to use classification software to bulk classify, mark, and label large numbers of files.

2) Mobile Security

Mobile security has become a hot topic, especially with the trend toward consumerization of mobile devices. (more…)

Posted in Classification, Cloud Data Security, Compliance, Controlled Unclassified Information (CUI), DLP, Email Security, ITAR / Export Control, Military Classification, Outlook Web Access Security, Prevent Wikileaks, Web Mail | No Comments »

New White Paper: 5 Easy Steps for Implementing a Classification Policy

Monday, December 5th, 2011

Most organizations have an established corporate information handling policy to protect sensitive and confidential information. This policy is typically expressed with a classification scheme that describes the handling procedure based on the sensitivity of the material in question. The challenge, however, has been implementing and enforcing this policy; in other words, ensuring that sensitive information is adequately protected on a consistent basis.

To address this challenge, organizations often make large investments in technologies such as data loss prevention (DLP) and information rights management (IRM) solutions. Unfortunately, these technologies are often implemented without classification as a first step, and therefore lack context about the information they are protecting. This results in inconsistent and inaccurate data protection, which increases the organization’s risk exposure, may reduce business velocity, and can make a large infrastructure investment a white elephant.

The solution to this challenge is to make classification the foundation of your information protection policy. Fortunately, implementing a classification policy is actually quite simple. In our new white paper entitled “5 Easy Steps for Implementing a Classification Policy”, we discuss how you can implement – and enforce – a classification policy that will increase user security awareness, enhance DLP and IRM solutions, and protect your organization against data loss. (more…)

Posted in Classification, Compliance, Email Security, ITAR / Export Control, Military Classification, Protective Marking | No Comments »

Is Your Agency Ready for CUI Compliance? Meet Your December 6th Deadline

Thursday, October 13th, 2011

On November 4, 2010, U.S. President Barack Obama signed a new Executive Order to establish a uniform policy for the government treatment of “Controlled Unclassified Information” (CUI).  This framework standardizes practices around the sharing of Controlled Unclassified Information, with the goal of improving the sharing of information within the executive departments of the U.S. Federal Government.

Government agencies must complete a number of deliverables as part of the CUI implementation plan. In May 2011, agencies were required to submit a catalogue of proposed Controlled Unclassified Information categories to the National Archives and Records Administration (NARA). The next step is for agencies to develop a CUI compliance plan, which is due by December 6, 2011.

TITUS has partnered with PKH Enterprises to help agencies develop their CUI compliance plan. In a joint white paper with Patricia Hammar, executive secretary of the CUI Presidential Task Force, we provide expert advice, templates, and best practices from governments that have implemented similar initiatives. The white paper, called “Protect Your CUI Data: 5 Steps to Implementing Your Controlled Unclassified Information Plan”, includes the following content: (more…)

Posted in Classification, Compliance, Controlled Unclassified Information (CUI), Email Security | No Comments »

5 Easy Steps for Implementing a Classification Policy

Tuesday, September 27th, 2011

“We’ve had a classification policy for 30 years, but we’ve never been able to enforce it.”

Does this quote sound familiar to you? It’s very common for organizations, especially in the commercial space, to have a classification policy but no way to implement it. Instead, organizations often move directly to the data protection stage, investing in large infrastructure projects such as DLP and IRM. But without classification as the foundation of their information protection strategy, it’s impossible for organizations to know what to protect.

Fortunately, implementing a classification policy is actually quite simple. Based on our experience in helping hundreds of organizations, here are our five recommended steps for implementing a classification policy:

(more…)

Posted in Classification, Compliance, DLP, Email Security, Information Spillage, Metadata, Microsoft Office Security, Protective Marking | No Comments »

Data Loss and Other Risks – Employees Sending Email to Their Home Computer for Business Purposes

Thursday, September 1st, 2011

It can be very tempting for employees to use their personal email accounts to do corporate business. The typical scenario is that they didn’t quite get all their work done on a document in the office, so they send that document to their personal email account, where they can pick it up at home and continue working on it.

In this article, we’ll have a look at why employers should have a policy against employees using this practice. Having a clear policy might save some embarrassment, financial penalties or even legal difficulties,  and might help people understand why it’s important.

(more…)

Posted in DLP, Email Security | No Comments »

Oh no! – Email Auto-Complete – Helping Users Prevent Data Leakage to Unintended Email Recipients

Thursday, August 11th, 2011

Most of us have inadvertently sent email to an unintended recipient due to the fateful “Reply All” button, or as a result of a hastily typed recipient name that gets “Auto-Completed” with the email address of somebody who has a similar name to the intended recipient. The result can be not only embarrassment, but actual data leakage that should be treated as a security incident or breach.

This blog discusses how common mistakes including inserting the wrong email address and sending emails that contain sensitive and restricted data to the wrong recipient(s),can impact an organization, and how the TITUS Aware for Microsoft Outlook product can  prevent these kinds of incidents.

 

When the convenience of auto-completed Email recipients turns into a data breach

The results were disastrous in 2010 for the Gwent Police Department in the UK, when an unencrypted spreadsheet containing the results of criminal record checks was accidentally sent by a police department employee to a newspaper, instead of an internal departmental recipient. The culprit was the “Auto-Complete” feature in their email program that filled in, or suggested, the newspaper’s email address as a CC recipient, rather than the intended internal recipient.

The file contained Personally Identifiable Information (PII) of 10,000 citizens who had applied for jobs that required criminal record checks. For a brief summary of the story, click HERE.  If only the unfortunate police department employee had been warned that they were about to make this mistake, the incident would certainly have been avoided by alerting the user before they send an email to correct the recipient list.

The ultimate unintended Reply-All ruins a legal case

Imagine being an attorney working on a legal case when you respond to a colleague’s email with the Reply-All button, and realize that the recipient list included a member of the opposing counsel. This could be the ultimate breach of attorney-client privilege. In such a case (click HERE), the judge, when asked to rule that the email’s content was inadmissible, noted that this was not the first incident of this type for the attorney in question. Clearly, a firm is expected to be diligent with its email communications.

How TITUS Aware for Microsoft Outlook can help solve inadvertent email misdirection

TITUS Aware for Microsoft Outlook is a powerful email tool for preventing data leakage. Policies can be defined to warn an users or to prevent email from being sent when certain rules are violated.

For example, in the case of the Outlook Auto-Complete problem, any email recipient that is not within predefined SMTP “Safe Domains” (e.g. the employer’s corporate domain) can trigger a pop-up warning to the user to inform them of the potential data loss and asking how they wish to proceed. Giving users a second chance to review the recipient list, to make sure that there are no unintended external recipients,  can prevent massive breaches such as occurred in the Gwent Police Department story above.

The image below shows a typical warning, to a user, that a recipient selected via Auto-Complete is actually an external Hotmail user.

Policy Warnings Dialog

Figure 1 – Safe Domains in TITUS Aware for Microsoft Outlook

The risk of accidentally using the Reply All button can also be mitigated through the use of the “Maximum Recipients” feature in TITUS Aware for Microsoft Outlook. When a message has more than a certain number of recipients, a rule can be triggered that presents a warning dialog to the user. This gives users a warning that they might be sending the email to more recipients than they had planned. This can be enough of a reminder that the user will correct the recipient list.

The administrative setting shown in the image below allows for a maximum number of message recipients. Whenever the number of recipients exceeds this value, the user will see the warning dialog.

Maximum Recipients Dialog

Figure 2 – Maximum Recipients Setting in TITUS Aware for Microsoft Outlook

These are just a couple of examples of how TITUS Aware for Microsoft Outlook can guide users to making good security decisions when working in a high-pressure environment. Overall, the aim is to create a decision point for the user, encouraging them to review what they plan to send and to whom. This increases users’ responsibility and helps to correct any digressions from the company’s security policy before an incident happens.

How soon do you think the next preventable email incident will occur in your organization? Having an automatic reminder can really reduce the chances of it actually happening. In addition this will empower the user and enable IT to focus on more strategic tasks

If you’d like more information on how the TITUS products can help implement recipient list validation to improve DLP, please use the coordinates on our Contact Us page to let us know.

Posted in DLP, Email Security | No Comments »

Redaction for Microsoft Outlook email – How it Can Support Data Loss Prevention

Monday, July 25th, 2011

Since there are a number of ways to implement Data Loss Prevention (DLP) within an enterprise, it is important to understand the value of different approaches. One approach to DLP is called “Redaction”, which involves blacking out the characters in a message or document, so that future consumers of the document can’t see sensitive portions of the document. The image below shows how a redacted message might look. Redaction has been mostly used in highly sensitive government or military environments for documents, but redaction can also be used in commercial organizations where the loss of sensitive information via email is a concern.

Clearly, in order to effectively redact content, some kind of rules must be applied to determine which portions should be blacked out. Once the sensitive portions have been identified, a number of different actions are usually taken to ensure that the sensitive information is not released. This article focuses on why redaction is an important option to have in an email system, and how it can be automated to help users protect sensitive information.

(more…)

Posted in DLP, Email Security, Information Spillage | No Comments »

« Older Entries