Archive for ‘Protective Marking’

Why Isn’t My DLP Investment Paying Off?

Wednesday, January 4th, 2012

It’s a common scenario: a large organization invests millions of dollars in a DLP solution, only to leave it in “watch mode” because the rate of false positives is too high to enable full blocking. The result is a DLP investment that becomes a white elephant: a promising technology that does not pay off in actually preventing data loss.

The problem often begins with an over-reliance on automated scanning to prevent data loss. The DLP system is expected to automatically identify all sensitive content, which requires IT administrators to translate business processes and policies into automated rules for every data loss scenario. This is an impossible task, which usually results in overly restrictive rules that block non-sensitive data (false positives) or overly permissive rules that mistakenly release sensitive data (false negatives).

The impact of false positives can be just as detrimental to the business as the data loss caused by false negatives. False positives disrupt business agility and productivity, and can impact collaboration, innovation, and business growth. As well, false positives can actually lead to increased data loss, with users looking for alternative, less secure methods to get around restrictions and carry out their business tasks.

The best way to address this problem is for organizations to identify their information appropriately. The sensitivity of each piece of information must be identified, or ‘classified’. Information classification is crucial for proper handling, and for the ultimate security of an enterprise’s information. Classification provides context to unstructured data such as email and business documents, making it possible for DLP solutions to know how to protect your organization’s sensitive information.



New White Paper: 5 Easy Steps for Implementing a Classification Policy

Monday, December 5th, 2011

Most organizations have an established corporate information handling policy to protect sensitive and confidential information. This policy is typically expressed with a classification scheme that describes the handling procedure based on the sensitivity of the material in question. The challenge, however, has been implementing and enforcing this policy; in other words, ensuring that sensitive information is adequately protected on a consistent basis.

To address this challenge, organizations often make large investments in technologies such as data loss prevention (DLP) and information rights management (IRM) solutions. Unfortunately, these technologies are often implemented without classification as a first step, and therefore lack context about the information they are protecting. This results in inconsistent and inaccurate data protection, which increases the organization’s risk exposure, may reduce business velocity, and can make a large infrastructure investment a white elephant.

The solution to this challenge is to make classification the foundation of your information protection policy. Fortunately, implementing a classification policy is actually quite simple. In our new white paper entitled “5 Easy Steps for Implementing a Classification Policy”, we discuss how you can implement – and enforce – a classification policy that will increase user security awareness, enhance DLP and IRM solutions, and protect your organization against data loss.



How Classification Labels Enable End-User Security Awareness

Friday, June 17th, 2011

As much as we’d like it to, technology simply can’t protect our data 100 percent of the time. When it’s in databases, or travelling over a network, data can be encrypted, or can be protected with strict access controls. However, at some point in time, most of our business processes involve documents such as reports, spreadsheets, presentations and emails. Whenever we put information into these kinds of portable formats, it becomes harder to protect with technology. Applying classification labels to documents when they are created enables a level of security awareness among users. This extends our security policies into the realm of human information exchanges (as opposed to electronic exchanges between systems).

While the big picture view of security awareness and data classification may not be obvious, it’s worthwhile looking at the parallels between automated and manual information exchanges to appreciate the critical elements on the human side. 




Bulk Classification – Classifying and Marking / Labeling Large Numbers of Files

Friday, March 4th, 2011

As organizations mature their content protection strategies, they typically establish policies that ensure that all newly created documents and emails include proper classification. Once the information is classified, organizations can implement information security controls matched to the classification of the information.

However, most organizations have a large volume of legacy documents that have never been classified. This poses a problem for the organization’s information security policy. How can we bulk classify large numbers of legacy files so appropriate security controls can also be applied to these documents?




Security Risks and Considerations with Outlook Web Access – Part 2

Thursday, December 9th, 2010

In last week’s post, I discussed several ways to improve the security of Outlook Web Access. With built-in features like forms-based authentication, WebReady Document Reading, and OWA Segmentation, organizations have several configuration options for reducing the risk of web-based email. 

But what about security risks that aren’t so straightforward for technology to detect – risks like discussing corporate secrets in public places, or carelessly forwarding a sensitive email to the wrong recipients? Maybe back in the office users are more risk sensitive, but when they are in informal environments such as airports and home offices, their sense of caution is often minimized. This is where some well-timed, user-based education and warnings can really play a role in reducing the risk of inadvertent disclosure. 

Titus Message Classification for OWA is an important piece of this security puzzle. As a Carnegie Mellon University research experiment showed, if users are warned ahead of time about the security risks of sending sensitive information over the internet, they will be much less likely to send it. This is what Titus Message Classification for OWA does: it makes users stop and think before they send an email, helping them to make the right decisions for protecting their organization’s valuable information.



Export Control: Involve Your Users to Reduce Your ITAR and EAR Risk

Thursday, November 18th, 2010

If you work in the aerospace and defense industry, you’ve almost certainly heard of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). These U.S. regulations strictly control the import and export of defense-related equipment, software, and technology. With complicated rules and time-consuming compliance requirements, the ITAR and EAR pose a challenge for every organization that does business with the U.S. military.

But it’s not just companies working directly with the U.S. military that need to care about these regulations. You need to consider ITAR and EAR requirements if any of the following are true:

  • Your company is part of the global supply chain for an organization that works with the U.S. military. This includes suppliers who develop military components for larger aerospace and defense organizations. It can also include suppliers involved in non-manufacturing activities, such as translating manuals and designing product brochures.
  • Your (non-U.S.) company sends defense-related information to U.S. recipients, even if the information was developed completely outside of the U.S.
  • You are an individual who decides to start selling on eBay the military equipment that your brother stole from the U.S. Marine Corps (see story here, and eBay export control regulations here).

The consequences for non-compliance are high: fines, possible jail time, and potential debarment from exporting defense articles (a business killer for any aerospace and defense company).

So where do you start?

It may help to think of ITAR and EAR regulations as being similar to airport security regulations. Everyone hates airport security, just like no one particularly enjoys complying with ITAR and EAR. But the stakes are high: public safety, national security, and in some cases, global security.

With millions of travelers passing through airport security each day, the potential for security violations is high. Likewise, with employees exchanging technical information through electronic media such as email and web sites, the possibility of ITAR and EAR violations is enough to keep most export control officers up at night. As one ITAR official said about her company, “We have 91,000 potential violations per day – otherwise known as employees.”

The only scalable way to enforce the regulations is to involve the users. By starting with the user, you can drastically cut down on the number of inadvertent policy violations.

Airport security measures provide us with important lessons for how to do this:

  1. Educate users up front. Throughout the airport, prominent signs remind travelers what they can and can’t bring in their luggage. Travelers are given several chances to remove any forbidden items before they enter the security line. Similarly with export control, users can be reminded before they send an email or document that they need to comply with export policy. This provides users with an opportunity to fix any problems before the information is sent.
  2. Allow users to identify sensitive content. Maybe you really do need to bring that firearm to your next destination. But to avoid fines and a possible criminal charge, you had better identify your restricted luggage contents before you check your baggage. Similarly, there are many reasons why you may need to send export-controlled information through email or web collaboration tools. For example, your organization may need to communicate design details to multiple suppliers involved in a military project. That information needs to be properly identified and marked to establish that it is export controlled and requires special handling.

By involving the user up front, it is now easier to take the following steps to enforce policy downstream in the process:

  1. Apply special handling based on the content. Once the traveler has identified their restricted content, special handling rules can be applied. In the firearm example above, there are specific rules for how the firearm must be packaged and transported. Similarly, restricted content in email and documents can be given special protection, such as encryption and digital rights management.
  2. Examine the sender and destination. Before you fly, your name is checked against the No Fly list. You will also be asked about your destination – where you are going, where you’re staying, the purpose of your trip. Similarly, with export control, you can enforce policy based on both the sender and recipient. Does the sender have clearance to send this export-controlled information? Are any of the recipients a “foreign person”? Is the email going to a high-risk destination?
  3. Use technology to catch mistakes and intentional violations. It’s not enough to rely on the user 100%. People make mistakes, and sometimes they intentionally violate policy to achieve their goals. That’s why it’s not enough to declare that you are carrying no restricted items in your luggage; your luggage has to be screened by machines. It’s the same with export control; there is still a role for automated scanning of email and documents to detect restricted content before the information is sent. This serves as an extra check for the user, and deters malicious users from intentionally violating policy.
  4. Audit user behaviour. Just as a traveler’s travel history can be used to assess risk, an employee’s behaviour while handling email and documents can identify unusual activities and/or opportunities for education. By involving the user up front, you can also avoid the excuse of “I didn’t know” and make the user more accountable for their actions.
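As an added illustration of the four downstream steps above (this is example code written for this page, not Titus software or anything from the original post), the Python below evaluates an outbound message the way a label-driven gateway would: a user-applied classification label, assumed here to travel in an `X-Classification` header, selects the special handling; the sender and every recipient are checked against cleared lists; an automated keyword scan acts only as the backstop for mail the user left unlabeled; and each decision is written to an audit list. The domain lists, the cleared sender, the keywords and the sample messages are all constructed data.

```python
from email import message_from_string

# Constructed sample policy data (not from the post): domains approved to receive
# export-controlled content, senders cleared to send it, and backstop scan phrases.
APPROVED_DOMAINS = {"prime.example", "sub.example"}
CLEARED_SENDERS = {"engineer@prime.example"}
BACKSTOP_KEYWORDS = ("itar", "export controlled", "technical data package")
AUDIT_LOG = []  # step 4: one record per evaluated message


def evaluate_message(raw):
    """Decide how to handle one RFC 822 message and record the decision."""
    msg = message_from_string(raw)
    label = (msg.get("X-Classification") or "").strip().upper()  # assumed label header
    sender = msg.get("From", "").strip().lower()
    recipients = [r.strip().lower() for r in msg.get("To", "").split(",") if r.strip()]
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    findings = []

    # Step 3: the automated scan is the backstop for mail the user left unlabeled;
    # a label already supplies the context a content scanner would have to guess at.
    if not label and any(k in body.lower() for k in BACKSTOP_KEYWORDS):
        findings.append("unlabeled-but-scan-hit")
        label = "EXPORT-CONTROLLED"  # treat as controlled until the sender labels it

    if label == "EXPORT-CONTROLLED":
        # Step 2: examine the sender and every destination.
        if sender not in CLEARED_SENDERS:
            findings.append("sender-not-cleared")
        uncleared = [r for r in recipients if r.split("@")[-1] not in APPROVED_DOMAINS]
        if uncleared:
            findings.append("uncleared-recipient:" + ",".join(uncleared))
        # Step 1: controlled content that passes the checks still gets special handling.
        action = "block" if findings else "encrypt-and-send"
    else:
        action = "send"  # other labels, or unlabeled with no scan hit: no needless block

    record = {"sender": sender, "label": label or "UNLABELED", "action": action, "findings": findings}
    AUDIT_LOG.append(record)
    return record


SAMPLE_MESSAGES = [  # constructed samples, one per branch of the policy
    "From: engineer@prime.example\nTo: qa@sub.example\nX-Classification: EXPORT-CONTROLLED\n\nDrawing rev C attached.\n",
    "From: engineer@prime.example\nTo: buyer@overseas.example\nX-Classification: EXPORT-CONTROLLED\n\nSpecs attached.\n",
    "From: intern@prime.example\nTo: friend@webmail.example\n\nHere is the technical data package you asked for.\n",
    "From: hr@prime.example\nTo: all@prime.example\nX-Classification: INTERNAL\n\nHoliday schedule.\n",
]
```

Running `evaluate_message` over `SAMPLE_MESSAGES` yields encrypt-and-send, block (uncleared recipient), block (unlabeled scan hit plus uncleared sender and recipient) and send, with every decision left in `AUDIT_LOG`.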

Let’s not kid ourselves: ITAR and EAR compliance, just like airport security, is not easy and it’s not cheap. But when you involve the user, you have the potential to dramatically lower the cost and increase the effectiveness of your compliance program.

In my next post, I will discuss specific technologies for how you can involve your users in your export compliance program. In particular, I will show how Titus security and compliance solutions address each of the items above, to provide a low cost, high impact solution that reduces your ITAR and EAR risk.



ISO27001 – The difference between practicing and managing information security

Wednesday, November 10th, 2010

You’ve probably heard of ISO 27001, and may even recognize that it is just one in a series of ISO standards for Information Security. But learning a new standard can always be daunting, especially if you don’t have an incentive to do so. In this article, I’ll present some aspects of the ISO 27000 family of standards that make them worth learning and using in your organization.

Most importantly, organizations that have been “practicing” security for some time may find that they have not been getting much traction or return on their efforts. This could be because their information security practices are not being “managed”. This is where the concept of the Information Security Management System (ISMS), a core part of the ISO 27001 standard, comes in.




CUI: Unclassified Information Isn’t Always Public

Tuesday, November 2nd, 2010

The United States Government is currently going through a review of how it labels and handles “Controlled Unclassified Information”. In May 2008, President George W. Bush issued a Memorandum for the Heads of Executive Departments and Agencies on the Designation and Sharing of Controlled Unclassified Information (CUI) to replace the existing “Sensitive But Unclassified” (SBU) Information Sharing Environment. The National Archives and Records Administration (NARA) was appointed as the Executive Agent for implementation and oversight of the CUI program. In this article we’ll look briefly at some of the important elements of the CUI Framework, and their impacts on how unclassified information is handled in the US Government.




Information Marking for Greater Security Awareness

Tuesday, September 7th, 2010

It’s hard to expect staff to handle a document securely if there aren’t any security markings on it. One of the original and most important purposes for document security classification – even before computers began relying on it for enforcement of policy – was to inform readers of a document’s sensitivity, and how to handle it securely. As unreliable as it may sound, people were actually the first enforcers of security policies. This means that no matter who handled the document, it had to be easy for them to recognize its classification and decide on which handling procedures were applicable. That’s why you may see (if you have the appropriate clearance) sensitivity markings such as TOP SECRET in large text on the front cover and on every page of a very sensitive military document.