Proactively keeping non-public information out of the public realm.

May 29, 2007 at 01:19 PM

By now, it should not surprise you that sensitive and confidential data is on your network. Corporate strategy and intellectual property, staff working and personnel files, customer and partner account requirements, client identification numbers and histories, even competitor documents: you name it, it is out there somewhere, on your network. The fact that it is there is not always your fault; often staff make exposed copies, without your knowledge, in the process of doing business. However, whether or not it was your decision to have and hold the data, it is your responsibility to secure and protect it. Failing to do so surely will cost your organization. The manner and integrity with which you do this (how well you control this data and what practices and technology you use to manage it on an ongoing basis) make all the difference to regulators, and to your bottom line.

The Elusive Data-at-Rest

While all critical data must be sheltered, the real information security challenge centers on that truly elusive data set: the unstructured portion of the data pool (we are talking about the millions of files scattered across your network storage devices, servers, laptops, and desktops), into which organizations have little visibility. These files (PDF, PST, Excel, Word, etc.) often encompass 70 to 80 percent, on average, of an organization's data pool and almost always represent multiple terabytes, even petabytes, in volume. This information often is described as "data-at-rest" (as opposed to "in-motion") because it sits on disk drives, waiting to be accessed by the right, or wrong, person.
In its March 2006 report, "Protecting Confidential Data," the Enterprise Strategy Group estimated 95 percent of unstructured data types are confidential in nature. Even a slightly smaller percentage remains startling. Under most traditional scenarios, however, this data, contained in documents, emails, spreadsheets and the like, is accessible yet especially difficult to identify, track, and, therefore, protect. Even the most stringent intent to protect and the most calculated data storage policy can be exposed, even deteriorate, by the sheer nature of the data and its use, which again stems from the classic necessities of doing business. Operational realities, such as the need to consider, copy, manipulate, share, update, and review information, as well as the likelihood of dispersed storage and multiple, often disk-drive-based, copies, put chinks in the armor of traditional best-practice data security measures. The bottom line is, despite best efforts, for the largest slice of the data pie, most organizations do not know all of the places where sensitive and confidential data resides, let alone have the chance to incorporate it into reliable information security practices. When it comes to information security, unstructured data typically has the least visibility and, therefore, generally the lowest level of protection.
Hey, Breach Happens

Left unattended, whether the organization is aware of it or not, the large majority of entities experience a data-at-rest security breach. End of story. Breaches happen. Without a targeted, all-encompassing, automated, proactive solution (a dependable method of finding and protecting unstructured data regardless of locale), an information security breach is a given for this data class. The most common concerns are exposing non-public information and the possibility of data being corrupt or lost forever, whether due to unintentional error or outright theft. Equally concerning is the possibility that inappropriate materials reside on the network. Whether it is a client's credit card number, new product design specifications, or an inappropriate employee download, largely unidentified and unsecured, every organization in practically any industry faces increasing risk and liability because someone who should not have access to information might gain access. Each day brings news of serious violations. Behind the scenes, real-world examples of potential breaches discovered before they could occur include an audit at an accounts receivable company, which exercised legislative compliance and demonstrated its ability to protect client data to its auditors. The discovery revealed approximately 4,000 violations in 400,000 files searched. In another real-world case, a payroll processing company discovered the social security number of its own CEO was out on the corporate network.
The Law Is Not on Your Side

Because risk is assumed, in order to defend those affected by a security breach and to encourage organizations into better solutions, a growing list of regulations (primarily federal, but also global and stateside) is emerging to address the common failure points and the possible negative consequences. All corporations have heard of the Sarbanes-Oxley Act, SEC 17a-4, and the Statement on Auditing Standards. Customer-focused organizations know about Gramm-Leach-Bliley. Those in healthcare adhere to HIPAA. The financial services sector deals with the Payment Card Industry Data Security Standard. And, in one of the very newest regulatory developments, on May 3, 2007, lawmakers in the nation's capital took the first step in passing the overarching Personal Data Privacy & Security Act and the Notification of Risk to Personal Data Act (which were passed by Senate committee and introduced into the full Senate).
Meant to be a double-fisted punch in the fight against identity theft, the laws specify directives and increase liability associated with breaches to the protection of individually identifying data. Both the party failing to protect and any party or parties benefiting from that failure can be prosecuted. So, while certain industries are subject to very particular laws, and personal data is to be protected with the utmost care, all organizations must take and demonstrate effort to prevent a data-at-rest information security breach. No matter what type of business or industry, data that is meant to be maintained as private cannot go public due to obvious neglect. A savvy organization will act fast to protect (or eliminate, should it wish) sensitive, unstructured data on the network.

A Breach Will Cost You

While published estimates of the actual cost of a single data breach (inclusive of direct and indirect costs) [...] And, should the breach be severe, or, perhaps, go uncorrected for long enough, the implications are much worse. A systemic breach problem may cost your business. Per incidence, a few expected costs may include legal and public relations fees as well as costs associated with changes in auditing processes, security procedures, or customer notifications. While immediate order cancellations can be tracked, lost opportunity costs, which will vary by industry and circumstance based on supplier switching ease, are the biggest unknown. Even the mere mention of a breach opportunity coming to pass can cause long-term organizational credibility and valuation to plummet. Those trying to develop a methodology for calculating organization-specific costs can follow industry analyst group guidelines, including some suggestions put forth in the April 10, 2007 Forrester Research [...]
Take Proactive Action

Without question, unstructured data security best practices incorporate detailed assessment services aimed at determining the level of threat and the actions to take. The newest federally proposed personal data protection legislation actually requires a risk assessment to identify reasonably foreseeable vulnerabilities. Being proactive in complying with regulatory requirements, as well as avoiding business bottom-line perils, means any actionably valuable assessment must include the following:

• Definition of what is at risk (by file type, search term, location area)
• Identification of all non-public data
• Calculation of risk exposure as well as an estimate of data disclosure or loss
• Labeling of approved storage available for indexing and archival
• Establishment of policies, procedures, practices, and a continuous solution plan
• Presentation of analysis and findings

With an assessment in hand, so that data protection is up-to-date, implementation of any solution plan must include determination of how to safely automate:

• Identification processes,
• Migration processes,
• Encryption methods, and
• Access permissions.

Without technology-based automation, organizations leave room for manual inaccuracy. As such, even the most comprehensive assessment can fail to equip a company.

The Pivotal Role of Technology

While enterprise content management (ECM) solutions do something to assist in the unstructured data identification process, ECM carries an organization only part-way to where it needs to go. On average, an organization may only have 5 to 10 percent of its files in an ECM repository, leaving the large majority of files, and any associated sensitive and confidential information, unidentified and, thus, open to security breach. Tested technologies, from dependable companies with top-tier solution partners, are on the market today to automate and fully carry out the task of attending to all files scattered across enterprise networks and not residing in an ECM repository. The right technology solution also will:

• Increase visibility and understanding of files on corporate networks,
• Reduce discovery times,
• Reduce unnecessary stores (duplicate/outdated copies, inappropriate downloads),
• Limit sensitive and confidential data proliferation on a regular, scheduled basis, and
• Deliver reports for auditing purposes.

The best technology:

• Addresses a comprehensive list of data types,
• Performs irrespective of physical location and across distributed architectures,
• Centralizes unstructured data protection,
• Deploys quickly and easily,
• Integrates with existing infrastructure, and
• Scales to future requirements.

Most importantly, a combined assessment-technology solution permits an organization to stop harmful practices in their tracks, before they cost a cent in liability or loss.

Questions to Ask When Determining Your Ideal Unstructured Data Management Solution

When searching for the ideal unstructured data management solution to install on your network, ask yourself the following questions:

• Does the solution crawl, classify, tag, and report on sensitive data?
  - Does it offer support for various file types, including .doc, .pdf, .pst, and more (including DICOM, MS Access, FoxPro)?
  - Does it include terminology/keyword searching, Boolean support, pattern matching, and rule-based extraction?
• Is the search process automated?
  - Is continuous security scanning and monitoring included?
• Is the data easily managed, to enforce policies and permissions?
  - Is the data moved to the approved storage location?
  - Do options include copy, delete, migrate, and encryption?
  - Is manual intervention allowed?
• Can the solution scale to identify and index billions of documents?
• Is the product non-disruptive to my existing environment architecture? Does it require additional software?
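The crawl, classify, pattern-match and report loop that the assessment steps and the questions above describe, as an added example that is not code from the article or from Kazeon: a small Python crawler that walks a directory tree, classifies plain-text files by extension, runs regex rules for social security and payment card number formats (card candidates are also checked against the Luhn checksum so that arbitrary 16-digit runs are not reported), flags a "confidential" keyword, and produces a masked findings report fit for an auditor. The rule set, the file-type list, the sample files and every name in it are constructed for the example; real products add format-specific text extraction for PDF, PST and Office files, which this example does not attempt.

```python
"""Added example: a minimal data-at-rest crawler (hypothetical; not Kazeon's product)."""
import os
import re
import tempfile
from collections import Counter

# Constructed detection rules: label -> regex. Payment-card candidates are
# additionally validated with the Luhn checksum to cut false positives.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "keyword": re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE),
}

# Assumed list of plain-text extensions the crawler can read directly.
# Binary formats (PDF, PST, DOC) would need a text-extraction step first.
TEXT_TYPES = {".txt", ".csv", ".log"}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(label: str, value: str) -> str:
    """Keep only the last four digits so the report does not re-expose the value."""
    if label == "keyword":
        return value
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> list:
    """Apply every rule to `text`; return (label, masked_value) pairs."""
    hits = []
    for label, rx in RULES.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if label == "card" and not luhn_valid(value):
                continue        # looks like a card number but fails the checksum
            hits.append((label, mask(label, value)))
    return hits


def scan_tree(root: str) -> dict:
    """Crawl `root`, classify files by extension, and collect findings."""
    report = {"files_scanned": 0, "by_type": Counter(), "findings": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TEXT_TYPES:
                continue        # classified as non-text; skipped in this example
            path = os.path.join(dirpath, name)
            report["files_scanned"] += 1
            report["by_type"][ext] += 1
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for label, masked in find_sensitive(text):
                report["findings"].append(
                    {"path": os.path.relpath(path, root), "label": label, "value": masked}
                )
    return report


# Constructed sample files: 4111 1111 1111 1111 is a well-known test card
# number that passes Luhn; 1234567812345678 does not. The SSN is made up.
SAMPLE_FILES = {
    "finance/customers.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,1234567812345678\n",
    "hr/payroll.txt": "CEO SSN 123-45-6789\nCONFIDENTIAL - do not distribute\n",
    "public/readme.txt": "Nothing sensitive here.\n",
    "public/logo.png": "\x89PNG not really an image\n",
}


def demo() -> dict:
    """Build the sample tree in a temp directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as base:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(base)


if __name__ == "__main__":
    r = demo()
    print(f"scanned {r['files_scanned']} files: {dict(r['by_type'])}")
    for f in r["findings"]:
        print(f"{f['path']}: {f['label']} {f['value']}")
```

Running the block scans three text files (the PNG is classified out by extension) and reports one card number, one SSN and one keyword hit; Bob's digits are dropped because they fail the checksum. Masking the matched values in the report is deliberate: a findings report is itself a new copy of the sensitive data unless the matches are redacted before it is stored or emailed to auditors.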
Lastly, look for a vendor that has industry partnerships with large, established vendors, to offer increased integration into different types of environments, and a proven track record to validate product excellence. Whatever product you choose to get the job done, it is possible to keep non-public information out of the public realm with the right solution. Hear this: the unstructured data challenge can be met.

Michael Marchi is vice president of solutions marketing at Kazeon Systems. www.kazeon.com