
Strategies to Mitigate Information Risk: Data Loss Prevention and Enterprise Rights Management

An ENTERPRISE MANAGEMENT ASSOCIATES (EMA) White Paper
Prepared for RSA, The Security Division of EMC, and Microsoft Corporation
June 2009

IT MANAGEMENT RESEARCH, INDUSTRY ANALYSIS AND CONSULTING

Table of Contents

Executive Summary
Introduction
Bringing a Strategy Together: A Closer Look at Preferred Tools
  Data Loss Prevention
  Enterprise Rights Management
Better Together: A Coordinated Approach to Combined DLP-ERM
  Protecting Customer Information
  In Health Care: Medical Records and Patient Information
  Protecting Valuable Intellectual Property
Protecting Sensitive Data with the Integrated Microsoft AD RMS and RSA Data Loss Prevention Solution
EMA Perspective
About RSA, The Security Division of EMC
About Microsoft Corporation

Strategies to Mitigate Information Risk: Data Loss Prevention and Enterprise Rights Management. © 2009 Enterprise Management Associates, Inc. All Rights Reserved.

Executive Summary

Sensitive information risk control has become one of the top priorities in nearly every organization. From customer data to intellectual property, confidential communications, and proprietary knowledge, privileged information is the lifeblood of many enterprises in today's knowledge-driven world.

The challenge is compounded by the fact that information can be found almost everywhere, from the data center to a wide and increasing range of endpoints and personal systems. It is shared and reproduced among business partners and customers as well as within the enterprise. Addressing this challenge requires more than a piecemeal collection of tools. It demands that every available resource be coordinated in an information risk control strategy.

Today, the technologies of Data Loss Prevention (DLP) and Enterprise Rights Management (ERM) have become increasingly important to businesses seeking to gain the upper hand on information risk. Though each is valuable in its own right, their value can be amplified significantly when they are used in concert.

In this paper, Enterprise Management Associates (EMA) highlights the complementary values of Data Loss Prevention and Enterprise Rights Management when they are integrated in a strategic approach to information risk control. Specific examples show how DLP can apply an ERM policy to enable persistent protection of information that DLP technology has discovered. Those responsible for the protection of information will gain a greater appreciation of how an integrated DLP-ERM solution improves the efficiency and value of both technologies, through the expanded content and identity awareness the two provide when working together, strengthening the foundations of an information risk management strategy.

Introduction

In the modern enterprise, sensitive data can be found just about everywhere. The data center may be at the heart of the information processing on which the business depends, but people interact with that data on endpoints ranging from fully equipped desktops to kiosk browsers and increasingly capable mobile devices. Data is communicated via secure tunnels and purpose-built applications, but it may just as often be shared among corporate staff or delivered to business partners, customers or others via email or a growing variety of other communications media, often in a human-readable format accessible to anyone who obtains it. Web applications manage and deliver a large proportion of the most sensitive information, but so does everything from community portals to desktop spreadsheets.

As newer forms of interaction such as social networks make themselves felt in the enterprise, these additional channels raise the stakes for information protection, particularly considering the often viral way in which new tools for information sharing proliferate. Even within the more disciplined world of the data center, sensitive information may be distributed across storage, application and networking systems, and may or may not be adequately secured, whether at rest, in transit or in use.

This is the information risk management challenge. It is one of the greatest facing the enterprise today, as evidenced by the astounding number of data breaches that continue to plague organizations worldwide. According to the Privacy Rights Clearinghouse (http://www.privacyrights.org), more than 261 million data records of U.S. residents have been exposed due to security breaches since January 2005, a figure that represents only part of a global total that some estimate to be significantly higher.

The sheer scope and scale of the challenge means that businesses must consider every weapon available to combat information threats. Too often, however, tools are deployed in isolation from each other, without adequate coordination of their mutual strengths. Such approaches are not only inefficient, they can also introduce coverage gaps and frustrate efforts to follow the movement of sensitive information wherever it may be found and however it may be used. This calls for a strategy for coordinating protection, rather than a piecemeal approach.

Bringing a Strategy Together: A Closer Look at Preferred Tools

Data Loss Prevention (DLP) and Enterprise Rights Management (ERM) are two technologies that can be leveraged along with other technologies, process changes, and end-user education as part of an overall strategy for information risk control. Used together, they can protect sensitive data more effectively.

Data Loss Prevention

The technology of DLP is purpose-built to automate a wide range of information risk management objectives. Today's DLP tools incorporate the content-aware ability to recognize, find and classify sensitive information; correlate user identity with policy and identify actions that pose risk; apply appropriate policy enforcement; and increase awareness of information risk events throughout the enterprise. The rise of DLP technologies can be attributed not only to the alarming increase in data breaches, but also to a realization that individuals can handle sensitive information inappropriately for a number of reasons, from truly malicious intent to inadvertent disclosure. In a time of economic turmoil such as the present, these risks are amplified while the ability of the enterprise to tolerate and absorb them is sharply diminished.

This means that in the current economic climate, enterprises are looking to DLP to address a number of information risk challenges. Because companies are laying off substantial numbers of staff, corporate executives will be highly concerned about the sensitive information that former employees may take with them. For this reason, today's sponsors of a DLP budget may well sit at the highest levels of an organization.

Most DLP products are designed to work across a range of environments, from the data center to the network and individual endpoints, often integrating directly with the storage and document management systems where many enterprises manage their most privileged information assets. This positions DLP well for controlling risk at the point of information access or use as well as at network gateways. But loss prevention must extend to wherever sensitive information moves, particularly when it leaves the direct control of the organization. This requires tools that assure the consistent application of policy that follows information objects such as files and documents, wherever they go and however they are used.

Enterprise Rights Management

This is where the technology of Enterprise Rights Management (ERM) can help. ERM offers a way to apply policy directly to information throughout the lifecycle of creation, access, sharing, modification, storage, and expiration. ERM gives information creators and owners control over the ability to read, write, modify or distribute digital information objects such as files and documents, or to transform them into other formats such as hardcopy printouts. It does this by integrating usage controls directly into tools such as word processors, spreadsheet and email programs, collaboration portals, or other information creation, access and editing environments. As with DLP, this requires a strong linkage with identity management to correlate policy with individual actions and use. Content owners can select an appropriate set of rights depending on the nature of the information and its intended recipients and use. Policy is evaluated when recipients (or others) seek access, and enforcement is applied at the point of access. This enables information risk control to travel with sensitive information, regardless of how widely it may be distributed, even beyond the boundaries of the enterprise.

ERM supports a content-aware information risk strategy by linking technologies such as identity management and encryption with usage restrictions, which helps to close one of the most troublesome gaps in an information risk control strategy. It can also extend a strategy by protecting information regardless of location, whether inside or outside the enterprise. This is particularly important in light of the increased emphasis enterprises place on information sharing and collaboration, both internally and with business partners. ERM can help control the circulation and distribution of information shared in a collaborative environment, which can increase the confidence placed in collaboration. This helps businesses make the most of collaboration opportunities while providing a greater measure of policy control over shared information.

What would make the application of content-aware ERM policy even more comprehensive and consistent? One potentially very potent answer lies in the ability of DLP to automate the application of information risk control policy throughout the enterprise based on the sensitivity of the data itself.

Better Together: A Coordinated Approach to Combined DLP-ERM

Many enterprises may not yet fully recognize that the technologies of DLP and ERM are highly complementary. DLP can automate the consistent application of policy based on a number of factors such as the nature of the information; when, where and how it can be shared appropriately; its legitimate recipients; and the media used to communicate it. This simplifies data protection, since it reduces reliance on end users to apply the appropriate ERM policy to protect sensitive data. When coupled with the capabilities of ERM for applying persistent protection to information regardless of where or how it may be used, these two technologies can together provide more comprehensive coverage for sensitive information throughout its lifecycle, whether at rest, in use, or in transit, wherever it may go.

For example, a DLP policy can be created to discover and protect sensitive information. With an ERM policy imported into the DLP system, DLP can engage ERM to apply persistent ERM protection automatically to discovered content. DLP discovery capabilities can extend ERM even further, by applying ERM protection to content created before the introduction of ERM in the environment, as well as to unprotected content created in an enterprise where ERM already exists. DLP augments this control with identity-aware enforcement of policy in the proper handling of information. Together, integrated DLP and ERM provide content- and identity-aware policy enforcement for information at rest, both in the data center and at the endpoint, as well as when information is communicated via a network. Such an integrated approach enables an application of policy that is both consistent (thanks to the enterprise-wide scope of current DLP approaches) and persistent (owing to the capabilities of ERM).

The combination of these technologies can do more than expand the consistency of policy enforcement, close risk exposure gaps, and increase confidence in information sharing and collaboration. It can also make policy definition and enforcement more efficient, which may in turn help drive down the total cost of comprehensive policy assurance by optimizing technology integration. A number of examples illustrate these values.

Protecting Customer Information

Nearly every industry has a mandate to protect the sensitive information of its customers.
Virtually every entity that accepts payment cards must comply with the requirements of the Payment Card Industry (PCI) Data Security Standard, while a given vertical market may have its own requirements, such as the Gramm-Leach-Bliley Act (GLBA) in banking and financial services. A growing number of US states have adopted their own privacy regulations, and on a multinational scale the European Union's Data Protection Directive has been on the books for years. Even when requirements are not as explicit as these examples, regulators such as the US Federal Trade Commission have made it clear that they will pursue the mishandling of sensitive information as part of their enforcement of fair trade practices.

Many compliance mandates specifically reference encryption as part of their requirements, but the inconsistent application of encryption can lead to gaps in a compliance strategy. Furthermore, encryption is but one tool available for tackling the challenge of information risk, and its effectiveness may be limited if it is applied without awareness of the sensitivity of the content and of the identities and privileges of information owners and recipients alike. Given the scope of the challenge, an effective strategy must take advantage of as many opportunities to protect customer information as possible.

This is where DLP and ERM can complement each other in the comprehensive protection of information, particularly when customer information is shared among a number of groups or business partners. Customer data may be collected in the sales process, but it will not disappear once an order or request is fulfilled. It will be retained to provide customer support, and may be shared with external contractors or other partners as part of long-term customer satisfaction. Once obtained, the Personally Identifiable Information (PII) of customers can be used to capitalize on future opportunities, a fact not lost on departing personnel who may seek to exploit their access to customer information.

DLP can invoke ERM to apply persistent protection to customer information throughout its lifecycle. This assures that those who had authorized access to customer data do not continue to have access once their employment changes or is terminated. When access is legitimate and authorized, DLP can assure that the data is not handled inappropriately or distributed beyond the enterprise in conflict with policy. When it may be shared, ERM can help assure that persistent protection remains with the information, even in a partnership or collaborative environment, so that only authorized recipients can access it. In addition, ERM can determine the current status of an access requestor and deny access when appropriate, even when protected customer information is stored outside the enterprise, a particular concern in light of continuing layoffs.

In Health Care: Medical Records and Patient Information

Recent attention has focused on the dire need in the health care industry to move records away from legacy paper documents (still almost unbelievably prevalent in this industry) and toward a more modern approach to digital information management. With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009 (ARRA), the health care industry has been both funded and mandated to modernize health care information. It has also been mandated to protect that information, with encryption specifically referenced by initial guidance from the US Department of Health and Human Services for those subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). However, without an approach that gives the enterprise realistic control over its obligations throughout the lifecycle of health care information, adapted to the ways people actually use that information, these initiatives are at risk of stumbling over the same obstacles that have hamstrung data privacy initiatives in the past.

With an approach that integrates DLP with ERM, health care organizations can go far toward meeting their information privacy requirements. Equipped with a designated ERM policy, DLP can automate the application of encryption to sensitive documents such as patient data, as well as a range of other ERM protections such as copy or print prevention, at the time when health care information is first collected: at an initial patient visit to a practitioner's office, for example, or during inpatient evaluation in a hospital equipped with mobile devices for caregivers. These ERM protections remain persistent throughout the lifecycle of health care information. They protect patient data when it is shared in a collaborative environment, during a specialist consultation or allied practitioner referral, for example, while DLP can enforce limitations on copying data to prohibited devices or emailing protected information beyond approved environments such as authorized health care applications or collaboration platforms. Authorized individuals or groups may be permitted to modify information, updating medical history or treatment plans as needed, while other content remains secured. These protections remain persistent in storage as well as in use or in transit. When data retirement is required, documents can be expired through ERM policy.

Protecting Valuable Intellectual Property

One of the greatest concerns of those who create and implement ideas is the protection of intellectual property. The viability of the business itself may depend directly on the ability to control unique or patentable work, or on the protection of creative content. Indeed, in industries from aerospace to pharmaceuticals, lives may depend on the integrity of formulas and designs, as well as the research data on which they are based. These matters, too, may be subject to regulation, as with pharmaceutical companies that must comply with 21 CFR Part 11 in the US.

Intellectual property is not always manifested as a formal design, formula, or other work. These final forms of IP are the fruit of a much greater body of information developed over time. A content-aware DLP system can recognize and discover intellectual property in its many variants, and can engage an ERM policy to apply controls directly to files, documents, designs, and other items considered a corporate intellectual asset. ERM can assure this protection in the long term, in many cases regardless of how or where information is managed, while DLP can control how information is handled when access is appropriate. Both can leverage awareness of identity controls to link content-specific policy with identity and access privileges.

These factors become even more significant when intellectual property such as an aircraft or weapons design, software source code, or a formula must go through the scrutiny and modification of a number of groups throughout its lifecycle, and when manufacturing involves an extended supply chain. These information assets may themselves be made up of a number of components provided by suppliers, contractors or other partners, who may also have their own concerns about the protection of their rights in intellectual property.

Here too, DLP can discover information that should be given this level of protection, and apply an ERM policy to items that may go through considerable transformation throughout their lifecycle, both inside the enterprise and beyond. DLP can place controls on how and where this information travels, and the conditions under which it can be appropriately accessed by partners and personnel alike. ERM can augment that control with protection for this information beyond enterprise boundaries and with granular usage policies: when in the hands of potential customers, reviewers, or other third parties, or in collaborative environments where control may be shared.
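The sections above describe a division of labor: content-aware DLP discovers sensitive documents and hands each one to ERM, which encrypts it and binds it to a rights template, and ERM then evaluates policy each time someone asks to use the document, refusing leavers, refusing rights a recipient was never granted, and retiring documents once their expiry date has passed. The following is an added example that models that flow in Python; it is not RSA, Microsoft or EMA code and uses no vendor API. The SSN and card-number detectors, the Luhn check, the "Customer-PII" template, the directory entries and the sample file repository are all constructed for illustration, and the SHA-256 counter-mode XOR is a toy stand-in for the AES protection a real ERM service applies.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set

# ---- DLP side: content-aware discovery (constructed detectors) ----------------------
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digit card-number candidates

def luhn_ok(digits: str) -> bool:
    """Mod-10 check; rejects most digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)      # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> Optional[str]:
    """Return the ERM template a document should receive, or None if nothing sensitive is found."""
    if SSN_RE.search(text):
        return "Customer-PII"
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "Customer-PII"
    return None

# ---- ERM side: protection travels with the object, policy is evaluated at access -------
@dataclass(frozen=True)
class Template:
    rights: Dict[str, Set[str]]      # principal -> granted rights, e.g. {"view", "edit", "print"}
    expires: Optional[date]          # None means the document never expires

@dataclass(frozen=True)
class ProtectedDoc:                  # what leaves the enterprise: ciphertext and a policy reference
    doc_id: str
    template: str
    ciphertext: bytes

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode cipher standing in for the AES protection a real ERM applies.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class RightsServer:
    def __init__(self, templates: Dict[str, Template], directory: Dict[str, str]):
        self.templates = templates
        self.directory = directory          # identity store: principal -> "active" | "terminated"
        self._keys: Dict[str, bytes] = {}   # content keys are released only through request_use

    def protect(self, doc_id: str, plaintext: bytes, template: str) -> ProtectedDoc:
        """Called by DLP for each discovered document: encrypt it and bind it to a template."""
        self._keys[doc_id] = os.urandom(32)
        return ProtectedDoc(doc_id, template, _keystream_xor(self._keys[doc_id], plaintext))

    def request_use(self, doc: ProtectedDoc, who: str, right: str, today: date) -> Optional[bytes]:
        """Evaluate policy at the point of access; release content only if every check passes."""
        tpl = self.templates[doc.template]
        if tpl.expires is not None and today > tpl.expires:
            return None                     # document retired by ERM policy
        if self.directory.get(who) != "active":
            return None                     # leaver or unknown identity: old rights no longer honoured
        if right not in tpl.rights.get(who, set()):
            return None                     # known identity, but this right was never granted
        return _keystream_xor(self._keys[doc.doc_id], doc.ciphertext)

def dlp_sweep(repo: Dict[str, str], server: RightsServer) -> Dict[str, ProtectedDoc]:
    """Discovery pass over a file store: classify each document and hand the hits to ERM."""
    protected = {}
    for doc_id, text in repo.items():
        template = classify(text)
        if template is not None:
            protected[doc_id] = server.protect(doc_id, text.encode(), template)
    return protected

# Constructed sample policy, identity store and file repository.
TEMPLATES = {"Customer-PII": Template(expires=date(2010, 12, 31), rights={
    "alice@corp.example": {"view", "edit"}, "bob@partner.example": {"view"}})}
DIRECTORY = {"alice@corp.example": "active", "bob@partner.example": "active",
             "carol@corp.example": "terminated"}
REPO = {
    "crm-export.csv": "id,name,ssn\n17,Jane Doe,078-05-1120\n",
    "order-2291.txt": "card 4111 1111 1111 1111 exp 09/11\n",
    "lunch-menu.txt": "Tuesday: soup, order by 555-123-4567\n",   # phone number, not an SSN
    "invoice-ref.txt": "ref 1234 5678 9012 3456\n",               # 16 digits that fail Luhn
}

def demo() -> Dict[str, object]:
    server = RightsServer(TEMPLATES, DIRECTORY)
    protected = dlp_sweep(REPO, server)
    doc, today = protected["crm-export.csv"], date(2009, 6, 1)
    return {
        "discovered": sorted(protected),
        "alice_view": server.request_use(doc, "alice@corp.example", "view", today),
        "bob_edit": server.request_use(doc, "bob@partner.example", "edit", today),      # partner may only view
        "carol_view": server.request_use(doc, "carol@corp.example", "view", today),    # terminated
        "alice_after_expiry": server.request_use(doc, "alice@corp.example", "view", date(2011, 1, 1)),
    }
```

Calling demo() shows the sweep protecting only the two documents that actually carry sensitive content (the SSN export and the Luhn-valid card number), while the phone number and the Luhn-invalid digit string are left alone. On the protected file, the partner account can view but not edit, the terminated account is refused even though it once held rights, and nobody can open the file after the template's expiry date. What travels with the document is the ciphertext and a template reference, never the content key, which is what makes the protection persistent rather than bound to the network perimeter.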

Protecting Sensitive Data with the Integrated Microsoft AD RMS and RSA Data Loss Prevention Solution

Recognizing these many synergies, RSA and Microsoft have partnered to help companies reduce information risk through just such an integration of their data security solutions. The RSA Data Loss Prevention Suite is a comprehensive data loss prevention solution that discovers, monitors and protects sensitive data from loss or misuse, whether in a data center, on the network or at the endpoints. Microsoft Active Directory Rights Management Services (AD RMS) in Windows Server 2008 helps safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall, by protecting information through encryption and persistent usage policies.

Figure 1: The integration of Data Loss Prevention (DLP) and Enterprise Rights Management (ERM) enables the consistent and automated application of policy to persistent protection for sensitive information.

Together, the integration of the RSA DLP Suite and Microsoft AD RMS helps customers automatically discover sensitive documents at rest and apply RMS protection using a centrally managed set of policies. This reduces the risk of leakage and helps meet compliance requirements by protecting the most important data based on content and identity awareness.

With the integrated solution provided by Microsoft and RSA, customers can:

- Find and protect their most important information today with best-in-class DLP and ERM solutions
- Leverage data security processes and workflows already in place
- Reduce the cost and complexity of securing information across the enterprise

EMA Perspective

The information risk challenge is broad and daunting. It is one of the primary mandates of Chief Information Security Officers (CISOs), Chief Privacy Officers, and other risk management executives on whom fall the responsibilities of guiding an information risk control strategy. Those who fail to think in terms of a comprehensive strategy that embraces every available asset simply do not understand the scope and scale of the challenge.

This is the appeal of a combined approach that integrates the complementary strengths of Data Loss Prevention and Enterprise Rights Management. As the focus of strategy, a combined DLP-ERM solution can further extend the value of other weapons in the risk control arsenal. It expands the reach and impact of identity and access management, for example, with actionable tools that directly control access to information itself through ERM, and correlate identity and access privileges with the appropriate handling of information through DLP.

One of the most important aspects of risk management is the visibility throughout the environment required to understand the reality of information risk. When, for example, encrypted channels constrain visibility, organizations need a more complete set of tools to balance their privacy requirements with the need to maintain awareness of security and risk events throughout the environment. This is where a combination of tools such as integrated DLP and ERM can provide a greater range of options for how and where encryption is applied, providing content-specific protection that limits the need to encrypt network traffic that is meaningful to security operations teams. Other tools such as Security Information and Event Management (SIEM) can further enhance visibility in a combined DLP-ERM environment, alerting the enterprise when DLP policy issues arise or when ERM controls are put to work. SIEM can also pinpoint exactly when and where encryption has been applied, which improves risk event awareness while enabling the organization to make the most of privacy enforcement. SIEM further supports more complete visibility into information risk issues with data concerning the integrity of the IT resources that store, manage and process information, as well as detailed documentation of information access and use. These capabilities can also help the organization maintain a more granular record of risk control, which supports more comprehensive compliance.

As the centerpiece of a strategic approach to information risk management, an integrated DLP-ERM solution such as that offered by the integration of RSA Data Loss Prevention and Microsoft Active Directory Rights Management Services offers distinctive benefits for safeguarding information from unauthorized use. Such an approach provides persistent as well as dynamic protection, enabling greater confidence in the secure sharing of valuable information. When automated by integrated DLP and ERM controls, the approach enables the enterprise to define a centralized policy based on a practical risk model, protecting against sensitive information abuses and leaks, and helping to meet a wide range of compliance requirements.

Together, these tools represent an important fundamental step toward embedding security directly into infrastructure, helping policy management to align more closely with information itself.

About RSA, The Security Division of EMC

RSA, the Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle, no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user iden

