Make a start by writing down answers to the following:


• Where is confidential information kept in your organisation?


• In how many different places can it currently be found?


• Are multiple copies routinely created of confidential information?


• How many different access methods are there to this information?


• What size community of users has access to it?


• What controls are there over who can access what, where, and when?


Armed with your answers you may begin a process of prioritisation, focusing on where your most leak-worthy data is kept. Target areas where the greatest quantity of the most confidential information is held, made available to the largest user community, with the minimum of controls.


2. Know if you are a target


Some organisations attract leaks because they are repositories for particular confidential information, or because the information they hold is highly newsworthy; others find themselves subject to leaks because their employees sometimes struggle with difficult and conflicting concerns about the nature of their work. While your newsworthiness may fluctuate over time, certain sectors tend to experience a perennial popularity with leakers. If you are in the energy, pharmaceutical, government, or banking sectors, you should consider yourself a prime candidate for leaks at this time. Companies engaged in arms manufacture or doing any kind of business in troubled parts of the world are likewise a target. Are you an aggregation point for sensitive information from several of the sources above? If you operate a law or consultancy firm, or any other business entrusted with sensitive information from clients in these industries or geographies, then you will be a target for leaks.


3. Diligence and statutory obligations (Compliance)


As a minimum, you, as the designated Information Security officer, should ensure your organisation's awareness of, and adherence to, the minimum standards for compliance. Failure to do so will eventually become a problem that lands at the office door of the CSO (or equivalent; most UK firms do not have a CSO). Confidentiality and privacy are key tenets of several pieces of compliance legislation designed to protect the information of individuals, particularly where you may be required to hold personally identifiable information. However, you may have obligations even if you do not handle this kind of information. Of particular relevance to UK companies are the Data Protection Act, the UK Corporate Governance Code, the Freedom of Information Act, and, for many, PCI. All of these have Information Security connotations, although some are more oblique than others.


© CITY SECURITY MAGAZINE – SUMMER 2015


4. Segment your data


Do you currently segment your sensitive information, or do you maintain a single monolithic store for all confidential material?


If a potential leaker were to gain access to that store, what is the scope of disclosure that you might suffer? By segmenting your sensitive data you have a better chance of limiting the scope of a leak.


• Segment by status: active client versus inactive/former clients.


• Segment by "security level" of the information: secret, confidential, unclassified.


• Segment by time: don't keep files for completed projects with the currently open client files.


• Segment by user/group: litigation versus patent, analysts versus sales, buy-side versus sell-side.


Segmenting your sensitive information sounds complicated, but it can be as simple as not keeping project files older than 3 months in the same place as current files, along with a process for individuals to obtain access to the archive with the proper authorisation and oversight. Increasingly, email is used as a long-term information store, despite the huge problems created by doing so; secure email archiving and retrieval products can provide the same segmentation of email that you would have with traditional file stores.


Enforcing the most basic file-folder security on drive shares (by user, by group), or more complex access control lists (if supported by your storage), can dramatically reduce your vulnerability to a leak.
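The two checks just described (the "older than 3 months" archive rule and basic permissions on a shared folder) can be audited with a short script. This is an added example, not code from the article or from 360is; it assumes a POSIX file system where the "other" read bit is what exposes a file to every account, builds a constructed sample share in a temporary directory, and uses a 90-day cut-off.

```python
"""Audit a file share for two segmentation gaps: stale project files kept
beside current ones, and files readable by every account on the system."""
import os
import stat
import tempfile
import time
from pathlib import Path

STALE_AFTER_DAYS = 90  # the "older than 3 months" rule from the article


def find_stale_files(root, stale_after_days=STALE_AFTER_DAYS, now=None):
    """Return files under root not modified within stale_after_days."""
    now = time.time() if now is None else now
    cutoff = now - stale_after_days * 86400
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.stat().st_mtime < cutoff)


def find_world_readable(root):
    """Return files and directories under root with the 'other' read bit set."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.stat().st_mode & stat.S_IROTH)


def build_demo_share():
    """Constructed sample share (not real data): a fresh group-only file, a file
    last touched 120 days ago, and a file left world-readable."""
    root = Path(tempfile.mkdtemp(prefix="share-audit-"))
    current = root / "current"
    current.mkdir(mode=0o770)
    for name in ("report.docx", "old_brief.docx", "public_notes.txt"):
        f = current / name
        f.write_text("constructed sample content\n")
        os.chmod(f, 0o660)  # owner and group only, as a share ACL should be
    old = time.time() - 120 * 86400
    os.utime(current / "old_brief.docx", (old, old))
    os.chmod(current / "public_notes.txt", 0o664)  # the misconfiguration
    return root


def audit_demo():
    """Run both checks over the constructed share; returns (stale, exposed) names."""
    root = build_demo_share()
    stale = [p.name for p in find_stale_files(root)]
    exposed = [p.name for p in find_world_readable(root)]
    return stale, exposed
```

Point `find_stale_files` and `find_world_readable` at a real share root to get the list of files to move to the archive and the list whose permissions need tightening.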


Finally, do you individually encrypt the most sensitive documents, or indeed any documents, in your organisation? Encryption of individual documents or individual client folders is another way of limiting widespread uncontrolled disclosure of confidential information. It is not difficult to imagine a regime of individual passwords for individual projects, clients, or business units.


5. The human element, a matter of staff maturity and common sense


Don't give low-level or casual staff a high level of security clearance; this includes staff working in IT. Of course, for the phrase "low or high level" to have any meaning at all, you first need to have implemented something from (4).


Regardless of employee seniority or access, some staff may still feel compelled to leak. What then? Consider establishing an internal ethics board where staff can take their concerns and have them heard. However, your best chance of preventing information leaks comes during the initial staff recruiting and vetting process. Do you vet staff who regularly handle highly sensitive or client confidential information?


www.citysecuritymagazine.com


Some organisations have a regular rotation of staff, preventing any one person getting too comfortable (and possibly carefree) with sensitive information. In some cases this is an option, but for most firms it does not fit their operational model.


6. Handling a leak


Sooner or later your confidential information will escape either accidentally or with help from an external hacker or an insider with access. Once this happens, it is the way in which your organisation handles the leak that partly determines total cost to your organisation in terms of reputation and revenue loss.


• At what point do you inform your clients if there are potential implications for them?


• Who will handle enquiries from the press?


• What assurances will you offer partners, suppliers, and customers/clients that information concerning your business dealings will be better protected in future?


• How can you "get ahead of the story" and start taking control of the incident?


• Put a plan in place now


• Rehearse that plan periodically


• Use external professional crisis management if you lack relevant experience in-house


• Understand any legal obligations to clients, partners, and the regulator


• Ensure the right personnel are press/media trained


Bring in a professional response team that has handled these types of situations before. Most managers are not trained in dealing with the media and can quickly find themselves in an awkward position without proper preparation.


While it may be impossible to guarantee that your confidential information will stay that way, by working with an information security professional to implement the advice in this article, you can significantly reduce the chances of the kind of widespread leak experienced by many UK companies in recent years.


Nick Hutton, Director at 360is Limited


www.360is.com

