TODO
identify - sensitive and high-value data discover - location and accessibility of sensitive data classify - data according to value to the organisation secure - employ security controls and protection measures monitor - measure and evolve security practices
First, you need to build a strong foundation of knowledge around your data, to understand exactly what you hold and the potential risks to its security. identifying the types of data that are of greatest importance to the business, so you can pinpoint where you need to focus protection and controls.
Unknown data makes you vulnerable to attack. Cut retention costs, too, by disposing of redundant data
You need to establish:
what data you hold what is being collected what is being created where it's stored or located why you have it how sensitive it is, and who is accessing, using or sharing it.
Data discovery examine file stores and databases, scanning for certain types of information, key words, criteria and classification metadata.
Data needs to be classified according to its importance or sensitivity to ensure data is appropriately controlled. at the point of creating, editing, sending or saving.
automate the process, and human input.
who should have access to each type of data.
decide how many categories you’ll have. Aim for three or four such as Confidential, Internal only and Public. category relating to information that’s subject to regulatory controls – such as EU GDPR, ITAR controlled or HIPAA/HITECH restricted.
The EU General Data Protection Directive (Directive 95/46/EC) is designed to protect all personal data collected for, or about, citizens of the EU, in particular as it relates to processing, using, or exchanging data.
The US Health Insurance Portability and Accountability Act (HIPAA) is intended to improve the efficiency of the U.S. health care system by encouraging the widespread use of electronic data.
Data loss prevention (DLP) solutions. shield the business against intentional and accidental data loss by, for example, blocking employees from uploading a file marked ‘Confidential’ to Dropbox, or stopping a file containing credit card numbers from being emailed to a third party.
Email gateways which will automatically encrypt any file marked ‘Confidential’.
Discovery tools – enabling employees to rapidly locate information and understand instantly how it can be used.
Security incident and event monitoring (SIEM) tools that pick up on potentially risky user behaviour before a breach occurs – flagging up, for example, if someone keeps copying sensitive documents to a storage device.
Data governance - Who is accessing sensitive information, and who might be violating policy,
Data retention. Retention rules can also be set for different classifications.
To classify incoming and outgoing emails.
Advanced attack defence focusing on the application content
Allow releasable data to pass from a “high” system to a “low” system. For example “SECRET” content is always blocked from being released to “lowsystem.com” whilst “PUBLIC” content is allowed.
Allow safe data to pass from a “low” system to a “high” system
ATTACHMENT INVENTORY Append details of attached files (including their classification) to the end of an email - provides an attachment history and maintains awareness of original content, even when printed
Application of a Microsoft Rights Management Service (RMS) policy or invoke S/MIME encryption and digital signing
Apply security policy decisions before sensitive data either leaves or enters the organisation.
AUDITING & REPORTING Records classification events to support audit and management reporting requirements, providing visibility of user behaviour and allowing better targeting of security training and improved understanding of compliance position.
Automatically encrypt critical data automatically apply S/MIME protection according to the message classification.
Block messages and attachments containing viruses and dirty words
CLASSIFICATION ENFORCEMENT Option to require a user to classify each message – automating compliance with data classification and information assurance policies.
Classification of any attachments - including any nested content, whether inside another email or a zipped archive.
CONTENT CONSISTENCY Detect content that is inappropriate for a chosen label and advise the user on remediation. Checking is applied to the text of an email plus the content of over 65 attachment types – from simple text files through to complex documents and media files.
Different modules are available to enable specific features meeting requirements of standards including STANAG 4406, ACP123 and S/MIME Version 3 and RFC 6477 messaging standards
Ensure that only those with the relevant clearance levels are able to access documents.
METADATA MARKING Record classifications as metadata markings within the message headers – invoking and enabling other technologies such as Digital Rights Management, encryption and DLP.
Portion marking apply different classifications to sections of a message- providing granular control over the information
Users are warned when they try to send emails to recipients without the relevant permissions.
Visual and metadata marking which can apply security policy decisions before sensitive data either leaves or enters the organisation.
VISUAL MARKING Visual marking of messages mean that users are continually reminded of the importance of the information they’re sharing, making them more likely to value and protect it.
Where a message remains undelivered or unread after a set period of time, the message is forwarded onto a mailbox monitored 24 hours a day where action is guaranteed. Intended message recipients are sent a message explaining what has happened to the message.