So how do we get employees to think about the issues clearly? By implementing consistently enforced policies and user education/outreach. The following sequence defines the “best practice” steps for implementation. Most enterprises follow a “crawl, walk, run” approach to implementing data loss prevention, progressing through managed steps. (See my last post, Preventing Data Leaks Before They Occur, Part I, where I asked how we get employees not to become our biggest threat.)
Identify and classify all your information assets. This becomes the foundation for creating consistent policies for data at rest and data in motion. It should identify the information sources and who should have access. Establish the risk of exposure for each asset. Document how each asset is accessed to ensure there is appropriate protection in place to mitigate an attack or unintentional leak. Systems available by remote access must be secured with appropriate controls, such as firewalls, and should provide access only through encrypted tunnels.
Establish your access controls using a “deny by default” philosophy. While large organizations need to use role-based security from a manageability perspective, the roles should be managed for specific need and not provide users with access to more data than they require for their job.
Educate users on the proper handling of data, and how to act if they know of or suspect a data leak. The information must be institutionalized throughout the organization. There must be an easy way of finding out what is expected of users, and whom to contact for help. Give users tools for remediating some actions, like stopping an email, on their own. Implementing a passive set of actions for detecting, logging, monitoring and reporting can help strengthen your policies and better educate the enterprise. This could be as simple as logging user access to known malicious sites. (At Unisys there is a mandatory online course for all users. The training system records when each user passes the course. It is managed by the Unisys CISO.)
Implement a level of automated enforcement that is outside of user control. High-level controls that block access, enforce data encryption or stop redistribution (such as information rights management, IRM) can be very effective against incidents from insiders. You could also consider not giving users administrator privileges on their systems, which prevents unwanted software installation.
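The first three steps above, as an added example that is not from the original post: a deny-by-default authorization check over a classified asset register, where roles are granted only the classifications they need and every denial is logged for the passive monitoring described in step three. Asset names, roles and classifications are constructed sample data.

```python
"""Deny-by-default access decisions over a classified asset inventory.

Added example (not from the original post). Assets, roles and grants below
are constructed sample data, not a real inventory.
"""
from dataclasses import dataclass

# Step 1: every information asset carries a classification.
ASSETS = {
    "hr/payroll.xlsx": "confidential",
    "eng/design-notes.md": "internal",
    "www/press-release.txt": "public",
}

# Step 2: each role is granted the minimum (classification, action) pairs
# its job requires. Anything not listed here is denied.
ROLE_GRANTS = {
    "payroll-clerk": {("confidential", "read"), ("internal", "read"), ("public", "read")},
    "engineer": {("internal", "read"), ("internal", "write"), ("public", "read")},
    "contractor": {("public", "read")},
}

# Step 3: passive detection. Denials are recorded for monitoring and reporting.
audit_log: list[str] = []


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, roles: list[str], asset: str, action: str) -> Decision:
    """Allow only when an explicit role grant covers the asset's classification.

    An asset missing from the register means step 1 was skipped for it, so it
    is denied rather than treated as public. Unknown roles hold no grants.
    """
    classification = ASSETS.get(asset)
    if classification is None:
        decision = Decision(False, "asset not classified")
    elif any((classification, action) in ROLE_GRANTS.get(r, set()) for r in roles):
        decision = Decision(True, f"role grant covers {action} on {classification}")
    else:
        decision = Decision(False, f"no role grants {action} on {classification}")
    if not decision.allowed:
        audit_log.append(f"DENY user={user} asset={asset} action={action} reason={decision.reason}")
    return decision


if __name__ == "__main__":
    print(authorize("alice", ["payroll-clerk"], "hr/payroll.xlsx", "read"))
    print(authorize("bob", ["engineer"], "hr/payroll.xlsx", "read"))
    print("\n".join(audit_log))
```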
In my next blog post we shall discuss what kind of controls and user training have proven to be most useful.