Back from a lovely vacation on a lake (where there are no computers or TVs allowed) I am struck once again by a terrible case of whimsy. Thus the title of this entry, which I truly could not resist.
There is an odd marketing marriage of some “security” terms. I put security in quotes because it’s so hard to distinguish the real security issues from the marketing of the latest security product. How often have security software vendors come up with a new “issue” or “risk” only to follow that up with the product that will address it?
This problem has been around for a long time. It could be called “industrial espionage,” “data theft,” or “poor data management,” or even a lack of data classification. “Leakage” just sounds newer, and, well, more catchy. It all comes down to good security practices, which are less catchy, but just as effective.
If you know what your confidential data is, where your confidential data is, who has access to it, and when they accessed it, you are halfway to your own “data leakage prevention system.” Then, implement policy controls on hardware (i.e., external drives, CDs/DVDs) and on Internet access. Not to mention that a good Information Security Policy, reviewed and signed off by your employees annually, emphasizes your corporate due diligence. The Policy needs to be very clear about confidential data and what employees can do with it.
Still, people will send out data in email, won’t they? (I’m thinking of doctors, lawyers and professors.) Good email filtering with appropriate filter keywords can capture a great deal. But ultimately, it also includes education. (It’s still absolutely amazing what gets put on corporate web servers.)
All these activities are a LOT more work, but much more valuable than putting in a system that is fundamentally a detective control rather than a preventive set of practices.
I do, however, prefer “data leakage prevention” to “extrusion prevention system.” What an expression!