Friday, November 17, 2006

Sensitive information is becoming one of the key areas for organizations to protect. It includes personal information such as customer data, personnel data, health information, financial information and credit card information, as well as intellectual property. Most of this information is now stored electronically, and breaches occur often; see for example this article in Computerworld. The problem has traditionally been addressed with firewalls and similar perimeter controls, but these only solve part of it: a firewall does nothing once the data is legitimately inside the network. Look for example at the theft of credit card data belonging to the customers of the security vendor Guidance Software. Data loss happens through external breaches such as hacks, and through internal theft or misuse.

Sensitive data can be placed into four major groups: Personally Identifiable Information (PII), Intellectual Property (IP), Financial Information, and Business Intelligence. PII can consist of name, social security number, credit information, health information and so on. Health information is usually described as Protected Health Information (PHI), the HIPAA term. IP is broken into five groups: trademarks, trade secrets, industrial secrets, patents, and copyright.
Losing this type of data can have serious financial and legal implications. If customer data is lost, the losses include the direct cost of recovering the information, fines, legal costs, opportunity cost, and loss of goodwill and customers. This is something that keeps business managers up at night.
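To make the PII and Financial Information groups concrete, here is a small discovery scanner that finds the two indicators the paragraph names most often in practice, social security numbers and credit card numbers, in unstructured text. This is an added example written for this page, not tooling from the author or from Microsoft. The regular expressions, the structural validation rules, the group labels and the sample customer record are all assumptions made for the illustration. The point it demonstrates beyond the prose is that pattern matching alone over-reports: a Luhn check on card candidates and issuance rules on SSN candidates are what separate real findings from reference numbers that merely look like them.

```python
"""Added example: discovery scanner for PII and credit card numbers in free text.
Written for this page; not the author's or Microsoft's code. Patterns, validation
rules, group labels and the sample record below are assumptions."""
import re

# Card candidates: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn mod-10 check. Doubles every second digit from the right; a random
    digit run passes only one time in ten, which removes most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """Assumed structural rules: area 000, 666 and 900-999 are never issued,
    group 00 and serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text):
    """Return (group, kind, matched_text) triples. Group names follow the
    four categories used on this page."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("Financial Information", "credit card number", m.group(0)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("PII", "social security number", m.group(0)))
    return hits


# Constructed sample record. 4111 1111 1111 1111 is a well-known test PAN that
# passes Luhn; the "Ref" line differs in the last digit and fails it; the
# "Tracking id" line has the SSN shape but an unissued area number.
SAMPLE = """Customer record (constructed sample)
Name: Jane Example
SSN: 078-05-1120
Card: 4111 1111 1111 1111
Ref: 4111 1111 1111 1112
Tracking id: 000-12-3456
"""

if __name__ == "__main__":
    for group, kind, value in find_sensitive(SAMPLE):
        print("%-22s %-24s %s" % (group, kind, value))
```

Run as a script it reports exactly two findings from the sample: the card on the "Card" line and the SSN on the "SSN" line. The "Ref" and "Tracking id" lines are rejected by the Luhn and SSN rules respectively, which is the behaviour you want before a scanner like this is pointed at a file share with millions of documents.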

In the coming weeks and months, I will discuss:
Risk methodology to identify the risk exposure of an organization
Legal risk, financial risk
Key concerns of an organization
Governance and sensitive data
How to conduct a proof of concept
Solution evaluations
Necessary additions for an enterprise
How to tie it all together
What it all looks like in production

Olav

Sunday, November 12, 2006


My name is Olav Opedal, and I work on protecting sensitive data at Microsoft, in the information security group.

This blog will discuss problems and solutions used to solve the unstructured sensitive data problem found in today's corporations. All opinions are my own, and not those of my employer or any other organization.

Terms of Use and disclaimers:

All posts are © their respective author. All original content may be quoted, provided a link to the site appears with the quote.

In exchange for access to this site, you agree not to sue the owner or authors of this site. Information obtained on or through this site is not intended to be, and in no way should be construed as, legal advice or counsel. This site assumes no responsibility for the accuracy of information provided by other authors. Likewise, other authors assume no responsibility for the accuracy of information provided by others.

We make no warranty regarding availability or accessibility to this site.

THE POSTINGS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS REGARDING ANY AND ALL POSTINGS ON THIS SITE.

I am not responsible for the comments, writings and links left by others in the comments section. All email will be considered for publication. Use of this site indicates acceptance of these terms.