Friday, November 17, 2006

Sensitive information is becoming one of the key areas for organizations to protect. Sensitive information includes personal information, such as customer data, personnel data, health information, financial information, credit card information, intellectual property, etc. Most of this information is now stored electronically, and breaches occur often. See for example this article in Computerworld. This problem has traditionally been addressed by implementing firewalls and other perimeter controls, but these controls can only solve part of the problem. Look for example at the loss of credit card data from the security vendor Guidant's customers. Data loss happens through external breaches such as hacks, and through internal theft or misuse.

Sensitive data can be placed into four major groups: Personally Identifiable Information (PII), Intellectual Property (IP), Financial Information, and Business Intelligence. PII can consist of name, social security number, credit information, health information, etc. Health information is usually described as Personal Health Information (PHI). IP is broken into five groups: trademarks, trade secrets, industrial secrets, patents, and copyright.
Loss of this type of data can have serious financial and legal implications. If customer data is lost, the losses can take the form of real costs incurred trying to recover the information, fines, legal costs, opportunity cost, and loss of goodwill and customers. This is something that keeps business managers up at night worrying.

In the coming weeks and months, I will discuss:
Risk methodology to identify the risk exposure of an organization
Legal risk, financial risk
Key concerns of an organization
Governance and sensitive data
How to conduct a proof of concept
Solutions evaluations
Necessary additions for an enterprise
How to tie it all together
What it all looks like in production

Olav
