Thursday, January 03, 2008

How to tie it all together?
The way to tie it together is to find a vendor willing to expose their APIs, so that you can call them with the information you need and support the workflow required for a full compliance solution for your sensitive information.

When you go through your initial investigation, map out the business processes that create sensitive information, and develop a business process for compliance management and remediation. The compliance workflow should include reporting by business group, regional reporting, and roll-ups for each business manager so that problem areas can be pinpointed. Furthermore, as you start scanning, you must be ready for business processes that are not documented, or that work differently from how they are documented. Your solution must be able to facilitate on-boarding of new business processes as they are discovered.

For data at rest, a good way to manage this information is to first detect the sensitive information in its repositories. Second, notify the owner of the share or site that sensitive information resides in the repository. Third, enable the owner to set the appropriate classification level and the accompanying protection. This step has to be intuitive and easy for the end user to perform, and must not impact the business process the repository is part of. For this reason, the user should be given ample time to classify and protect the site, and a roll-back function must allow the change to be undone in case of an adverse effect on the business process.

Measure everything – Determine what the key performance criteria are, then constantly measure and analyze them, and integrate your findings into your operations. The best way to achieve this is to be able to create good reports from all the data you are gathering. Combining information from the DLP solution with your directory services, network information, repository owner information, and the remediation efforts tracked by your compliance workflow yields very detailed information that allows you to redirect your efforts towards your bottlenecks and highlight high-risk areas you were not previously aware of.
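As an added example (not code from the original post), here is the reporting join described above in miniature: DLP findings for data at rest are enriched with directory attributes and with the remediation state kept by the compliance workflow, then rolled up per business group or manager, with overdue items and owners missing from the directory flagged. Every repository path, user, date and the 30-day grace period is constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data: DLP scan findings (repository, owner, sensitive-data hits)
FINDINGS = [
    {"repo": "//fs01/finance/q4", "owner": "alice", "hits": 120},
    {"repo": "//fs01/finance/payroll", "owner": "alice", "hits": 45},
    {"repo": "//fs02/sales/emea", "owner": "carol", "hits": 8},
    {"repo": "//sp/sites/legacy", "owner": "zed", "hits": 300},  # owner unknown to the directory
]
# Constructed directory-service attributes per owner (manager, business group, region)
DIRECTORY = {
    "alice": {"manager": "bob", "group": "Finance", "region": "AMER"},
    "carol": {"manager": "dan", "group": "Sales", "region": "EMEA"},
}
# Constructed compliance-workflow state per repository (status, date the owner was notified)
REMEDIATION = {
    "//fs01/finance/q4": {"status": "classified", "notified": date(2007, 12, 1)},
    "//fs01/finance/payroll": {"status": "open", "notified": date(2007, 11, 15)},
    "//fs02/sales/emea": {"status": "open", "notified": date(2007, 12, 28)},
}
TODAY = date(2008, 1, 3)
NO_OWNER = {"manager": "unknown", "group": "Unassigned", "region": "Unknown"}
NOT_NOTIFIED = {"status": "unnotified", "notified": None}

def enrich(findings, directory, remediation):
    """Join each finding with its owner's directory record and its workflow state."""
    return [{**f, **directory.get(f["owner"], NO_OWNER),
             **remediation.get(f["repo"], NOT_NOTIFIED)} for f in findings]

def rollup(rows, key):
    """Aggregate repositories, hits and workflow status per value of key (e.g. group, manager, region)."""
    out = defaultdict(Counter)
    for r in rows:
        out[r[key]]["repos"] += 1
        out[r[key]]["hits"] += r["hits"]
        out[r[key]][r["status"]] += 1
    return {k: dict(v) for k, v in out.items()}

def overdue(rows, today, grace_days=30):
    """Repositories still open after the owner's grace period: the remediation bottlenecks."""
    return sorted(r["repo"] for r in rows
                  if r["status"] == "open" and r["notified"] is not None
                  and (today - r["notified"]).days > grace_days)

def unassigned(rows):
    """Repositories whose owner is not in the directory: candidates for an undocumented business process."""
    return sorted(r["repo"] for r in rows if r["group"] == "Unassigned")
```

With the data above, `rollup(rows, "group")` shows Finance with one classified and one open repository, and `overdue(rows, TODAY)` surfaces the payroll share that has sat open for 49 days.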

Drive Awareness – It is my belief that without awareness in your organization of your policies and how to protect sensitive information, you will have inadvertent loss of sensitive information, possibly leaving your company non-compliant with regulatory requirements, or the company loses information, enabling other organizations to capitalize on the information your company worked so hard to obtain.
