Thursday, January 15, 2009

Information protection, DLP, Identity Management, outsourcing and vendor management: what is in store for the Enterprise in 2009 and beyond?

Information gleaned from several surveys gives a dismal outlook for data breaches.

In a survey by Enterprise Strategy Group, 50% of the respondents said internal breaches were the direct cause of loss of confidential data, while 19% were caused by external attacks and 11% were a combination of external and internal attacks. 14% of the respondents said data loss came as a result of losing a device containing confidential data.

In a 2007 study by the Ponemon Institute, "the notification cost for a first party data breach is $197 per record lost and for a third party data breach is $231 per record lost. (A third party organization includes professional services, outsourcers, vendors, business partners and others who possessed the data and were responsible for its protection.)"

A November survey by SailPoint Technologies of Fortune 1,000 companies shows that most of them are grossly unprepared to manage information technology (IT) security risk. They polled IT managers and directors and found that out of 116 respondents, 44 percent said that they could not “immediately remove all access privileges for terminated employees” if the company had a massive layoff. More than 65 percent reported that they would not be able to “present a complete record of user access privileges for each employee” if the company’s chief information officer wanted it that same day. And 46 percent said their company “failed an IT or security audit because of a lack of control around user access” in the past five years.

The good news is of course that DLP vendors have started to integrate with identity management systems, which helps, but there is a long way to go before the problem is solved. The not so good news is that most enterprises do not have a good understanding of who has access to what information. This means that a loss could go undetected for a long time, and cause a higher cost to the enterprise. With the current financial situation and the large layoffs that come with it, this becomes even more critical to solve.

The approach I would recommend to solve this issue is to start cataloging and classifying information and information systems, and tying that catalog to identity management information. Then, as the business processes are understood, the principle of least privilege should be used to manage access to these systems.
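As an added illustration of that approach (this is example code written for this post, not a product or any enterprise's data), the script below joins a small constructed system catalog with classifications, an identity record with employment status and role, and a list of access grants. From that join it produces the two things the SailPoint survey asked about: a per-employee record of privileges, and the grants that a least-privilege review says should be revoked (terminated users, orphan accounts with no identity record, and access to a classification the user's role is not allowed to hold). The system names, roles and policy table are all constructed.

```python
from collections import defaultdict

# Constructed catalog: each information system carries a classification.
SYSTEMS = {
    "gl-ledger":    {"classification": "sox-financial", "owner": "finance"},
    "design-vault": {"classification": "trade-secret",  "owner": "engineering"},
    "wiki":         {"classification": "internal",      "owner": "it"},
}

# Constructed identity management extract: employment status and business role.
IDENTITIES = {
    "alice": {"status": "active",     "role": "accountant"},
    "bob":   {"status": "terminated", "role": "engineer"},
    "carol": {"status": "active",     "role": "engineer"},
}

# Least-privilege policy (constructed): classifications each role may access.
ROLE_POLICY = {
    "accountant": {"sox-financial", "internal"},
    "engineer":   {"trade-secret", "internal"},
}

# Constructed access grants as (user, system, permission).
GRANTS = [
    ("alice", "gl-ledger",    "read-write"),
    ("alice", "wiki",         "read"),
    ("bob",   "design-vault", "read"),        # bob has been terminated
    ("bob",   "wiki",         "read"),
    ("carol", "design-vault", "read-write"),
    ("carol", "gl-ledger",    "read"),        # engineer holding SOX financial access
    ("dave",  "wiki",         "read"),        # no identity record at all
]

def access_record():
    """Complete record of privileges per user, each with the system's classification."""
    record = defaultdict(list)
    for user, system, perm in GRANTS:
        record[user].append((system, SYSTEMS[system]["classification"], perm))
    return dict(record)

def revocation_candidates():
    """Grants the least-privilege review says to remove, with the reason for each."""
    findings = []
    for user, system, _perm in GRANTS:
        ident = IDENTITIES.get(user)
        cls = SYSTEMS[system]["classification"]
        if ident is None:
            findings.append((user, system, "orphan: no identity record"))
        elif ident["status"] != "active":
            findings.append((user, system, "terminated user still holds access"))
        elif cls not in ROLE_POLICY.get(ident["role"], set()):
            findings.append((user, system, f"role {ident['role']} not permitted {cls}"))
    return findings
```

Run against a real directory export and entitlement dump, the same two functions give the immediate-revocation list for a layoff and the per-employee access record an auditor or CIO asks for.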


Even though the case of a former Boeing employee charged in a data theft case is a stand-alone one, it shows that actively monitoring who has access to sensitive information, and evaluating whether that access is appropriate, is paramount. It is an established best practice for fraud prevention, and is a requirement for SOX compliance for financial systems. The issue is of course that enterprises today do not safeguard critical business information in the same manner as they safeguard SOX information.

This of course leads one to look at Governance, Risk, and Compliance, to see how risk management can be streamlined for all sensitive information, not just the information that law or regulation requires to be safeguarded. This will drive down the cost of compliance, improve governance, and reduce the overall risk of loss of information.
