Quest CEO Blog | Encryption

 


Thoughts on Technology, Business and the Management of Both.

 

What DLP can do: Policing your sensitive data

by Tim Burke
Monday, April 23, 2012

The data discovery and identification aspect of data loss prevention (DLP) capability is just the beginning. Once you know what data you have and where it lives, you’re finally in a position to accomplish two crucial things:

 

 

  1. Manage and enforce security policies. DLP makes it possible to manage and apply security policies across the enterprise, reducing burdens on IT staff while boosting compliance. For instance, solid DLP solutions automatically encrypt sensitive data to regulatory and compliance standards, and those focused on data in motion come with on-board email encryption that integrates with leading encryption services.

    This ability to manage not just security policy but also security enforcement is especially important, given the proliferation of employee communication venues (e.g., email, IM, the Web, social media), work locations, and devices, some of which are employee-owned and inevitably used for personal activities.
  2. Monitor and regulate how sensitive data gets used, moved, and stored. With DLP, you’ll not only gain visibility into policy violations, you’ll be able to automatically enforce policies and compliance (and get employees to behave when it comes to data use). 

    DLP enables you to secure data proactively via automatic quarantine, relocation, and support for policy-based encryption. You can enable active blocking at the network as well as the endpoint to prevent data from inappropriately leaving the organization. And you’ll know who attempted what and when.

 

 


Quest’s 10 ways to boost business IT security in 2012: #5 and #6

by Tim Burke
Tuesday, January 24, 2012

It’s appropriate, I suppose, to think of Quest’s list of 10 ways to boost security as layers: Strategy and guiding principles first, then infrastructure basics you may not have considered much. And now a couple of layers that address some of what are sure to rank among 2012’s imminent threats …

 

#5 Deploy computer security incident response capabilities to better address advanced persistent threats. 

 

Too often, attacks and breaches take weeks, months, and even years to be uncovered. According to Verizon’s 2011 Data Breach Investigations Report (which includes information from the U.S. Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s information), 38% of data breaches aren’t discovered for weeks, and 36% aren’t discovered for months.

 


Data backup/recovery best practices #3, #4, and #5

by Tim Burke
Tuesday, December 06, 2011

Last time, I described the first two backup/recovery best practices. Here are the next three:

 

#3 Make sure your backup/recovery strategy adheres to all governance and compliance rules that apply to your organization.

Rules abound about data privacy, security, retention — and vary by industry and region.

Look for a reputable advisor who has the experience needed to understand your compliance environment and who successfully completes SAS-70 Type II audits.

 


Dangerously vulnerable: 3 quick (and scary) anecdotes

by Tim Burke
Thursday, October 20, 2011

How secure are the data, applications, systems, and networks your business depends on? If you’re like too many of the executives I talk to, you may believe all is well — but only because you haven’t asked the right questions.

 

One executive told me recently, “We’re cool; we haven’t had to touch our firewalls in three years.”

 

Another ticked off all the security products his IT guys have installed — but, it turns out, without ever changing the manufacturers’ default passwords.


Infrastructure security and coping with cloud and social media: 9 key questions to ask

by Tim Burke
Thursday, September 22, 2011

Our Chief Technical Officer, Mike Dillon, estimates that the number of infected sites is growing by 20% to 25% a year. “If your company is shifting more toward cloud services and hasn’t addressed security, you will be attacked,” he says.

 

So here are the (non-technical) questions you need to ask and get answered to protect your business:


6 security questions to ask about your data and who gets access to it

by Tim Burke
Tuesday, September 20, 2011

 

It’s easy to tumble backwards into information security, to let yourself get sidetracked into arcane, hard-to-follow discussions about the innards of technologies and products when in fact you need to be thinking through higher-level strategy and policy.

 

If, for instance, you don’t actually know yet whether your business would benefit from using encryption, listening to the sales pitches of competing encryption product vendors is a waste of time.

 

So start with straightforward, non-technical questions that your IT people should answer in a straightforward, non-technical way. When they backslide into techno-babble, make them translate (they can use the practice).

 

  1. What data is business critical? What data is sensitive? Who ‘owns’ or has access to our business-critical data? Our sensitive data?
  2. What sort of assurances of confidentiality and integrity do we need to provide for each type of data?
  3. How long do we want to retain data?
  4. How do we want to control data access and permissions?
  5. How do we want to authenticate users?
  6. What kind of security training should we provide employees?

 

You’ll also want to pose questions about the security of your information infrastructure as well as how to cope with cloud computing and social networks. Check my next post for those 9 questions.

 
