
Data Leakage Prevention

This presentation describes how we implement our Inherent Data Leakage Prevention Program (IDLPP), which enables your organisation to work towards compliance from implementation day.


  1. Inherent Data Leakage Prevention Program (IDLPP)
     By Ben Oguntala, Solutions Director, 07812039867

  2. Introduction
     We take standard data leakage prevention controls and convert them into automated processes that are linked up as part of your organisation's Data Leakage Prevention strategy.
     • Management: IDLPP in management decisions
     • Business processes: IDLPP activated & automated in business processes
     • End devices: IDLPP activated & automated within end devices
     • Network systems: IDLPP baseline on all network systems
     • Comms: IDLPP provisions on all comms
     • Suppliers: IDLPP automated in all supplier contracts
     Principles: re-uses incumbent technology; activated and automated; compatible with the DLP strategy; embedded within the organisation.

  3. What is the Data Leakage Strategy?
     The Data Leakage strategy has four parts:
     • DLP policy & procedures: all assets that are considered in scope will have a DLP policy.
     • DLP baseline & enforcement: all assets will have a DLP baseline or adopt a hybrid solution.
     • DLP monitoring: integration of IDLPP into your current monitoring feature.
     • Risk management: to ensure that once the standard is set there is continuous risk assessment in place.

  4. IDLPP overview
     [Diagram: DMZ tier, Middle tier and Database tier, with Intranet, Extranet, Business processes and Data; IDLPP sits in ingress and egress traffic.]
     IDLPP is embedded within each aspect of your network to ensure a holistic approach.

  5. IDLPP features
     IDLPP product features, applied across the DMZ tier, Middle tier, Database tier, Intranet, Extranet, Servers, Desktops, Laptops and Data:
     • Data loss prevention
     • Firewall
     • Anti-spam
     • Host IPS
     • Anti-malware
     • Encryption
     • Device control
     • Network access control
     • Web filtering
     • Compliance
     • Application control

  6. IDLPP features (2)
     • Management: integration of IDLPP into management decisions.
     • Business processes: business processes will include DLP in their considerations.
     • End devices: servers, workstations, laptops and mobiles will all have IDLPP embedded.
     • Network systems: network systems such as switches, routers, firewalls, IPS and IDS will have an element of IDLPP.
     • Comms: IDLPP policies and procedures will be applied to comms devices, e.g. email, printers and mobiles.
     • Suppliers: IDLPP will be included in contracts with suppliers, with a self-audit capability to report on compliance.

  7. 3rd parties and extranets
     [Diagram: 3rd party hosting facility, Customer intranet, Supplier extranet, Extranet, Internet.]
     • IDLPP will allow you to audit 3rd party suppliers on an ongoing basis.
     • Via contract, IDLPP will be able to extend from the customer intranet to their suppliers and 3rd party hosting facilities.

  8. Applicable standards
     PCI DSS, SOX 404, ISO27001, Data Protection Act, FSA Data security, Data seal (DMA), and several other regulatory requirements.
     Policies, procedures & baselines are mapped per standard across the following control areas: network security, change management, security management, data security, compliance, business process security, project security, compliance cycle, 3rd party security, access control, data privacy impact assessment, end point security, and monitoring.

  9. IDLPP change management
     Standards covered: PCI DSS, SOX 404, ISO27001, Data Protection Act, FSA Data security, Data seal (DMA).
     • Project/change assessment: each requires operational risk assessments on an ongoing basis. Currently manual and not cohesive.
     • 3rd party audits: each requires supplier audits, pre-engagement and in-flight visits. Costly to carry out and uncoordinated.
     • Compliance operation and reporting: each requires a compliance and reporting framework. Disparate views and reporting tools.
     • Management reporting requirements: each requires a supplier to be notified of incidents. Notification requirements.

  10. IDLPP for Laptops
     • Build: OS security build specification; hardware security baseline; remote wipe enabled; registration on asset register.
     • Hard disk: hard disk encryption.
     • Access control: access control (2 factor authentication).
     • Connectivity: fettered ingress and egress traffic; auto lock-down of all unauthorised connectivity; secure connectivity.
     • USB devices: authorised USB access only.
     • Data: encryption policy enforcement; data encryption in transit and at rest; remote wipe functionality.

  11. Benefit to Sophos Customer
     Compliance automation: automatic enforcement, automatic reporting, automatic auditing, automated consolidation, automatic breach reporting.
     Covering: policies, procedures, ISO, SOX, PCI, DPA, 3rd parties, DS, FSA.

  12. Key questions from regulations
     • PCI DSS: Is the network segregated and card holder data adequately secured?
     • SOX 404: Are there risk management processes, change control and governance in the organisation?
     • ISO27001: Are there policies and procedures that ensure adequate engagement exists between management & business units, as well as procedures to support the policies?
     • Data Protection Act: How many information assets do I have and with whom am I sharing them? What sort of privacy impact assessments are carried out for projects & changes?
     • FSA Data security: Are there adequate governance, risk management and adequate security for FSA-related confidential & financial information about clients?
     • Data seal (DMA): Does the company have adequate data security controls in place to cater for the customer data they are handling?

  13. IDLPP Gap analysis
     Key areas -> Risks -> Countermeasures & Recommendations.
     Key areas: network infrastructure; business processes; software asset register; hardware asset register; project implementation; 3rd party suppliers; data flow definition; policies & procedures; risk management.

  14. Engagement timeline
     Project scope definition (2 man days):
     • Questionnaire
     • 2 face to face meetings
     • Objective definition
     Gap analysis and fact finding (20 man days):
     • Mapping out your current network infrastructure
     • Business processes
     • Software Asset Register
     • Hardware Asset Register
     • 3rd party supplier assessment
     • Data flow definition
     • Risk management process assessment
     • Policies and processing assessment
     Audit report (5 man days):
     • Gap analysis report
     • Risks and countermeasures
     • Recommendations and work streams
     Project implementation:
     • Dependent on work streams

  15. THE END