Data Leakage Prevention

  1. Inherent Data Leakage Prevention Program (IDLPP)
     By Ben Oguntala, Solutions Director
     www.dataprotectionofficer.com
     Ben.oguntala@dataprotectionofficer.com
     07812039867

  2. Introduction
     We take standard data leakage prevention controls and convert them into automated processes that are linked up as part of your organisation's Data Leakage Prevention strategy.
     • Management: IDLPP in management decisions
     • Business processes: IDLPP activated & automated in business processes
     • End devices: IDLPP activated & automated within end devices
     • Network systems: IDLPP baseline on all the network systems
     • Comms: IDLPP provisions on all comms
     • Suppliers: IDLPP automated on all supplier contracts
     Key points: re-uses incumbent technology; activated and automated; compatible with the DLP strategy; embedded within the organisation.

  3. What is the Data Leakage Strategy?
     The Data Leakage strategy has four parts:
     • DLP policy & procedures: all assets that are considered in scope will have a DLP policy.
     • DLP baseline & enforcement: all assets will have a DLP baseline or adopt a hybrid solution.
     • DLP monitoring: integration of IDLPP into your current monitoring feature.
     • DLP risk management: to ensure that once the standard is set there is continuous risk assessment in place.

  4. IDLPP overview
     [Diagram: DMZ tier, Middle tier, Database tier, Data, Intranet, Extranet, Business processes; IDLPP in ingress and egress traffic]
     IDLPP is embedded with each aspect of your network to ensure a holistic approach.

  5. IDLPP features
     IDLPP product features: data loss prevention, firewall, anti-spam, host IPS, anti-malware, encryption, device control, network access control, web filtering, compliance, application control.
     [Diagram: DMZ tier, Middle tier, Database tier, Intranet, Extranet, Servers, Desktop, Laptops, Data]

  6. IDLPP features (2)
     • Management: integration of IDLPP into management decisions.
     • Business processes: business processes will include DLP in their considerations.
     • End devices: servers, workstations, laptops and mobiles will all have IDLPP embedded.
     • Network systems: network systems like switches, routers, firewalls, IPS and IDS will have an element of IDLPP.
     • Comms: IDLPP policies and procedures will be applied to comms devices, e.g. email, printers and mobiles.
     • Suppliers: IDLPP will be included in contracts with suppliers, with a self-audit capability to report on compliance.

  7. 3rd parties and extranets
     [Diagram: 3rd party hosting facility, Customer intranet, Supplier extranet, Extranet, Internet]
     - IDLPP will allow you to audit 3rd party suppliers on an ongoing basis.
     - Via contract, IDLPP will be able to extend from the customer intranet to their suppliers and 3rd party hosting facilities.

  8. Applicable standards
     PCI DSS, SOX 404, ISO27001, Data Protection Act, FSA Data security, Data seal (DMA), and several other regulatory requirements.
     [Table: policies, procedures & baselines mapped to each standard, covering network security, change management, security management, data security, compliance, business process security, project cycle security, 3rd party security, access control, data privacy impact assessment, end point security and monitoring]

  9. IDLPP change management
     Standards in scope: Data Protection Act, FSA Data security, Data seal (DMA), PCI DSS, SOX 404, ISO27001.
     • Project/change assessment: each requires operational risk assessments on an ongoing basis. Currently manual and not cohesive.
     • Supplier audits: each requires supplier audits, pre-engagement and in-flight visits. Costly to carry out 3rd party audits; uncoordinated.
     • Compliance reporting: each requires a compliance operation and reporting framework. Disparate views and reporting tools.
     • Management reporting / notification requirements: each requires a supplier to be notified; requirements for reporting incidents.

  10. IDLPP for Laptops
     Build:
     • OS security build specification
     • Hardware security baseline
     • Remote wipe enabled
     • Registration on asset register
     Connectivity (access control):
     • Fettered ingress and egress traffic
     • Auto lock down of all unauthorised connectivity
     • Authorised USB access only
     • Secure connectivity
     Data (hard disk, USB devices):
     • Encryption policy enforcement
     • Data encryption in transit and stationary
     • Access control (2 factor authentication)
     • Remote wipe functionality
     • Hard disk encryption

  11. Benefit to Sophos Customer
     Compliance automation: automatic enforcement, automatic reporting, automatic auditing, automated consolidation, automatic breach reporting.
     [Diagram: Policies, Procedures, ISO, SOX, PCI, DPA, 3rd parties, DS, FSA]

  12. Key questions from regulations
     • PCI DSS: Is the network segregated and card holder data adequately secured?
     • SOX 404: Are there risk management processes, change control and governance in the organisation?
     • ISO27001: Are there policies and procedures that ensure adequate engagement exists between management & business units, as well as procedures to support the policies?
     • Data Protection Act: How many information assets do I have and with whom am I sharing them? What sort of privacy impact assessments are carried out for projects & changes?
     • FSA Data security: Are there adequate governance, risk management and adequate security for FSA-related confidential & financial information about clients?
     • Data seal (DMA): Does the company have adequate data security controls in place to cater for the customer data they are handling?

  13. IDLPP Gap analysis
     Key areas: network infrastructure, business processes, Software Asset Register, Hardware Asset Register, project implementation, 3rd party suppliers, data flow definition, policies & procedures, risk management.
     Outputs: risks; countermeasures & recommendations.

  14. Engagement timeline
     Project scope definition (2 man days):
     • Questionnaire
     • 2 face to face meetings
     • Objective definition
     Gap analysis and fact finding (20 man days):
     • Mapping out your current network infrastructure
     • Business processes
     • Software Asset Register
     • Hardware Asset Register
     • 3rd party supplier assessment
     • Data flow definition
     • Risk management process assessment
     • Policies and processing assessment
     Audit report (5 man days):
     • Gap analysis report
     • Risks and countermeasures
     • Recommendations and work streams
     Project implementation:
     • Dependent on work streams

  15. THE END
     http://www.dataprotectionofficer.com/Data-Leakage.aspx