Information Leakage & DLP


Published on

Published in: Education, Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Information Leakage & DLP

  1. 1. Information Leakage & Data Loss Prevention ACC626 Presented by: Carol Qianyun Lu July 23rd, 2013
  2. 2. Agenda What is Information Leakage? How and when it occurs? Impact on organizations Frameworks & DLP tools Implications for CA Conclusion
  3. 3. What is Information Leakage? Information leakage is an alternate term for information exposure Information exposure is the intentional or unintentional disclosure of information to a party that does not have access to that information (CWE, 2008) Common form of data loss Severity range widely depending on type of information that is revealed
  4. 4. How and when it occurs? External hack to organization’s confidential information Occur during outsourcing Acts of consultants who works for different firms concurrently Relevant to CAs who works as consultants and C-Suite Executive Between alliances and collaborating companies Leak from inside by employees
  5. 5. Leak from Inside Ways information can be leaked: Flash drives , USB devices, Other “lifestyle” devices iPods Bring-Your-Own-Device Former employees – Internal Control Deficiency Cyberspace Online Storage (e.g. Google – Gmail) Instant messages, emails, blogs
  6. 6. Impact on Organizations Financial and reputational loss Small leaks accumulate to big loss Loss of customer and employee private information Loss of competitive position Lawsuits or regulatory consequences
  7. 7. Frameworks The Privacy Act of 1974 – U.S. The Payment Card Industry Data Security Standards – U.S. Sarbanes-Oxley Act (SOX) – U.S. Federal Information Security Management Act (FISMA) – U.S.
  8. 8. DLP Tools Full DLP suites McAfee Data Loss Prevention - Commercial email security platform Controls for emails Websense TruWeb DLP, CISCO IronPort email and Google – Postini Stand-alone DLP products Code Green Networks, intrusion Inc., Workshare
  9. 9. Additional DLP Tools Internal Security Control Digital forensic techniques Network Security Solution E.g. Fidelis Security System’s XPS Deploy DLP tools as part of larger security suite
  10. 10. Implication on CA Safe environment for internet accounting information system Relevant to accounting profession Third party specialized auditor to appraise system Effective network security audit
  11. 11. Conclusion Extremely important for C-Suite executives to: understand information leakage Realize impact on organizations Utilize DLP tools Continuous effort to protect confidential information Combination of effective DLP implementation and best management practices
  12. 12. Work Cited Alawneh, M. & Abbadi I. (2008). “Preventing Information Leakage Between Collaborating Organizations”. Proceedings of the 10th International Conference on Electronic Commerce. No. 38. Pp. 1-10. Retrieved June 1, 2013, from ACM Digital Library: Baek, E. & Kim. Y. & Sung L. & Lee, S. (2008). “The design of framework for detecting an insider’s leak of confidential information”. 1st international conference on forensic applications and techniques in telecommunications, information, and multimedia and workshop. No.14. pp. 1-4. Retrieved June 1, 2013, from ACM Digital Library: Chen, A. & Chu, H. (2012). “Against the breaches: data loss prevention for online travelling services”. Information Security and Intelligence Control (ISIC). Pp.282-285. Retrieved June 1, 2013, from IEEE Xplore Digital Library: nst+the+breaches%3A+data+loss+prevention+for+online+travelling+services CWE-200. (2008). “Information Leak (Information Disclosure)”. Common Weakness Enumeration. Retrieved June 1, 2013, from CWE: Garretson, C. (2008). “Data-leak Prevention: Pros and Cons”. Network World. 25.1. pp. 1-39, Retrieved June 1, 2013, from ABI/Inform Global Database:
  13. 13. Work Cited He, Q. & Chen, G. (2011). “Research of security audit of enterprise group accounting information system under internet environment”. Second international conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC). Pp. 516-519. Retrieved June 1, 2013, from IEEE Xplore: urity+Audit+of+Enterprise+Group+Accounting+Information+System+under+Internet+Environment Hoecht, A. & Trott, P. (2006). “Outsourcing, information leakage and the risk of losing technology-based competencies”. European Business Review, Vol. 18 Iss:5. Pp.395-412. Retrieved June 1, 2013, from Emerald: 534X&volume=18&issue=5&articleid=1567303&show=abstract Irwin, K. & Yu, T. & Winsborough, WH. (2008). “Avoiding information leakage in security-policy-aware planning”. 7th ACM workshop on Privacy in the electronic society. Pp. 85-94. Retrieved June 1, 2013, from ACM Digital Library: Lawton, G. (2008). “New Technology Prevents Data Leakage”. Computer. Vol. 41 Iss: 9. Pp. 14-17. Retrieved June 1, 2013, from IEEE Xplore Digital Library Prevents+Data+Leakage: Lee, H-J. & Won, D. (2011). “Protection profile for data leakage protection system”. Proceedings of the Third international conference on Future Generation Information Technology. Pp. 316-326. Retrieved June 1, 2013, from ACM Digital Library: 256 Liu, S. & Kuhn, R. (2010), “Data Loss Prevention”. IT Professionals, Vol. 12 No.2. pp. 10-13. Retrieved June 1, 2013, from IEEE Xplore Digital Library: tion
  14. 14. Work Cited Murphy, J. (2008). “Data Loss Prevention: An Elixir for Privacy Compliance Headache?”. The EDP Audit, Control and Security Newsletter. Vol. XXXVIII, No. 6. Pp. 1-7. Retrieved June 1, 2013, from Scholars Portal: Norman, P. (2004), “Knowledge acquisition, knowledge loss and satisfaction in high technology alliances”, Journal of Business Research, Vol. 57 No. 6, pp. 610-9. Retrieved June 1, 2013, from ABI/Inform Global Database: 4906# Oxley, J. and Sampson, R. (2004), “The scope and governance of international R&D alliances”, Strategic Management Journal, Vol. 25 Nos 8/9, pp. 723-49. Retrieved June 28, 2013, from Deep Blue: S-Koromina,V. et al., (2012). “Insider threats in corporate environments: a case study for data leakage prevention”. Proceedings of the Fifth Balkan Conference in Informatics, pp.271-274. Retrieved June 1, 2013, from ACM Digital Library: EN=52641256 Wuchner, T. & Pretschner, A. (2012). “Data Loss Prevention based on data-driven Usage Control”. IEEE 23rd International Symposium on Software Reliability Engineering. Pp. 151-160. Retrieved June 1, 2013, from IEEE Xplore Digital Library: +Loss+Prevention+based+on+data-driven+Usage+Control Zinkewicz, P. (2009). “Dealing with Data Leakage”. Rough Notes, 152(4), 82-83. Retrieved June 1,2013, from Proquest: