Mar 12 2019

Firefox Send’s free encrypted file transfers are now available to all

Category: data security | DISC @ 10:26 am

Source: Firefox Send’s free encrypted file transfers are now available to all



Feb 15 2019

3 data leaks that could be undermining your online privacy

Category: data security | DISC @ 1:02 pm

Protecting your online privacy is important. There has been a lot of discussion in recent years about how to stay safe online, and an increasing number of people are turning to Virtual Private Netw…

Source: 3 data leaks that could be undermining your online privacy




Jan 31 2019

The biggest ever data dump just hit a colossal 2.2 billion accounts

Category: data security, Security Breach | DISC @ 11:12 am

    Thought Collection #1 was big? Collection #2-5 just dwarfed it

    Source: The biggest ever data dump just hit a colossal 2.2 billion accounts


    Tags: Data dump, data privacy, data security


    Sep 20 2018

    Equifax fined by ICO over data breach that hit Britons

    Category: Cyber Insurance, data security, GDPR, Security Breach | DISC @ 10:02 am


    Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

    A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

    The compromised systems were also US-based.

    But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

    It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

    Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

    A further 14.5 million British records exposed would not have put people at risk, the company added last October.

    The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

    • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
    • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
    • Up to 15 million UK data subjects had names and dates of birth exposed

     

    Guard let down

    Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

    And appropriate steps to fix the vulnerability were not taken, according to the ICO.

    Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

    And the fine of £500,000 is the highest possible under that law.

    “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

    “This is compounded when the company is a global firm whose business relies on personal data.”

    An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

    “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

    “The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

    By BBC.com



    Aug 23 2018

    Secure File Sharing from any device

    Category: Access Control, App Security, data security | DISC @ 4:36 pm

    Easy Desktop Access to Cloud Files

    Ditch Email Attachments. With your files in the cloud, you can easily share them with anyone — even if they’re outside your company firewall — with a simple link via email or straight from Box.

    Keep Everybody on the Same Page. Easily share files and folders, and add, move or edit files while always having the latest file version on hand.

    Preview Files Without Download. With Box, you can view 120+ types of files, including Word, Excel, PDF, AI, EPS, PSD, photos and more—without downloading a single file.

    Easily Share Your Workspace. Right click any folder to share instantly or open on box.com and invite your team to view, edit and upload files, turning folders into collaborative workspaces.

    Never Lose Files. A stolen laptop or hard drive crash doesn’t mean you lose your files. Safely store all of your work documents and projects in Box Drive.

     

    Box enables secure file sharing and collaboration so you can get real work done with anyone, from any device.

     

    • Secure File Sharing. Easily and securely share files—even sensitive or confidential ones—without worry.
    • Hassle-Free File Sharing. Ditch email attachments! Share any file with a simple link or straight from Box, with anyone you want.



    An Introduction to Box: The Modern Content Management Platform

    Discover how Box can solve simple and complex challenges, from sharing and accessing files on mobile devices to sophisticated business processes like data governance and retention.



    Apr 20 2018

    Nine Things That Are Poised To Impact Cybersecurity

    Category: cyber security, data security | DISC @ 6:18 pm

    Read the Forbes Technology Council’s list of nine things that can impact cybersecurity, on Forbes:

    From the Equifax breach this past September to the recent hack of MyFitnessPal data through Under Armour, the number of high-profile cyberattacks has continued to climb in recent months. Every company, regardless of size, must be prepared for the possibility that they may be the next victim.

    Read the full article here.

    Tags: Business Insider Intelligence, data breach, equifax


    Dec 13 2017

    Top 5 Programming Languages In 2018

    Category: App Security, data security | DISC @ 6:14 pm

    A selection of programming language textbooks on a shelf (Photo credit: Wikipedia)

    The programming world is growing exponentially with every passing year, with over 600 unique programming languages now in existence. The main question on everyone’s mind is which language is most appropriate given current and future market needs.

    Let’s see which programming languages are popular enough today to deserve your attention:

    1. Java:
    There is no doubt that Java has kept its place as the most popular language for a long time. It is still the most favoured language for building the backends of modern applications.

    2. Python:
    One of the main reasons why Python became so common is the tons of frameworks available for virtually anything, ranging from web applications to text mining.

    3. JavaScript:
    Every web browser supports JavaScript; it’s used by over 80% of developers and by 95% of all websites. With Node.js, even the backend can be developed using JavaScript.

    4. C++:
    This language is regularly used for application software, game development, drivers, client-server apps and embedded firmware. According to Coding Dojo, C++ continues in use in several legacy systems at large enterprises.

    5. C#:
    An object-oriented language from Microsoft designed to run on the .NET platform. This language is designed for use in developing software and is also massively used in video game development.


    Tags: C++, Java, JavaScript, Python


    Oct 18 2017

    GDPR essentials and how to achieve compliance

    Category: data security, GDPR | DISC @ 9:51 am


    The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018. The GDPR applies to all EU organizations – whether commercial business or public authority – that collect, store or process the personal data (PII) of EU individuals.

    Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. Compliance consultants must know the following nine tenets of the GDPR.

     

    • Supervisory Authority – A one-stop shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU.

     

    • Breach Disclosure – Organizations must disclose and document the causes of breaches, effects of breaches, and actions taken to address them.

     

    • Processors – A processor must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorization. If requested by a data subject, you must cease processing and using his or her data for a limited period of time.

     

    • Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes to which the data subject originally and explicitly consented. You must obtain and document consent for only one specific purpose at a time.

     

    • Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by a data subject, you must erase their data on premises, in apps and on devices.

     

    • Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or necessity for the performance of a contract, or where processing is carried out by automated means.

     

    • Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially including proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.

     

    • Fines – Major noncompliance with the law will be punishable by fines of up to €20 million or 4% of group annual worldwide turnover.

     

    • Data protection by design – Organizations must ensure data security and data privacy across cloud and endpoints, and design their systems and processes to protect against unauthorized data access and malware. Specifically, organizations must take appropriate technical and organizational measures before data processing begins to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

     

    How to improve information security under the GDPR

    Although many businesses understand the importance of implementing the right procedures to detect, report and investigate a data breach, not many are aware of how to go about this effectively, especially during the implementation phase.

     

    Seven steps that can help you prevent a data breach:

    1. Find out where your personal information resides and prioritize your data.
    2. Identify all the risks that could cause a breach of your personal data.
    3. Apply the most appropriate measures (controls) to mitigate those risks.
    4. Implement the necessary policies and procedures to support the controls.
    5. Conduct regular tests and audits to make sure the controls are working as intended.
    6. Review, report and update your plans regularly.
    7. Implement a comprehensive and robust ISMS (information security management system).

     

    ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

    Related articles on GDPR and ISO 27k

    The GDPR and Personal Data…HELP! from Cloud Security Alliance

    Tags: gdpr, gdpr compliance


    Sep 27 2017

    Data flow mapping under the EU GDPR

    Category: data security, GDPR, Security Compliance | DISC @ 8:56 am

    As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

    The key elements of data mapping

    To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

    1. Understand the information flow

    An information flow is a transfer of information from one location to another, for example:

    • From inside to outside the European Union; or
    • From suppliers and sub-suppliers through to customers.

    2. Describe the information flow

    • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
    • Make sure the people who will be using the information are consulted on the practical implications.
    • Consider the potential future uses of the information collected, even if it is not immediately necessary.

    3. Identify its key elements

    Data items

    • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

    Formats

    • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

    Transfer method

    • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

    Location

    • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

    Accountability

    • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

    Access

    • Who has access to the data in question?

     

    The key challenges of data mapping

    • Identifying personal data – Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
    • Identifying appropriate technical and organizational safeguards – The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
    • Understanding legal and regulatory obligations – Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.

    Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

     

    Data flow mapping

    To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.

     

    Order Today

     


    Tags: data flow mapping, data privacy, data security, gdpr


    Mar 06 2017

    Secure USB flash drive – password protected and encrypted

    Category: data security | DISC @ 2:01 pm

    Encrypted Flash Drives

    Top Rated
    Kingston Digital 8GB Data Traveler AES Encrypted

    Tags: encrypted usb drive, password protected usb, protected flash drive, USB flash drive


    Nov 15 2016

    Encryption keeps you safe from malware

    Category: data security | DISC @ 1:02 pm

     

    Cryptographically secure pseudorandom number generator (Photo credit: Wikipedia)

    The Electronic Frontier Foundation aims to protect web traffic by encrypting the entire Internet using HTTPS. Chrome now puts a small warning marker in the address bar next to any non-secure HTTP address. Encryption is important, and not only for web surfing. If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won’t be able to steal your identity, take over your bank account or steal your credit card information. To help you select an encryption product that’s right for your situation, we’ve rounded up a collection of current products.

     

    Available Encryption Software to protect your information assets:

     

    Folder Lock can lock access to files for quick, easy protection, and also keep them in encrypted lockers for serious protection. It combines a wide range of features with a bright, easy-to-use interface. Read the full review ››

     

    Cypherix PC creates encrypted volumes for storing your sensitive files. Lock the volume and nobody can access the files. It does the job, though it lacks secure deletion. Read the full review ››

     

    Cypherix SecureIT handles the basic task of encrypting and decrypting files and folders in a workmanlike fashion, but it lacks advanced features offered by the competition. Read the full review ››

     


    Tags: data encryption, disk encryption and file encryption, encryption, Identity Theft, Information Privacy, privacy


    Mar 30 2014

    The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges


    by Ilenia Vidili

    In South Africa, the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, damage to, and unauthorised access to personal information. POPI was signed into law on 26 November 2013, but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

    Why is it so important for organizations to keep personal information safe?

    Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies, as well as reputational damage and a loss of customer trust. The lack of a robust information security management system (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organisations, which will in turn increase customer confidence in them. The Act will apply to all organisations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses and contact details. Anything could have happened to that information, including targeted phishing attacks and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.

    POPI’s challenges

    The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.

    PwC’s “journey of implementation” report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.


    Source: PwC “The journey to implementation”

    One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

    How to prepare for POPI

    IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security management systems, and recommends that companies look at the useful information about ISO27001 available on the company’s website.

    Tags: Information Security Management System, isms, POPI, Protection of Personal information Act, South Africa


    Mar 26 2014

    Most common types of data breaches

    Category: data security, Security Breach | DISC @ 9:24 pm


    Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

    According to a report by Veracode, the top 5 types of information that are stolen are:

    Payment Data

    No surprises here, of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiple ways, such as siphoning the victim’s account, using their card for purchases or selling it on the black market.

    Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

    Authentication Details

    Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

    Unfortunately, humans are subject to bad habits, such as using the same password for multiple online accounts. So if cyber criminals manage to get hold of your Facebook password, they will most likely be able to log in to any of your accounts.

    Copyrighted Material

    Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

    Medical Records

    Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

    Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

    Classified Information

    Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

    Protecting this information

    There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

    Data Security Breaches: Notification Law

    Tags: Computer security, data breach, data stolen, data theft, Identity Theft


    Mar 14 2014

    Hacking Point of Sale

    Category: cyber security, data security | DISC @ 9:28 am


    A hands-on guide to achieve better security at point of sale

    Hacking Point of Sale – A must-have guide for those responsible for securing payment card transactions. Hacking Point of Sale is a book that tackles the issue of payment card data theft head on. It covers issues from how attacks are structured to the structure of magnetic strips to point-to-point encryption, and much more.

    Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

    Hacking Point of Sale…

    • A unique book on credit and debit card security, with an emphasis on point-to-point encryption of payment transactions (P2PE), from standards to design to application
    • Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV and ISO
    • Details how protected areas are hacked and how hackers notice vulnerabilities
    • Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

    An essential guide for security professionals who are charged with addressing security issues with point of sale systems.

    Tags: debit card, Information Security, Payment card industry, Payment Card Industry Data Security Standard, Point of sale


    Feb 09 2014

    Why to use hardware-encrypted USB sticks

    Category: data security | DISC @ 10:17 pm

    Hardware-encrypted drives have tangible benefits as file sharing and mobility tools, as backup drives and much more. Hardware-based encryption is also more secure because the keys are embedded in the flash drive: extracting them requires physical access to the device and very specialized knowledge.

    • Safeguard keys and critical security parameters within crypto-hardware
    • Authentication takes place on the hardware
    • Cost-effective in medium and larger application environments, easily scalable
    • Encryption is tied to a specific device, so encryption is “always on”
    • Does not require any type of driver installation or software installation on host PC
    • Protects against the most common attacks, such as cold boot attacks, malicious code and brute-force attacks

    If you want your organisation to avoid the risk of a data breach, you need to use hardware-encrypted USB sticks, such as SafeXs 3.0, when you transfer data outside the organisation. Using SafeXs 3.0 sticks will protect any data stored on them to a high degree, as the data is hardware encrypted, which is more secure than software encryption.

    You should also use a USB stick management solution such as SafeConsole to ensure you are managing your secure USB sticks. This offers the advantage of being able to remote wipe data if a stick goes missing, enforce security policy across your sticks and a whole host of other security features.

    Ensure your information security runs smoothly through the use of a simple, secure USB stick such as SafeXs 3.0, used in conjunction with SafeConsole Secure USB Management.

    Integral® 16GB Crypto Drive – FIPS 197 Encrypted USB

    Hardware Encrypted USB Flash Drive


    Nov 08 2011

    Looking for a secure USB stick with hardware encryption

    Category: Access Control, data security | DISC @ 10:55 pm

    CESG Approved USB Stick
    CESG is the UK Government’s National Technical Authority for Information Assurance

    Over 1 million SafeSticks are now in use in the NHS helping to keep patient data and other confidential data secure! Buy your SafeStick today!

    SafeStick is a secure USB stick with AES 256 bit hardware encryption and is FIPS 197 certified.

    SafeStick includes brute force attack lockdown protection. This means should the password to your SafeStick be entered incorrectly a number of times, the SafeStick is disabled or the data on it wiped.

    The antivirus and anti-malware software available for SafeStick (at an extra cost) prevents any nefarious software from spreading via your SafeStick. With one in four virus or malware attacks now spread by USB sticks, this is an essential control to have in place.

    Key Features and Benefits:

  • Uses AES 256 (FIPS 197 certified) hardware encryption to protect your data – this makes it highly unlikely that, should a drive be lost, anyone would be able to access the data.
  • This stick is the one that was chosen for use by the UK’s National Health Service (NHS). To date over 1 million SafeSticks are now in use in the NHS helping to keep patient data and other confidential data secure!
  • SafeStick is a fully manageable enterprise solution when used in partnership with SafeConsole (available at an extra cost). SafeConsole allows you to kill a stick if it has gone missing. It also enables you to enforce group policies, allowing you to enforce such policies as allowing certain file types to be put on the drive whilst denying others. You can also reset passwords using SafeConsole.

    SafeStick is tough, durable, waterproof, heat resistant, crush proof. It can take anything you can throw at it.

    SafeStick is compatible with Windows 7, Vista, XP, 2000, 2003, 2008, Mac OS X, Linux and Citrix, comes in an ultra-small form factor and can be used as either a standalone or an enterprise solution.

    Simply plug in a SafeStick and within minutes you can be up and running. All you need do is set a password and any data placed on the SafeStick is encrypted.

    Order your SafeStick today!!!

    BlockMaster SafeStick 1G Encrypted USB Flash Drive

    BlockMaster SafeStick 2G Encrypted USB Flash Drive

    BlockMaster SafeStick 32G Encrypted USB Flash Drive


    Nov 03 2011

    Knowledge Management finally gets its own book: WKIDM

    Category: Data mining, data security | DISC @ 9:11 am

    by Melanie Watson
    That’s right, Knowledge Management finally has its own book: Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM).

    The primary role of Knowledge Management is to “improve the quality of decision making” by making sure that information throughout the Service Lifecycle is accurate, reliable and trustworthy. This book covers all four areas of knowledge: data, information, knowledge and wisdom.

    This book, (endorsed by the OGC – the creators of the ITIL methodology) provides a comprehensive and much-needed source of information on data and information management. It examines the effective production, coordination, storage, retrieval, dissemination and management of information from internal and external sources.

    Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM)

    Tags: it service management, ITIL, ITSM


    Oct 20 2011

    Finding And Securing Sensitive Data In The Enterprise

    Category: data security | DISC @ 9:40 am

    By Robert Lemos @ DarkReading.com

    Your organization’s most valuable data may be stored in scattered – and insecure – locations. Here are some tips for identifying that data and making sure it doesn’t leak out.

    When Michael Belloise joined human resources outsourcing firm TriNet four years ago as the IT manager, the amount of sensitive data held by the company put him on edge.

    TriNet handles payroll and benefits for its customers. As such, its systems store Social Security numbers, birth dates, employee ID numbers, and addresses for 100,000 workers at other companies. That data isn’t necessarily subject to the kind of detailed privacy and security rules covering financial transactions or healthcare information, but it’s highly sensitive nonetheless.

    Belloise brought in data loss prevention vendor Vontu (now part of Symantec) to install a data discovery appliance that finds and monitors all data leaving the company’s network. The results, says Belloise, were shocking.

    “I dare not drop any numbers about what we saw, but it was egregious,” he says.

    TriNet had secure ways of transmitting and storing data, but its employees were using alternative, less-secure methods, including unencrypted portable media, drop boxes, and attachments to email sent from personal accounts. In most cases, they were skirting the rules in order to serve customers faster, but some of the activity looked questionable and possibly malicious. The security violations didn’t result in any data breaches, but the results were eye opening, Belloise says.

    “It was to the point where you couldn’t put your head in the sand anymore, because it was that shocking,” he says.

    Belloise called a meeting of C-level execs and embarked on a mission to secure the company’s data. TriNet first studied its data to gauge the risk it faced. Then it altered processes and educated employees to minimize misuse of data, and also installed a DLP system to monitor compliance.

    TriNet’s experience isn’t all that unusual. Sensitive data has a habit of spreading throughout companies and ending up in places it shouldn’t be – places it’s more likely to be stolen or accidentally leaked. Lost, stolen, and inappropriately disposed-of laptops have accounted for the greatest number of breach incidents in most of the last five years, according to The Leaking Vault 2011, the Digital Forensics Association’s comprehensive report. But much of the information that’s on those laptops shouldn’t have been there to begin with.

    Read more on Finding and Securing Sensitive Data >>>

    Related topics to Secure the Enterprise Data

    Data Protection for Virtual Data Centers

    The Data Asset: How Smart Companies Govern Their Data for Business Success

    Privacy and Big Data

