ITS 833 – INFORMATION GOVERNANCE

Chapter 11 – Information Governance

Privacy and Security Functions

University of the Cumberlands

Dr Isaac T. Gbenle

CHAPTER GOALS AND OBJECTIVES

Things To Know:

Sources of Threats to protection of data

Solutions to threats to protection of data

Identify some privacy laws that apply to securing an organization’s data

What is meant by redaction

What are the limitations on perimeter security?

What is IAM?

What are the challenges of securing confidential e-documents?

What are the limitations of a repository-based approach to securing confidential e-documents?

What are some solutions to securing confidential e-documents?

What is stream messaging?

How is a digital signature different from an electronic signature?

What is DLP Technology?

What are some basic DLP methods?

What are some of the limitations of DLP?

What is IRM?

What are some key characteristics or requirements for effective IRM?

What are some approaches to securing data once it leaves the organization?

Cyberattack Proliferation

Who are the victims?

Government

Corporations

Banks

Schools

Defense contractors

Private individuals

Who are the perpetrators?

Foreign governments

Domestic and foreign businesses

Individual hackers/hacking societies

Insiders

INSIDER THREATS

Some insiders are malicious; many are not (careless or unaware of policy).

Insider incidents can be more costly than attacks from outside, because the insider already has legitimate access.

Nearly 70% of employees have engaged in IP theft.

Nearly 33% have taken customer contact information, databases or other customer data.

Most employees send e-documents to their personal e-mail accounts, and nearly 60% believe this is acceptable behavior.

Insider thieves often feel entitled to partial ownership because they created the documents or data.

58% say they would take data from their company if terminated, and believe they could get away with it.

SOLUTION?

Security – including document life cycle security

Risk Education

Employee Use Policy

IG Training and Education

Enforcement and Prosecution – Make an example!

Monitoring

PRIVACY LAW THAT MAY APPLY

Federal Wiretap Act

Prohibits the unauthorized interception and/or disclosure of wire, oral or electronic communications

Electronic Communications Privacy Act of 1986 (ECPA)

Amended the Federal Wiretap Act to extend its protections to electronic communications, with specific provisions on e-mail privacy

Stored Communications and Transactional Records Act (commonly called the Stored Communications Act, Title II of ECPA)

Governs access to and disclosure of communications held in storage by service providers; sometimes can be used to protect e-mail and other internal communications from discovery

Computer Fraud and Abuse Act (CFAA)

Makes it a crime to intentionally access a "protected computer" without authorization, or in excess of authorized access

"Protected computer" includes computers used by financial institutions or the federal government and any computer used in or affecting interstate or foreign commerce, which in practice covers nearly every networked system

Freedom of Information Act (FOIA)

Gives citizens the ability to request government documents; released documents are sometimes redacted to remove exempt material

LIMITATIONS ON SECURITY

"Traditional security techniques" focus on the perimeter and on access:

Perimeter security

Firewalls

Passwords

Two-factor authentication

Identity verification

Limitations of traditional techniques:

Limited effectiveness once the perimeter has been crossed

Haphazard protections, applied unevenly across systems

Complexity

No direct protection of the document itself, only of the paths leading to it

Security requires a change in thinking: secure the document itself, in addition to the traditional techniques that secure "access" to the document.

DEFENSE IN DEPTH TECHNIQUES TO SECURITY

Use multiple layers of security mechanisms, so that no single failure exposes the data:

Firewall

Antivirus/antispyware software

Identity and Access Management (IAM)

Hierarchical passwords

Intrusion detection

Biometric verification

Physical security

What is IAM?

The goal is to prevent unauthorized people from accessing a system, and to give authorized people only the access their role requires.

Effective IAM includes:

Auditing of who has access to what

Constant updating as people join, change jobs and leave

Evolving roles as the organization changes

Risk reduction

LIMITATIONS OF REPOSITORY-BASED APPROACHES TO SECURITY

Traditionally, organizations have applied "repository-based" solutions, which have not been effective: document repositories that reside in databases and e-mail servers behind a firewall.

Once an intruder breaches the firewall and is inside the network, they can reach the repository's data with the same freedom as a legitimate user.

Knowledge workers tend to keep copies of documents on their desktops, tablets and other devices, outside the repository and its controls.

We operate in an extended enterprise of mobile and global computing, in which sensitive and confidential information routinely leaves the repository.

SOLUTION?

Better technology for better enforcement in the extended enterprise.

Basic security for the Microsoft Windows/Office desktop: protection of e-documents through password protection of Microsoft Office files.

A good idea, with two caveats: a lost password cannot be recovered, and the protection is only as strong as the password and the file format (the legacy .doc/.xls encryption is weak and easily broken; the current Office formats use AES with a key derived from the password).

Consider that "deleted" files actually aren't: deletion only removes the directory entry, and the data stays on the drive until it is overwritten.

Wipe the drive completely (overwrite it, or on SSDs use the drive's built-in secure-erase or crypto-erase function, since wear levelling makes overwriting unreliable) to ensure that confidential information is completely removed.

Lock down: stop all external access to confidential documents.

Take the computer off the network and block the use of USB and other ports.

Secure printing:

Use software to hold print jobs until the user authenticates at the network printer and is ready to retrieve the output.

Erase sensitive print files (spool files and printer storage) once they have been used.

SOLUTION (contd)

E-mail encryption

Encryption of desktop folders and e-docs

Use stream messaging when appropriate

Use digital signatures, which are not the same thing as electronic signatures: an electronic signature is any mark of intent to sign (a typed name, a scanned image, a click-to-accept), while a digital signature is a cryptographic value computed with the signer's private key over the document's contents, so it both identifies the signer and reveals any later change to the document.

Use Data Loss Prevention (DLP) software to ensure that sensitive data does not exit through the firewall.

Three basic DLP techniques: scanning outbound traffic for keywords or regular expressions; classifying documents and content against a predefined set of categories; and tainting, in which content copied from a sensitive source carries a tag that follows it. Each has weaknesses: pattern matching misses encoded, encrypted or reworded data and produces false positives; classification is only as good as its categories; and taint tags are lost when content is retyped, photographed or sent through a channel the DLP system does not inspect.

IRM (Information Rights Management) / ERM (Enterprise Rights Management) software provides security to e-documents in any state, at rest, in transit and in use (persistent security).
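The difference between an electronic signature and a digital signature, shown in working code. This is an added example, not code from the chapter or the course: it uses Go's standard Ed25519 implementation, and the contract text, the "/s/ Name" marker and the key names are constructed for the demonstration. The typed-name check stands in for the weakest kind of electronic signature; the Ed25519 check is a real digital signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedDocument is a document plus a digital signature that binds the
// signer's key to these exact bytes. Changing Content, Signature or Signer
// makes verification fail.
type SignedDocument struct {
	Content   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign produces an Ed25519 signature over the document content.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, content),
	}
}

// Verify checks the two things a digital signature gives you and an
// electronic signature does not: the signer holds a key we trust, and the
// content has not changed since it was signed.
func Verify(doc SignedDocument, trusted ed25519.PublicKey) error {
	if !trusted.Equal(doc.Signer) {
		return errors.New("signed by a key we do not trust")
	}
	if !ed25519.Verify(doc.Signer, doc.Content, doc.Signature) {
		return errors.New("content or signature altered after signing")
	}
	return nil
}

// TypedSignaturePresent models the weakest form of electronic signature: a
// "/s/ Name" line appended to the document. It can only confirm the marker
// is there; it cannot tell whether the text above it was edited, or whether
// someone other than Name typed it.
func TypedSignaturePresent(doc []byte, name string) bool {
	return bytes.HasSuffix(doc, []byte("\n/s/ "+name))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document (not from the chapter).
	contract := []byte("Payment due: 10,000 USD to account 1234\n/s/ Jane Doe")

	// Electronic signature: editing the amount goes unnoticed.
	forged := bytes.Replace(contract, []byte("10,000"), []byte("90,000"), 1)
	fmt.Println("typed signature still present on edited doc:", TypedSignaturePresent(forged, "Jane Doe"))

	// Digital signature: the same edit is detected.
	signed := Sign(priv, contract)
	fmt.Println("original verifies:", Verify(signed, pub) == nil)
	signed.Content = forged
	fmt.Println("edited verifies:", Verify(signed, pub) == nil)
}
```

In practice the trusted public key comes from a certificate or a key directory rather than from the document itself; Verify deliberately compares the embedded signer key against a key the verifier already trusts, because a forger can always embed their own key next to their own signature.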

SOLUTION (Contd)

Device control methods, for example blocking USB and other removable-media ports

Use of "thin clients", so that documents are rendered centrally and never stored on the endpoint

Compliance requirements imposed by regulators and business partners

Hybrid approach: combining DLP and IRM technologies, so that DLP finds sensitive content at the point of exit and IRM keeps it protected after it has left
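The three DLP techniques named on the previous slide (pattern scanning, classification against a predefined set, and tainting), together with the weaknesses of each, as an added example that is not the chapter's own material. The regular expressions, the category keywords, the taint tag name and the sample messages are all constructed for the demonstration; real products use fingerprinting and trained classifiers rather than a keyword list, but the blind spots are the same.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Finding records which DLP method fired and on what.
type Finding struct {
	Method string // "pattern", "classification" or "taint"
	Detail string
}

// Attachment carries an optional taint tag, assigned when the file was
// copied out of a confidential repository; derived copies inherit it.
type Attachment struct {
	Name  string
	Taint string // "" when the origin is unknown
	Data  string
}

// Message is an outbound e-mail or IM as seen at the egress point.
type Message struct {
	Body        string
	Attachments []Attachment
}

// Method 1: pattern scanning. Constructed example patterns (assumptions,
// not from the chapter) for a US SSN and a 16-digit card-number shape.
var patterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"card", regexp.MustCompile(`\b(?:\d{4}[ -]?){3}\d{4}\b`)},
}

// Method 2: classification against a predefined label set. Keywords are
// lower-case because the text is lower-cased before matching.
var classes = []struct {
	label    string
	keywords []string
}{
	{"financial", []string{"quarterly results", "revenue forecast"}},
	{"hr", []string{"salary data", "performance review"}},
}

// Scan applies all three methods to a message and returns every hit.
func Scan(m Message) []Finding {
	var out []Finding
	text := m.Body
	for _, a := range m.Attachments {
		text += "\n" + a.Data
		if a.Taint != "" { // Method 3: tainting
			out = append(out, Finding{"taint", a.Name + " originates from " + a.Taint})
		}
	}
	for _, p := range patterns {
		for _, hit := range p.re.FindAllString(text, -1) {
			out = append(out, Finding{"pattern", p.name + ": " + hit})
		}
	}
	lower := strings.ToLower(text)
	for _, c := range classes {
		for _, kw := range c.keywords {
			if strings.Contains(lower, kw) {
				out = append(out, Finding{"classification", c.label + " (" + kw + ")"})
				break
			}
		}
	}
	return out
}

// Blocked is the egress decision: any finding stops the message.
func Blocked(m Message) bool { return len(Scan(m)) > 0 }

func main() {
	// Constructed sample traffic: all three methods fire.
	caught := Message{
		Body:        "Per the quarterly results, John's SSN is 123-45-6789.",
		Attachments: []Attachment{{Name: "forecast.xlsx", Taint: "finance-repo", Data: "revenue forecast FY25"}},
	}
	fmt.Println("caught:", Scan(caught))

	// The same information leaked with three cheap tricks: encode the SSN,
	// paraphrase the classified terms, and retype the attachment so it has
	// no taint tag. None of the three methods sees it.
	evaded := Message{
		Body:        "Here are the Q3 numbers. John's id: " + base64.StdEncoding.EncodeToString([]byte("SSN 123-45-6789")),
		Attachments: []Attachment{{Name: "fc.txt", Taint: "", Data: "rev fcst FY25 (retyped)"}},
	}
	fmt.Println("evaded:", Scan(evaded), "blocked:", Blocked(evaded))
}
```

Each miss in the second message maps to one weakness: base64 (or encryption, or a screenshot) defeats pattern scanning, paraphrase defeats a fixed category set, and anything re-created by hand arrives without its taint tag. This is why the chapter pairs DLP with IRM rather than relying on egress filtering alone.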

More on IRM

Transparent: no user intervention required

Remote control of e-documents after they have been distributed

Provides file-level protection that travels with the file, even if it is stolen

Protects different document types consistently (office documents, PDFs and other formats)

Allows for the creation and enforcement of policies governing access to and use of sensitive/confidential e-documents (view, edit, print, copy, forward, expiry)

Decentralized administration

Good IRM software provides a useful audit trail of who opened what, when and from where

Integration with other enterprise systems

Provides embedded protection that allows the files to protect themselves

Key characteristics of IRM:

Security

Transparency: cannot be more difficult to use than working with unprotected documents

Easy to deploy and manage

SECURING DATA ONCE IT

LEAVES THE ORGANIZATION

REMEMBER: CONTROL DOES NOT REQUIRE OWNERSHIP! You can retain control over a document you no longer hold.

Consider a new architecture where security is built into the DNA of the network, using five data security design patterns:

Thin client: documents are viewed and edited on the server, and nothing sensitive is stored locally

Thin device: minimal data on the endpoint, with the ability to remotely wipe it

Protected process: sensitive work runs only inside a controlled, monitored environment

Protected data: protection (encryption and policy) is attached to the data itself and travels with it

Eye in the sky: central monitoring and logging of how documents are used

Supporting techniques:

Document labeling

Document analytics

Confidential stream messaging
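The "protected data" pattern above and the IRM characteristics on the previous slide (file-level protection that travels with the file, and a policy enforced on every open) come down to one mechanism: the document is encrypted, and its policy is bound to the ciphertext so that it cannot be edited without destroying the file. The example below is added here and is not code from the chapter or from any IRM product. It uses AES-GCM from Go's standard library with the JSON-encoded policy as additional authenticated data; the key, the policy fields, the user names and the document text are all constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy is embedded in the protected file. It is authenticated, not
// encrypted: any viewer can read it, but changing a single byte of it makes
// the file undecryptable, so a thief cannot simply add themselves as a reader.
type Policy struct {
	Owner     string   `json:"owner"`
	Readers   []string `json:"readers"`
	ExpiresAt int64    `json:"expires_at"` // unix seconds; 0 = never expires
}

// ProtectedFile is what travels: policy in the clear, random nonce, and the
// AES-GCM ciphertext with its authentication tag appended.
type ProtectedFile struct {
	Policy     Policy
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext and binds the policy to the ciphertext as
// GCM additional authenticated data.
func Protect(key, plaintext []byte, p Policy) (ProtectedFile, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return ProtectedFile{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedFile{}, err
	}
	aad, _ := json.Marshal(p) // struct fields marshal in a fixed order
	return ProtectedFile{Policy: p, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// Allowed is the access decision a viewer must make on every open, wherever
// the file is; that is what makes the protection persistent.
func Allowed(p Policy, user string, now time.Time) bool {
	if p.ExpiresAt != 0 && !now.Before(time.Unix(p.ExpiresAt, 0)) {
		return false
	}
	if user == p.Owner {
		return true
	}
	for _, r := range p.Readers {
		if r == user {
			return true
		}
	}
	return false
}

// Open enforces the policy, then decrypts. Decryption fails if either the
// content or the embedded policy was altered after protection.
func Open(key []byte, f ProtectedFile, user string, now time.Time) ([]byte, error) {
	if !Allowed(f.Policy, user, now) {
		return nil, errors.New("policy denies access to " + user)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(f.Policy)
	pt, err := aead.Open(nil, f.Nonce, f.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("content or policy tampered with")
	}
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key; real IRM issues it from a policy server
	now := time.Now()
	policy := Policy{Owner: "alice", Readers: []string{"bob"}, ExpiresAt: now.Add(24 * time.Hour).Unix()}
	f, err := Protect(key, []byte("Q3 forecast: constructed sample text"), policy)
	if err != nil {
		panic(err)
	}
	_, err = Open(key, f, "bob", now)
	fmt.Println("bob, listed in policy:", err)
	_, err = Open(key, f, "mallory", now)
	fmt.Println("mallory, not listed:", err)
	stolen := f // a copy of the file with an edited policy
	stolen.Policy.Readers = append([]string{"mallory"}, f.Policy.Readers...)
	_, err = Open(key, stolen, "mallory", now)
	fmt.Println("mallory after editing the policy:", err)
	_, err = Open(key, f, "bob", now.Add(48*time.Hour))
	fmt.Println("bob after expiry:", err)
}
```

In a real deployment the key is never stored with the file: the viewer authenticates to the IRM/policy server, which hands out the content key only if the policy allows, and logs the request (the audit trail from the previous slide). The limit of the approach is the client: a user who legitimately obtains the key and a modified viewer, or simply a camera, can still capture the content, which is why the chapter combines IRM with DLP and monitoring rather than relying on any one of them.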

Discussions

ITS 833 – INFORMATION GOVERNANCE

Chapter 12 – Information Governance

For Email and Instant Messaging*

University of the Cumberlands

Dr Isaac T. Gbenle

Tips for Safer IM

Organizations should assume that IM is being used, whether they have sanctioned it or not. And that may not be a bad thing: employees may have found a reasonable business use for which IM is expedient and effective. So management should not rush to ban its use in a knee-jerk reaction. Here are some tips for safer use of corporate IM:

Just as e-mail attachments and embedded links are suspect and can contain malicious executable files, beware of IM attachments too. The same rules governing e-mail use apply to IM: employees should never open attachments from people they do not know. Even if they do know the sender, phishing and social engineering scams mean these attachments should first be scanned for malware using antivirus tools.

Do not divulge any more personal information than is necessary. This comes into play even when creating screen names, so the naming convention for IM screen names must be standardized for the enterprise. Microsoft advises, "Your screen name should not provide or allude to personal information. For example, use a nickname such as SoccerFan instead of BaltimoreJenny."[19]

Keep IM screen names private; treat them as another information asset that needs to be protected, to reduce unwanted IM requests, phishing, or spam (actually "spim", in IM parlance).

Prohibit transmission of confidential corporate information. It is fine to set up a meeting with auditors, but do not attach and route the latest financial report through unsecured IM.

Tips for Safer IM (contd)

Restrict IM contacts to known business colleagues. If personal contacts are allowed for emergencies, limit personal use for everyday communication. In other words, do not get into a long personal IM conversation with a spouse or teenager while at work. Remember, these conversations are going to be monitored and archived.

Use caution when displaying default messages when you are unavailable or away. Details such as where an employee is going to have lunch or where their child is being picked up from school may expose the organization to liability if a hacker takes the information and uses it for criminal purposes. Employees may be unknowingly putting themselves in harm's way by giving out too much personal information.

Ensure that IM policies are being enforced by utilizing IM monitoring and filtering tools and by archiving messages in real time for a future verifiable record, should it be needed.

Conduct an IM usage policy review at least annually; more often in the early stages of policy development.

Important things to know

E-mail is a critical area for IG implementation, as it is a ubiquitous business communication tool and the leading piece of evidence requested at civil trials.

Nearly 80 percent of all employees send work e-mail messages to and from their personal e-mail accounts, which exposes critical information assets to uncontrolled security risks.

Meeting e-mail retention and archival requirements becomes an impossible task when e-mail messages are routed in a haphazard manner via personal accounts.

In developing e-mail policies, an important step is consulting with stakeholders.

E-mail policies must not be too restrictive or tied to a specific technology. They should be flexible enough to accommodate changes in technology and should be reviewed and updated regularly.

Important things to know

Not all e-mail messages constitute a business record.

Not all e-mail rises to the level of admissible legal evidence. Certain conditions must be met.

Automatic archiving protects the integrity of e-mail for legal purposes.

Instant messaging use in business and the public sector has become widespread, despite the fact that often few controls or security measures are in place.

Typically as much as 80 percent of all IM use in corporations today is over free public networks, which heightens security concerns.

Important things to know (contd)

IM monitoring and management technology provides the crucial components that enable the organization to fully implement best practices for business IM.

Enterprise IM systems provide a greater level of security than IM from free services.

Regular analysis and modification (if necessary) of business IM policies and practices will help organizations leverage the maximum benefit from the technology.

Records of IM use must be captured in real time and preserved to ensure they are reliable and accurate.

Discussions

Discussion Question

Chapter 12: From the chapter reading, we learned that e-mail is a major area of focus for information governance (IG) efforts, and has become the most common business software application and the backbone of business communications today. In addition, the authors supported their position with 2013 survey results from 2,400 corporate e-mail users worldwide: two-thirds of respondents said that e-mail was their favorite form of business communication, surpassing not only social media but also telephone and in-person contact.

Q: With this detail in mind, briefly state why e-mail has become a critical component for IG implementation.