Message From The Head Of Security Consulting
Over the past six months or so, we have witnessed an increased focus on data protection initiatives in both government and private institutions in the region. These initiatives ranged from establishing governance around data classification, to privacy compliance, and all the way to implementation of technologies that would support the organization in monitoring and preventing leakage of sensitive information beyond the intended recipients as per the approved business need.
Elements of Data Protection
PEOPLE
- Communication of policy
- End-user education
- Classification of data (ownership, metadata, flows)
PROCESS
- Data Protection Framework
- Policy
- Process
- Protection requirements
- Handling requirements
TECHNOLOGY
- Automated classification
- Data leakage prevention
At Help AG, we have taken an information centric approach to establishing classification governance that is focused on knowledge transfer, which in turn means long-term sustainability of the program by the internal end customer resources. This is also coupled with state-of-the-at technologies that enable the organization to have an automated approach to labeling their sensitive data and preventing leakage outside the organization; as well as applying additional controls as per the defined sensitive information handling guidelines.
Create
- Classification
- Labeling
- Rights Management
Store
- Access Control
- Encryption
- Data Discovery
Use
- Activity Monitoring
- Rights Enforcement
- Application Control
Share
- Data Loss Prevention
- Encryption
- Application Controls
Archive
- Physical Protection
- Encryption
- Regulatory Compliance
Destroy
- Secure Disposal
- Retention Management
- Regulatory Compliance
Below are some tips that will ensure a sound information classification program:
- Define your objectives and set your KPIs
- Educate the general users on their responsibilities via dedicated awareness sessions
- Formally initiate the project with organizational stakeholders and ensure top management support
- Configure the DLP policies to fit the company business needs for information protection
- Formalize and communicate detailed policies, procedures, and guidelines to govern the information classification process
- Plan and perform periodic tests, e.g. simulate a scenario in which the DLP shall react as expected and analyze the results thoroughly
- Select the ight representatives from all organizational units to bring them together in the common ‘information protection journey
- Monitor the change management of the information classification process and reflect the necessary DLP improvements promptly
Tips for handling sensitive information
Do’s |
Don’ts |
| Abide by your corporate information classification policies and procedures | Leave sensitive information unattended |
| Label the information you create with the proper classification level | Pint sensitive information on a public printer |
| Avoid over-classifying and under-classifying your information | Store sensitive information on personal devices |
| Handle your information as per the defined handling guidelines for each classification level | Communicate sensitive information using unsecure mediums |
| Store your sensitive information in secure containers (physical cabinet, encrypted storage devices, etc.) | Provide sensitive data access to unauthorized users |
| Double check the email recipient before attaching sensitive information | Share your credentials with anyone |
| Pint sensitive information on corporate approved printers if there is a legitimate need | Dispose of information insecurely |
