Category Report - Compliance

30 September, 2008 16:03

Data security: countdown to compliance

Faced with a growing volume of data, organisations need to tighten up data compliance policies. Tier-3 CTO Geoff Sweeney provides the inside track on implementing the most effective measures to comply with the latest legislation.

Recent security breaches in the private and public sector have highlighted the need for organisations to ensure personal information is processed and stored securely. Ever-growing collections of personal data, more remote access and the prevalence of crime such as identity theft all create vulnerabilities. It is essential that effective data protection policies and practices are in place, combined with vigilance and strong governance at all levels in all organisations, to ensure data protection is taken seriously. Individuals expect the Data Protection Act to safeguard the security of their information. At the same time, information security is increasingly at risk.

As part of its new data protection strategy launched in March 2008, the UK's privacy watchdog, the Information Commissioner's Office (ICO), announced plans to promote the importance of appropriate security, to use its regulatory powers against organisations that neglect their responsibilities in this area and to help individuals to protect their own information.


In May 2008, this was reinforced when the Criminal Justice and Immigration Act received Royal Assent, creating tough new sanctions for the ICO, including the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. It is a step up from the ICO's previous powers to simply issue enforcement notices. This is not necessarily the end of the changes and there may be more regulation.

The European Network and Information Security Agency (ENISA) has also called for tougher laws than those in the US to force companies to reveal when their computer systems have been breached. In its 2007 general report, the EU's top security body said governments, businesses and consumers are still underestimating the scope of the IT security problem, in part because of the lack of transparency when breaches occur, and mandatory disclosure of security breaches would be a step toward raising recognition of the seriousness of security threats.

In the US, there are two laws which force organisations to publish details of security breaches. One is the California Breach Law (SB1386), which requires organisations doing business in California to tell customers about possible security breaches. Similar laws are planned for other states. The second is Sarbanes-Oxley, which obliges companies to be transparent about material aspects of their business, including security breaches.

Data vulnerability

Whether mandatory disclosure of information security breaches is ultimately adopted in the UK or not is unclear, but advances in IT have made the collection, storage and sharing of all sorts of information easier and available to a wider population.

Undoubtedly, these advancements have resulted in improved services across many sectors, but they have also increased the challenge of managing and protecting information. The vulnerability of data protection is apparent almost daily, with costly data leakage incidents regularly affecting individuals and the organisations charged with the custody of their sensitive information.

The connectivity of WANs (wide area networks) and the internet means that there are now few barriers to sharing information. The consequence, however, is that organisations can quickly lose control of who is sharing the information, where it is going and whether it is being used appropriately.

Risk management

With this in mind, the best way for organisations to meet their data protection obligations is to understand the information flows and uses within their business environment. A systematic risk-based approach, which matches the data monitoring and protection capabilities of the organisation with the risks associated with the loss of information based on its sensitivity, value and its likely impact on the individual and the organisation, is increasingly important.


Security policies, processes and technology are all part of the operational risk management process of identifying, monitoring and controlling information security breaches, which may cause highly public exposure to an organisation and its stakeholders.

Increasingly, with the large data volumes involved, this risk management loop requires the integration of skilled operational staff and competent technology to provide appropriate monitoring and control to ensure the use and movement of confidential information meets policy guidelines and is adequately protected.

Monitoring usage

The security management process should not be too onerous and, indeed, should be part of the overall IT security effort. Technology is available which can monitor who is accessing information, when and for what purpose. Using data protection systems, which employ behavioural analysis, an organisation can easily distinguish between legitimate use of its confidential information and inappropriate usage.

One of the most damaging breaches is when an authorised user who has legitimate access to sensitive information either accidentally or maliciously chooses to misuse or leak that information.

A behavioural analysis-based security system can detect unexpected or risky data movement even where other systems cannot. By recording the movement and use of information, a behavioural analysis-based security system establishes a profile that incorporates the characteristics of normal system use. By constantly monitoring and profiling user and system activity, the system immediately recognises when information is accessed, changed or shared in an unusual or uncharacteristic manner, and immediately alerts the accountable manager for remediation and evidentiary audit purposes. Specific business and policy rules can enable early warning of any specific forbidden or unacceptable practices such as theft or fraud.
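The profiling-and-deviation approach described above, as an added illustration that is not Tier-3's product or any code from the original article: a per-user profile of normally accessed resources, working hours and access volume is built from a constructed window of access-log records, and later accesses by the same authorised users are scored against it. Field names, thresholds and the sample records are assumptions for this example.

```python
"""Toy behavioural-profile detector for misuse of confidential data by authorised users.

Builds a per-user profile (resources normally touched, usual hours, typical volume
per access) from a training window of access records, then flags later accesses
that deviate from it. Record layout and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline records: (timestamp, user, resource, records_read)
BASELINE = [
    ("2008-09-01T09:12", "alice", "hr/payroll", 40),
    ("2008-09-02T10:05", "alice", "hr/payroll", 55),
    ("2008-09-03T14:30", "alice", "hr/payroll", 38),
    ("2008-09-01T08:50", "bob", "sales/crm", 120),
    ("2008-09-02T17:20", "bob", "sales/crm", 140),
    ("2008-09-03T11:00", "bob", "sales/reports", 20),
]

def build_profiles(records):
    """Summarise normal behaviour per user: resources seen, hours seen, largest volume."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set(), "max_records": 0})
    for ts, user, resource, count in records:
        p = profiles[user]
        p["resources"].add(resource)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_records"] = max(p["max_records"], count)
    return profiles

def score_event(profiles, event, volume_factor=3):
    """Return the reasons an access deviates from the user's profile (empty list = normal)."""
    ts, user, resource, count = event
    p = profiles.get(user)
    if p is None:
        return ["unknown user"]          # no profile at all: cannot be vouched for
    reasons = []
    if resource not in p["resources"]:   # legitimate user reaching into unfamiliar data
        reasons.append(f"first access to {resource}")
    hour = datetime.fromisoformat(ts).hour
    if not any(abs(hour - h) <= 1 for h in p["hours"]):   # tolerate one hour of drift
        reasons.append(f"unusual hour {hour:02d}:00")
    if count > volume_factor * p["max_records"]:          # bulk read far above the norm
        reasons.append(f"volume {count} exceeds {volume_factor}x baseline max {p['max_records']}")
    return reasons

def detect(baseline, events):
    """Alerts for the accountable manager: (event, reasons) for each anomalous event."""
    profiles = build_profiles(baseline)
    alerts = []
    for event in events:
        reasons = score_event(profiles, event)
        if reasons:
            alerts.append((event, reasons))
    return alerts
```

Each alert carries the original event alongside the reasons it fired, which is the evidentiary record the paragraph above says the accountable manager needs.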

The scale and workload of protecting stored and transmitted sensitive information is undoubtedly becoming greater. The problem for organisations is that their responsibility for information protection remains unchanged.

With the intrinsic risk associated with storing and sharing information, owners continue to need information about who is accessing data, for what purpose and where they are taking it. For this reason, risk-based behavioural technology provides the ability to continuously manage and report the status of access and usage of confidential information.
http://www.tier-3.com/

Storage Expo 2008

Tier-3 will be exhibiting at Storage Expo 2008, the data storage, information and content management event. The show features a comprehensive free education programme and over 100 exhibitors and will be held at Olympia, London from 15-16 October 2008. www.storage-expo.com