Feature

Align your data protection efforts with GRC

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Why privileged account management is critical to today's data security."


In today's security-conscious organization, there is a split between two competing security camps: the policy-driven governance, risk and compliance (GRC) group and the technology-driven data protection group. In the "ring of protection," the GRC camp and the data protection camp are locked in a veritable "Smackdown," wrestling for the same buckets of resources and funding for their projects. Ultimately, however, both sides need each other to succeed.

Data protection tools such as DLP examine, block and report on unauthorized transmission of data, which protects an organization against loss of sensitive and confidential information. In many organizations, they're being deployed as a stopgap measure while security managers develop or refine their long-term protection strategies. But how do you configure a DLP service without proper security standards already in place? Vendors may offer "best practice" sets of configuration data, but be cautious: While they can be used as examples of the information needed to configure a DLP service, they generally don't provide an effective set of standards that fit an organization's data protection requirements.

On the other side, GRC activities create the foundational standards that drive security deployments like data protection. But how do you know they're effective without the feedback that data protection tools provide? Surveying managers and workers who handle sensitive data is one way to get feedback, but it's time-consuming and not always accurate.

When GRC and data protection activities are both effective and not in competition with each other, they create an ongoing cycle that benefits both, as illustrated:

Business and security requirements + key security events = security standards -> local execution -> configuration information -> data protection and reporting -> standards effectiveness feedback -> business and security requirements -> {cycle begins again}

So the configuration of a good data protection service relies on good GRC standards, and an effective set of GRC standards relies on good DLP services to provide feedback on their effectiveness. While both GRC standards and data protection services are needed, most companies don't have the time or energy to dive into them at the same time. So how does a company decide where to start? Here are some key considerations:

  • Does the organization have a working, clearly defined security standards development process? This process should take into consideration the organization's business and security requirements and prioritize the results according to the top security and industry or regulatory compliance issues that most affect the organization. The resulting standards should then be communicated down to the local business managers for execution. However, if the organization doesn't have a clearly defined process, then in the short term it will undoubtedly benefit from technological services like DLP. These services will block, as best as possible without a configuration mapped to the business' security standards, unauthorized access to sensitive information at the business' security boundaries until the process can be formally initiated.
  • Is the organization heavily regulated or constantly "under cyber attack" from outside entities? Businesses that are under the scrutiny of outside entities, whether legally or illegally (such as large online retailers who are constantly bombarded by cyber attacks), have to be able to monitor the effectiveness of their information boundaries. In this case, deploying tools like DLP is mandatory, even with a lack of security standards.
  • Who owns security? Is the enterprise managed centrally or is it distributed? Are there political ownership obstacles for security? Centrally managed organizations typically can create good GRC standards that are applicable across the entire organization. But distributed management models can run into political and control issues and usually have to rely on locally generated standards to manage security. This leads the local lines of business to protect their limited amounts of sensitive data with locally deployed data protection services.
  • What is the "resource to area of coverage" ratio? While this isn't necessarily a quantitative number, if you have a limited number of security personnel and large geographic areas or end-user populations, strong standards or strong tools will have to be put into place depending on your resources' capabilities. Businesses with limited resources tend to deploy tools first to augment their security team's activities.

So as you examine your business to see which camp you're in, you must look critically at the effectiveness of your GRC standards and data protection efforts. In the short term, funding and efforts should be directed at maintaining the stronger components while shoring up the weaker ones. In the end, the standards and services must be in balance to securely protect your information.

Randall Gamby is an independent security analyst who has worked in the security industry for more than 15 years. He specializes in security/identity management strategies, methodologies and architectures, and has a security and identity management blog at: http://randallgamby.wordpress.com. Send comments on this column to feedback@infosecuritymag.com.

This was first published in July 2009
