I've had many discussions with senior management regarding the need to protect the "Crown Jewels" of a company. The article "Ex-Goldman Programmer Out on Bail" is a great example of one company's "Crown Jewels" being exposed.
In this case, the call seems fairly straightforward on the surface: this particular program code is highly sensitive and needs the greatest protections available. In most cases, however, it's not so easy. One difficulty in identifying sensitive data is that sensitive data can be the result of combining more than one 'non-sensitive' data source.
A basic example would be these two pieces of non-sensitive data:
1) DOB: 01/02/1988
2) NAME: Jane Doe.
These non-sensitive fields become sensitive only when they are linked together. Another difficulty is that the information in question may be sensitive only for a period of time and then become non-sensitive. A simple example of this would be information related to a yet-to-be-announced merger.
The Goldman example also highlights the benefits and importance of companies having an Information Risk Framework to help drive the identification of sensitive information and ensure adequate controls are in place for what is identified as sensitive.
Later on, I will share what the difference is between Information Risk and IT Risk. They are often confused.





Mark-
Actually, there are new algorithms that can trigger risk management actions (notification, quarantine, encryption, etc.) based on "tuples" like f_name+l_name+DOB and similar. These detection methodologies are what's behind a lot of the success of technologies like Data Loss Prevention.
Many traces of crimes like these can be matched against similar algorithms and detected or even proactively prevented.
Kevin
Posted by: Kevin Rowney | July 31, 2009 at 07:34 PM
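The name-plus-DOB linkage from the article and the f_name+l_name+DOB tuple from the comment above can be sketched as a small detector. This is an added example, not code from the post, the commenter, or any DLP product; the records, the sample strings, the two accepted date formats (MM/DD/YYYY and YYYY-MM-DD) and the 80-character window are all assumptions.

```python
import re
from datetime import date

# Constructed sample records (hypothetical), mirroring the article's Jane Doe example.
PROTECTED = [
    {"f_name": "Jane", "l_name": "Doe", "dob": date(1988, 1, 2)},
    {"f_name": "John", "l_name": "Roe", "dob": date(1975, 11, 30)},
]

DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b|\b(\d{4})-(\d{2})-(\d{2})\b")
WORD_RE = re.compile(r"[A-Za-z']+")

def _dates(text):
    """Yield (offset, date) for MM/DD/YYYY and YYYY-MM-DD strings (assumed formats)."""
    for m in DATE_RE.finditer(text):
        try:
            if m.group(1):
                d = date(int(m.group(3)), int(m.group(1)), int(m.group(2)))
            else:
                d = date(int(m.group(4)), int(m.group(5)), int(m.group(6)))
        except ValueError:
            continue  # digits that do not form a real calendar date
        yield m.start(), d

def find_tuples(text, records=PROTECTED, window=80):
    """Return records whose first name, last name and DOB all occur within
    `window` characters of each other; a single field alone never matches."""
    words = [(m.start(), m.group().lower()) for m in WORD_RE.finditer(text)]
    dates = list(_dates(text))
    hits = []
    for rec in records:
        first = [o for o, w in words if w == rec["f_name"].lower()]
        last = [o for o, w in words if w == rec["l_name"].lower()]
        dobs = [o for o, d in dates if d == rec["dob"]]
        # Sensitive only when all three fields of the same record are linked.
        if any(max(f, l, d) - min(f, l, d) <= window
               for f in first for l in last for d in dobs):
            hits.append(rec)
    return hits

# Constructed sample text: full tuple in one sentence vs. partial fields only.
SAMPLE_HIT = "Customer Doe, Jane (born 1988-01-02) requested a statement."
SAMPLE_MISS = "Jane called about an invoice dated 01/02/1988."
```

The window size is the tuning knob: a wider window catches fields spread across a form or table row at the cost of more coincidental matches.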
Kevin,
Thanks for your comments.
I've been impressed with the significant advances in DLP capabilities, like the algorithms you mentioned. In fact, I believe that, fully exploited and matured, DLP capabilities will likely emerge to help companies with even broader business challenges like records management, information life cycle management, etc., which is simply reflective of the strength and potential of DLP.
Of course, as with most advances in technology, the maturity in the governance and business processes around those technologies tends to lag. As industry continues to embrace DLP and develops more mature business processes to deploy and manage DLP, we will see even greater benefit.
Mark
Posted by: Mark Brooks | August 01, 2009 at 12:31 PM