The absence of effective risk controls for data security often start with denial of vulnerabilities. Here is a true story:

...I'm not concerned about data theft. We've outsourced our entire IT operation to a big bank's data center and they're up to speed on information security. I can always go back to the logs and figure it out if something happens.
Vice President Internal Audit of a private banking institution with $5BN in assets.

Just 2 months later, the "big bank" had a major data theft event. Both banks missed their earnings estimates and took a beating in the market. Today the private institution is trying to break out of their 5 year outsourcing contract.

Human resources controls

Ensuring employee loyalty and reliability starts with HR, which has responsibility for hiring and guiding the management of employees. High-security organizations (such as? Could you name a few areas?)defense contractors or securities traders add additional screening such as polygraphs and security checks to the hiring process. Over time, organizations may sense personality changes, domestic problems or financial distress that indicate increased extrusion risks for employees in sensitive jobs.

Disconnect #1: HR isn't accountable for the corporate brand and therefore doesn't pay the price when trusted employees and contractors steal.

Internal audit

Extrusion prevention is part of an overall internal audit process that helps an organization achieve its objectives in the areas of:

• Operational effectiveness
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and implementation of preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today's Windows and Linux event logs, log analysis is still the mainstay of the EDP (What does EDP mean? My guess is electronic data processing) Yes it does - EDP audit is sort of a buzz word I thought - we can use IT audit if you think it is clearer audit. Over the past 7 years our industry evolved to Client-Server computing, XML Web services and converged IP networks. Welcome to stateless http transactions, dynamic IP addressing and Microsoft Active Directory, where your ability to audit network activity depends on which versions of Windows run on your workstations and servers. Offline analysis of logs has fallen behind and yields too little, too late for the EDP auditor!

Disconnect #2: EDP audit have the job but they don't have the tool.

Physical security

Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can do a simple programming of the gates to ensure that every tag leaving the building also entered the building. Many companies run employee awareness programs to remind the staff to guard classified information and to look for suspicious behavior.

Disconnect #3: Perfect physical security will be broken by a Nokia 3650 (cell-phone with camera)

Information security

Information security builds layers of firewalls and content-security at the network perimeter, and permissions and identity management that control access by trusted insiders to digital assets, such as business transactions, data warehouse and files. This structure lulls the business managers into a false sense of security. Let's not forget that firewalls let traffic in and out, and permissions systems grant access to trusted insiders by definition. Could your explain a little more what you mean here or give an example of what you mean? For example, an administrator in the billing group will have permission to logon to the accounting database and extract customer records using SQL commands. He can then zip the data with a password and extrude the file using a private Webmail account.

Content-security tools based on http/smtp proxies are used against viruses and spam. These tools weren't designed for extrusion prevention; they don't inspect internal traffic, they only scan authorized e-mail channels, they rely on file-specific content recognition and have scalability and maintenance issues. When content security tools don't fit, we've seen customers roll out home-brewed solutions with open source software such as Snort and Ethereal. A client of ours recently used Snort to nail an employee who was extracting billing records with command line SQL and extruding the results by Web mail.

Disconnect #4: Relying on permissions and identity management is like running a retail store that screens you coming in but doesn't put magnetic tags on the clothes to prevent you from wearing that expensive hat going out.

The direct approach to digital asset protection

To correct the disconnects and protect your digital assets, you need CEO level commitment to management and technology controls:

The direct management method
Your company's management should directly mandate extrusion prevention:

• Soft controls - Training and continuous behavior sensing
• Direct controls - Good hiring and physical security
• Indirect controls - Internal Audit

The direct technology method
Your technology solution must be based on classifying your key digital assets and identifying when they flow out of your network to dubious or forbidden destinations.
This direct approach is deployed independently of privileged system managers, permissions and identity management systems and complex perimeter security systems. It's simple and it's effective.