Tuesday, May 22, 2012

Cyber Crime Can Damage Aviation

In the recent past, we have witnessed numerous instances of data theft in the aviation industry, where data is deliberately stolen rather than simply lost. Hackers, spies, hacktivists and insiders: no stone is left unturned to gain information and therefore a competitive edge.

One rather above-board situation came to light a few months ago, when the company handling the call center of one of the largest airlines turned out to be owned and controlled by another airline (NewsLink). In such a complex set of commercial relationships the chance of a confidential-information breach is extremely high, because of the obvious conflict of interest.

Besides the above, the aviation industry is “opening up” its systems to the internet. From private, terminal based systems of even 5 years ago, the industry has rapidly moved to web based front, mid and back office systems. This of course has increased productivity and reduced costs but it comes with increased risks of information breaches.

The aviation industry is also the one most prone to being attacked by terrorist organizations. These organizations today have organized cyber crime teams equipped with latest in hardware and software.

All of the above reasons point to increased risks of information breaches in aviation. The damage from losing customer data and from privacy breaches not only has financial implications, but also costs productivity and business reputation.

The Federal Aviation Administration, part of the U.S. Department of Transportation which is responsible for regulating the aviation system by releasing standards and operating traffic control systems for both the civil and military aviation, recently faced a serious data theft incident on one of its servers. The agency that suffered the loss of nearly 45,000 data records is still in the process of notifying its employees, whose personal details have been electronically stolen. The wake-up call has already arrived.

The aviation industry would do well to consider advanced security systems like Information Rights Management and secure outsourcing technologies. IRM systems like Seclore FileSecure allow information owners to monitor and control WHO uses the information (within or outside), WHAT can each person do, WHEN and from WHERE. These data centric security controls can help in an increasingly perimeter-less world that the industry lives in. Also secure outsourcing technologies like Seclore InfoSource can help companies control data sent to outsourced service providers.

In the highly competitive environment of aviation, a data breach and the associated legal, monetary and reputational costs are the last thing a company needs.



Wednesday, April 11, 2012

Cloud data collaboration and security – an IRM perspective

The motor car was created to solve the problem of “growing pollution in cities due to manure from horse carriages”.

Fast forward a hundred years and now the motor car itself is one of the biggest sources of pollution. The example of the motor car as the “solution” to the pollution problem is just a manifestation of what happens in the digital world constantly i.e. solutions create problems.


There was no centralized view of enterprises, so ERP systems came along and centralized the data, which gave clarity. Over time the amount of data grew so large that ERP systems couldn’t provide a centralized view, and then came data mining tools to make sense of that data ... and the story continues ...

For collaboration technologies also there is a similar trend. There were no file sharing / storage services so email was the primary method of transmission. This caused problems with multiple people, large files and persistent storage so numerous options like Dropbox, Skydrive, box.net, SugarSync, sendthisfile.com, yousendit.com, ... came and effectively provided central storage and collaboration capabilities. This “solution” however created the problem of governance, risk and compliance to security and compliance policies.

Confidential Information
If documents shared using these services contain sensitive corporate data, some of us would actually worry about this information being breached and landing in the wrong hands (which may belong to the service provider itself!!). For most individuals the thought of information security may not even come up. These practices give corporate Information Security Officers the chills. They need to worry about how much of their enterprise data is being shared on these public internet sites. Their concerns range from: Who has access to it? Who has shared it? Is it necessary to share this data? For how long should it be shared? How much of it contains confidential information? How do they ensure that confidential information does not get leaked out?

Is this a problem introduced by the websites offering these services? - Probably not. These websites can be in business only because they have several layers of security built in to their file sharing mechanism. However, the service provider can only secure the data while it is in transit and while it is in storage, nothing more. The information could be leaked out due to end user errors – like someone accidentally makes a confidential document ‘public’ or mistakenly shares it with the wrong person. Sometimes the recipient may forward the document to someone else, who should never be given access to it.

So how can the Information Security Officer ensure that critical corporate data is not accessible to the wrong person even if it is shared on a public file storage service?
Should all these sites be blocked? If all such sites are blocked (even if we assume that it is somehow possible) it may hamper employee productivity and work efficiency.

Blocking effectively creates the same problem we started with – someone wants to send a really large file and he/she cannot use the corporate email service to send it out. The only option left is to put it on an external storage medium like a CD, DVD or USB drive etc. and physically mail it to the recipient. This may not work in all cases, especially if there is a 24 hour delivery deadline to be met and an external agency or overseas colleague needs to work with the data. Some corporates set up their own file-sharing FTP sites, but not everyone has access to them. Even on a corporate FTP site, the problem still persists – the user may accidentally share data with the wrong person and he/she does not have control of the data once it is shared.

A better solution: Information Rights Management to the rescue ...

So what else can Security Officers do to ensure that confidential data is not leaked out – either intentionally or unintentionally?
Is there a way to protect the information in the file itself and not worry about the medium?
  1. Can the file be secured even if it is in a public folder or on an internet site?

  2. Can the file owner decide ‘Who’ has access to the data in the file?

  3. Can the file owner decide ‘What’ operations can be done on the file – like view, edit, print…etc?

  4. Can the file owner decide ‘When’ the recipient’s access to a file is revoked?

What could possibly give anyone so much control of their data even when it resides on a public website or on the ‘cloud’?
The answers to these questions point to the technology called – IRM or Information Rights Management.

With IRM, the user can ensure that –
  • Only an authorized set of users will have access to the data.

  • Each user is given specific usage controls to view or edit or print the data.

  • The access to the data can be given or taken away at any time even after having shared the data.

  • All the copies and versions of the same file are protected with the same security controls.

  • No one other than the file owner can change these security controls.

  • The data can be tracked and the file owner will know exactly who is accessing it and what operations were performed on the file.
If the shared data needs to be destroyed, it can be inactivated and all the versions and copies in circulation will become inaccessible.

IRM obviously solves the problem of securing data when using these cloud based collaboration technologies .. the BIG question now is .. “What problems will this solution create ??”

Monday, March 26, 2012

Incorporating security within the enterprise: the non-technical angle!

One of the biggest challenges that we see our customers experience is how to incorporate information security as a culture and not only as a technology. For this the Human Resources and the Information Security teams have to come together.


Criticality of privacy and security increases with every passing day. Security best practices must be woven into the organization’s consciousness and culture at every level. As the custodian of this sphere, HR is in the best position to establish a security culture.


Here are a few things that appear to have worked in this context :

One way to seek attention and support from everyone in the organization is to make security a "fun" topic. A lot of times security is seen as a drain on productivity and is therefore considered 'scary'. If the 'scary' aspect is taken away and people are shown “funnier” aspects then it helps in 'humanizing' the awareness process.

Rewards and recognition for the “Best Security Practitioner” is another initiative that has worked. An organisation can set up a special e-mail or hotline where the employees can report a suspicious activity, phishing emails or links and claim suitable reward or recognition.

Explanations of security policies and procedures also play an important part in justifying the process. Chances are that if you tell everyone NOT to touch the red button, someone is finally going to come and touch it. But perhaps if you explain what exactly will happen if someone touches the red button, then people will keep away from it.

Finally, it comes back to the age old saying “Charity begins at home”. If the HR / Info Sec team itself demonstrates adherence to the security procedures then others will follow suit. If the general directive is that confidential information should not be sent via unencrypted emails and then the payroll system starts sending payslips in plain text every month then chances are that all security initiatives may be handled with a pinch of salt.

These are just a few notes from our experience .. Any thoughts ??

Wednesday, February 15, 2012

IRM controls on data shared with HR outsourcing vendors are, in our opinion, critical!



Outsourcing of HR processes has become fairly mainstream now, with even some small companies opting for this service. Specialized skills, best-in-class HR programs, better compliance with legislative norms and of course lower costs are the prime reasons for this shift. The most commonly outsourced processes are pre-employment background checks, payroll processing, time & attendance, accounts payable, compensation & benefits, taxation, garnishment and exits. Outsourcing these tedious activities, which involve a lot of paperwork and compliance issues, saves time and money and allows businesses to focus on other core issues.

The sparkling rewards of outsourcing, however, are accompanied by certain risks which, if not mitigated, can negate the value of the outsourcing. The risks are primarily around competency gaps, hidden costs, employee customer service and losing control over critical and sensitive data. A lot of companies are sceptical of entrusting their critical data to HR outsourcing vendors. Control of data like employee information, payroll operations, compensation details, and corporate plans and statements is critical for businesses today. Yet it is exactly this data that needs to be shared with the HR outsourcing service provider for the provider to perform its duties. Information Rights Management (IRM) can help to a large extent here.

IRM systems equip enterprises with a mechanism to establish “ownership” of the data. The owner of the information can control access, editing, printing, copying, distribution and sharing rights with respect to the data. In addition, the enterprise is assured that its data can only be used by the rightful recipients and that it can remotely remove the rights at any time for any external or internal user of that information.

IRM technologies allow for several levels of security at the volition of the owner. Key elements of an effective IRM solution include:

  • Industry standard encryption of the information.

  • Disallowing the copying of data from the secure document to an insecure environment.

  • Preventing screenshots and printing.

  • Easy mapping of business classifications to information.

  • Offline use, allowing users to create or access IRM-sealed documents without needing network access for certain periods of time.

  • Full auditing of both access to documents and changes to the rights/policy by business users.


The IRM system also maintains a comprehensive record of all the activities performed by different users on the document. A complete history of Who (users) has done What (view, edit, print, copy-paste, print-screen, etc.) with the information, When (time) and from Where (location and computer) is tracked and logged. This helps organizations comply with regulatory norms like ISO 27001, PCI, HIPAA, etc.

Friday, January 27, 2012

Security Framework for the “New New World” of Smartphones





Most technology experts predicted that the last year and 2012/2013 are going to be years of the handheld devices. As more information gets accessed by these handhelds and stored on the cloud, information security will have to adapt some practices and create new ones. This post looks at options for creating a security framework for the “new new world”.




Smartphones are goldmines of personal and professional information and are constantly targeted by hackers, spyware and malware to get at sensitive information. The challenge of providing security for handheld devices is that, very often, the device and the data are owned by different entities, i.e. the device by the individual and the data by the enterprise. This is in stark contrast to traditional desktop / laptop based computing environments where devices, applications and data are owned by the same entity and therefore security systems can be completely driven by the enterprise's preferences. Coupled with this is the challenge of much more frequent device loss / theft.


“People represent the weakest link in the security chain and we are chronically responsible for the failure of security systems.” - Schneier (2004)

The characteristics of a security solution for handhelds therefore become:

1. Should provide for enterprise control of data
2. Should provide for individual control of device
3. Should prevent breaches in case of theft / loss of device
4. Should be phone / OS agnostic since enterprises will not be able to control the individual device preferences of users.
5. Should take into consideration the handheld's form factor and computing resources.

IRM presents a unique solution to solving the handheld security challenge. Enterprises can control data which is resident on end user devices (reminds me of BYOD !!) and still allow authorized individuals to use it whenever / wherever. The challenge of device / OS independence is however not small.

At Seclore, we have always given high priority to handheld device security. The priority however is not for security as a stand alone goal but to provide security without hampering on the individual's productivity. The Web Connect platform already provides a device / OS independent method of accessing confidential information. The framework provides app developers an easy integration with FileSecure so that apps related to securing information and accessing secure information could be provided easily to the customers. Situations like device theft, employee status change and device vulnerabilities are easily dealt with the IRM systems.

In conclusion, handhelds present both a great opportunity and a great threat for provisioning information, and the right combination of collaboration and security technologies has to be used to achieve the sometimes mutually conflicting goals of security and collaboration. IRM technology has the potential to help enterprises achieve these goals together.

Wednesday, January 18, 2012

Offbeat Information Security Predictions for 2012 - Part 2 of 2

In this season of new year resolutions and predictions we, at Seclore, have come up with our own "top 10". This is the last part.

Governments & Enterprises are increasingly targeted by overlapping surges of cyber attacks from within, from criminals and nation-states seeking economic or military advantage. This article lists the top 5 security risks in front of such organizations for 2012 and recommends ways to deal with them :

1. Insider Threats : Threats of information breaches from "trusted" people and groups like employees, vendors and customers are already the largest threat and are going to grow in importance. This one is right at the top because its probability directly increases with the number of people in the trusted network and also because of the high amount of damage it can do. Besides obvious controls like access management and privileged user activity monitoring, organizations need to be able to control the flow and usage of information within and outside the enterprise. Enterprises should evaluate identity management, DLP and IRM technologies to mitigate this risk. "I don't need enemies ... I got enough friends to deal with"

2. Cloud Adoption : Enterprises are adopting the cloud, in most cases without realizing it themselves ! Extremely easy to use systems like Dropbox and Skype are essentially cloud based services which users adopt without informing any central security decision maker. In most cases the cloud adoption requires nothing more than a URL and only in a few cases does it require the person to actually seek IT help. What users do not realize is that cloud adoption, irrespective of the form (SaaS, PaaS, IaaS ...), needs to be carefully evaluated at the enterprise level and not adopted by the individual without understanding the risks. Enterprises can start with a policy for using cloud based services and then translate that into controls over access which can be gradually relaxed as the specific cloud service is deemed safe. Enterprises should evaluate content filtering and IRM technologies to mitigate this risk. "Things are looking very cloudy for enterprise security"

3. Un-Managed Devices : Till a few years ago the rules of internal network and application access were very simple, i.e. only devices owned and managed by the enterprise's IT team were allowed to access the IT resources. This has changed rapidly: personal devices like smartphones, tablets and even personal computers are accessing corporate emails, knowledge portals and applications. Enterprises are evaluating and sometimes deploying a Bring-Your-Own-Device (BYOD) strategy ! Traditional tenets of endpoint security systems, i.e. keeping devices from becoming rogue, are therefore falling. The rules for un-managed devices should be defined very stringently. Data which is allowed to go to the device should be protected. Enterprises should evaluate virtualization technologies to mitigate this risk by reducing the amount of data going to the un-managed device. "Who is the stranger in the house??"

4. Mobility : Mobility presents the greatest opportunity and also one of the greatest threats for enterprises today. Mobile devices and operating systems are coming closer to the capabilities of the desktop ones but still lag behind in terms of security. Adoption rates are growing faster than the security teams of enterprises can grapple with. Enterprises are best advised to start with policy formulation and then extend to technology controls on mobile devices for enterprise applications. Data going to the mobile device should be protected. A private mobile app store is an option to control the flow of apps to the mobile enterprise workforce but is not feasible for small enterprises. Enterprises should evaluate the multitude of mobile security systems available today. "The network follows me and so do the threats"

5. Social Media : Use of social media platforms by the workforce is growing rapidly. In this use, distinguishing between personal information and corporate information is becoming difficult. This leads to personnel and enterprises coming under attack from social engineers and espionage. Starting with guidelines, enterprises need to increase awareness of appropriate use of social media and may evaluate Data Loss Prevention (DLP) technologies to do content based filtering on social media access. "Man is a social animal and it's a jungle out there"



Friday, January 13, 2012

Offbeat Information Security Predictions for 2012 - Part 1 of 2

In this season of new year resolutions and predictions we, at Seclore, have come up with our own "top 10". This is the first of the 2 part series.

Governments & Enterprises are increasingly targeted by overlapping surges of cyber attacks from within, from criminals and nation-states seeking economic or military advantage. This article lists the top 10 security risks in front of such organizations for 2012 and recommends ways to deal with them :

10. Information Security Skills Mismatch : The fundamental structure on which every information security initiative stands is the skill of the security worker. Every control can be compromised if this skill is not kept up to date. Enterprises need a combination of specialist information security personnel and IT personnel to make any security initiative a success. Enterprises should assemble a cross-functional team responsible for information security and invest in constant skill upgrades to mitigate this risk. "Ignorance is bliss" does not work here !!

9. Disclosure Norms for Data Breaches : The regulatory and legal framework for cyber crime and disclosure of data breaches in most countries is lagging behind the on-the-ground scenario. For enterprises this means that cyber crimes, data breaches and their causes do not become known. This means that the same incident could repeat itself many times before an enterprise comes to know about it. Enterprises should collaborate in closed forums and set up industry interaction sessions to exchange incident information as well as knowledge. "Sharing is caring."

8. State Sponsorship of Cyber Threats : National sponsorship of cyber attacks is no longer targeted only towards other nations. It now extends to private organizations holding any kind of valuable digital asset like citizen data or car designs. Advanced Persistent Threat (APT) attacks will combine every technique, old and new, to gain control of information and infrastructure. Enterprises can mitigate this threat by deploying a multilayer security strategy against such attacks. Enterprises should evaluate Intrusion Detection & SIEM systems to mitigate this risk. "Just because the prime minister does it ... does not make it right"

7. Security Systems : Security systems themselves pose a significant risk to the security of enterprises. The year 2011 has seen some very public disclosures by security companies announcing security breaches of their own. Rogue anti-virus companies are mushrooming all over. Before adopting any security system, enterprises need to put the system itself through a security test. "Who will monitor the monitors ?"

6. Identity and Access Control : Security begins with identity, and errors in managing identity and authorization are reflected in every other system and process. Lack of the right technology and the right process presents a significant risk for enterprises today with a large, distributed, mobile workforce and high manpower churn. Enterprises should evaluate identity management, single sign-on and authorization management systems to mitigate this risk. "Who am I is an important question to ask for me and you !"

Wednesday, January 4, 2012

The Case For Content Aware IRM.

An IRM system which can transfer the responsibility of protection from human beings to a content aware automated process will be extremely valuable in case of large organizations.


The need to integrate DLP and IRM is critical

Much has been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet, every week we hear about a new data breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that data changes all the time. Users are focused on doing their job and not on data security. Aggravating the problem is that hackers, malware, spyware and viruses are focused on extracting such data from the perimeter.
What is a CSO to do?

Content awareness and the 4 W's

A good solution is to provide a Content-Aware Information Rights Management System. Automatic content visibility transfers the obligation of data security from users to a process. Imagine a system that automatically identifies files containing credit cards, source code, images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM policies are automatically enforced on such files as soon as they are saved on desktops or file shares. Such policies are the 4 W’s that are so crucial to protecting data.

The 4 W’s – Who – What – Where and When

Access controls and usage control are two aspects of Data Security that are often ignored. Mapping the content discovery to the IRM policies (see example picture below) provides automatic control of the 4 W’s:

WHO can access the information: The IRM system's identity establishment method, LDAP or non-LDAP databases as defined in custom applications and portals.

WHAT can recipients do with the information: Control specific allowed actions on files: View, Edit, Print (Print Screen), Forward/Share, Copy/Paste.

WHEN can each user access the information: IRM can control the time-span in which the recipient has access to the file. A document may have allowed access from August, 20, 4 pm to August 23rd, midnight. Alternatively time span may be defined as 2 days from first access.

WHERE the information can be used: This important control restricts usage of the information to a pre-specified list of computers identified by hardware (MAC address), or to a specific range of IP addresses or networks. CSOs can now control data even if such data is outside the perimeter. This is a very good way to provide data protection for smart mobile devices. One can prevent such devices from ever seeing the data. Users who have such credentials may view the files with the local browser.

The discovery agent must be monitoring the system constantly so that any time a file is saved, it is scanned for a pattern or fingerprint and then the mapped IRM policy is enforced.





Detecting the data correctly

It is worth mentioning here that there are two types of data: structured and unstructured. In my many meetings with CSOs I found that this is somewhat confusing. Here I refer to the need to protect files which hold either intellectual property or data in the file that also resides in a database. Intellectual digital property is any file that is deemed sensitive or confidential. Database data is often multiple fields residing in an email or a file, and typically comes from the Human Resources database, the CRM or any other application utilizing a database. Such data may be the last name and the salary of an employee.

Discovery systems use multiple detection engines to detect data inside files. The detection techniques can be divided into precise algorithms and imprecise algorithms. Precise algorithms are those that use fingerprints or registered data for exact data matching. Among them are cyclical hashes, rolling hashes, watermarking/tagging and Recursive Transitional Gaps (GTB proprietary). Of course, not all fingerprinting engines are the same. One has to avoid false positives and false negatives at all cost.

Imprecise algorithms are those that use data patterns, Bayesian analysis and statistical analysis. Such engines prove to be highly inaccurate and present an unacceptable rate of false positives. It is highly recommended to test these techniques and to determine the acceptable level of false positives and of false negatives. Of course, much attention must be paid to the array of file types supported by such engines. Naturally, a bank may be interested in support for Microsoft Office, while an engineering company may be more interested in support for DXF files or binary fingerprinting.

Organizations would be well advised to use the appropriate detection technique based on the data they want to protect.
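As an added illustration of the discovery-agent idea described earlier (scan on save, look for a pattern or a fingerprint, then apply the mapped IRM policy) and of the precise-versus-imprecise distinction in this section, here is a small Python sketch. It is not GTB's or Seclore's code: the rolling hash is a generic Rabin-Karp style polynomial hash standing in for the proprietary engines named above, the card detector is a plain 16-digit pattern followed by a Luhn checksum to weed out look-alike digit runs, and the sample files, the registered HR snippet and the policy names are all constructed for the example.

```python
import re
from typing import Dict, Iterator, List, Optional, Set

# Constructed sample files (hypothetical content, not real records).
SAMPLE_FILES: Dict[str, str] = {
    "hr_export.txt": "Employee: Jane Doe\nLast Name: Doe\nSalary: 84000\nDept: Engineering\n",
    "payment_form.txt": "Card on file: 4111 1111 1111 1111, exp 09/27\n",
    "serial_numbers.txt": "Part serial 1234 5678 9012 3456 shipped from dock 4\n",
    "meeting_notes.txt": "Agenda: roadmap review, lunch at noon\n",
}
# "Registered data": a row exported from the HR database that must never travel unprotected.
REGISTERED_SNIPPETS = ["Last Name: Doe\nSalary: 84000"]
# Classification -> IRM policy to enforce (hypothetical policy names).
POLICY_MAP = {"registered-hr-data": "HR-Confidential", "payment-card": "PCI-Restricted"}

WINDOW = 8                # bytes per rolling-hash window (small so short snippets fingerprint)
MIN_MATCHING_WINDOWS = 8  # windows that must match before we call it registered data
BASE, MOD = 257, (1 << 61) - 1


def rolling_hashes(data: bytes, window: int = WINDOW) -> Iterator[int]:
    """Rabin-Karp style polynomial rolling hash of every window-byte slice of data."""
    if len(data) < window:
        return
    high = pow(BASE, window - 1, MOD)
    h = 0
    for b in data[:window]:
        h = (h * BASE + b) % MOD
    yield h
    for i in range(window, len(data)):
        # Drop the byte leaving the window, shift, add the byte entering it.
        h = ((h - data[i - window] * high) * BASE + data[i]) % MOD
        yield h


def build_registry(snippets: List[str]) -> Set[int]:
    """Fingerprint the registered data as the set of all window hashes it contains."""
    registry: Set[int] = set()
    for s in snippets:
        registry.update(rolling_hashes(s.encode()))
    return registry


def count_registered_windows(text: str, registry: Set[int]) -> int:
    """Precise detection: how many windows of text hash to a registered window."""
    return sum(1 for h in rolling_hashes(text.encode()) if h in registry)


CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def detect_cards(text: str, require_luhn: bool = True) -> List[str]:
    """Imprecise detection: a 16-digit pattern, optionally filtered by the Luhn check."""
    hits = [re.sub(r"[ -]", "", m.group(0)) for m in CARD_RE.finditer(text)]
    return [h for h in hits if luhn_ok(h)] if require_luhn else hits


def classify(text: str, registry: Set[int]) -> List[str]:
    """Run both engines and return every classification that fires."""
    labels = []
    if count_registered_windows(text, registry) >= MIN_MATCHING_WINDOWS:
        labels.append("registered-hr-data")
    if detect_cards(text):
        labels.append("payment-card")
    return labels


def scan_and_map(files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """What the discovery agent does on save: classify, then pick the mapped IRM policy."""
    registry = build_registry(REGISTERED_SNIPPETS)
    result: Dict[str, Optional[str]] = {}
    for name, text in files.items():
        labels = classify(text, registry)
        # First label wins here; a real agent would choose the most restrictive policy.
        result[name] = POLICY_MAP[labels[0]] if labels else None
    return result


if __name__ == "__main__":
    for name, policy in scan_and_map(SAMPLE_FILES).items():
        print(f"{name:20s} -> {policy or 'no policy'}")
```

The serial-number file shows the false-positive problem the section warns about: the bare pattern matches its digit run, and only the Luhn check rejects it. The fingerprint side has the opposite tuning knob: MIN_MATCHING_WINDOWS decides how much registered text must reappear before a file is classified, so raising it trades false positives for false negatives on partial copies.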

Conclusions

The marriage of content-awareness and IRM provides organizations with comprehensive access control over sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content, and access to such data is controlled by either the file owner or a designated administrator. External constituents may also have access rights to such files, but only if they have been approved. This way organizations are able to secure files even after such files are circulating outside the perimeter.


Guest Blogger Mr. Uzi Yair is the CEO of GTB Technologies , the Next Generation DLP company. Mr. Uzi Yair has 20 years executive management experience with software companies ranging from $1.5 million to $22 million in annual revenue. Mr. Yair attained his MBA from Columbia Business School and his BS in Computer Science and Mathematics from Hofstra University.

Thursday, December 8, 2011

What happens outside stays outside.

Transactional Systems and Data Security

Almost all medium to large organizations depend on various transactional systems for their day to day operations like - ERP, CRM, planning and optimization, inventory management etc. Some organizations consolidate their corporate data across multiple systems into data-warehouses or reporting data stores which may be used for ongoing analysis and reporting.

Data access within the transactional system is usually well controlled via access rights logic to ensure that users access only the data that they are authorized to access. Very often users are allowed to extract or download reports from the systems for analysis or offline reporting purposes. The data extracted from the system is no longer governed by the access rights logic. However, data once available to the ‘authorized’ user is not limited to that user only. This user can share the data with ‘anybody’ without ‘any limitations’ once it is outside the system. Every report or data extract that is ‘outside’ the system, is a source of corporate data leakage.

A competitor could use this vulnerability to cause significant damage to the organization’s assets.

Access rights logic can be used to secure the application data which resides within the boundaries of the application, but it cannot help to secure the data outside the application.

How can data be controlled outside the system?

Information Rights Management technologies like Seclore FileSecure can be integrated with any transaction system to ‘protect’ the report or data extract before it is made available to the ‘authorized’ user.

The protection policies are applied automatically as part of the report execution or data extraction process. The policies governing the use of this information are managed centrally and can be changed at any time as per organization’s requirements.

The security policy for a report will govern:

WHO has access, i.e. the users or groups of users that are allowed access.
WHAT access is given, i.e. whether the user can print, edit, forward or copy from the report.
WHEN the access expires, i.e. access can be given for a few days, weeks or months, after which the data is unavailable.
WHERE the access is available, i.e. the user can only access it from within the office network (LAN or WAN) and not from outside.

Data audits and usage reports

Once data is protected with a Seclore FileSecure policy, every access to the report is logged and tracked in a central repository. This maintains an audit trail of information flow outside the application boundary. The audit log is comprehensive: every activity by every user is logged, and it is made available to the document owner.

Sample case 1: Consider an insurance company that has a sales reporting process to provide weekly sales figures of each of its intermediaries to the executive sales team.

MIS users sitting at each of the regional head offices, i.e. North, South, East and West, are responsible for extracting this data from the transactional system for their regions and sending it to the head office. The MIS team is required to modify or massage the data and aggregate it before sending it to the head office. This data is very sensitive and should not fall into the wrong hands. With a solution like Seclore FileSecure, the MIS team can ensure that access to this data is limited to the MIS team and the executive sales team at the head office. Further, every access to this data is tracked, and any misuse can be traced to the individual.
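To make the WHO / WHAT / WHEN / WHERE policy and the central audit log concrete for sample case 1, here is an added illustration (not Seclore's own code): a minimal policy check that evaluates all four dimensions for a report extract and records every attempt, allowed or denied. The group names, users, dates and the 192.0.2.0/24 "office" range are constructed assumptions.

```python
# Added example (not Seclore's own code): a minimal IRM-style policy check over
# the WHO / WHAT / WHEN / WHERE dimensions above, writing every attempt to a
# central audit log. Users, groups, addresses and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# WHO: constructed group membership (sample case 1's MIS and executive sales teams)
GROUPS = {"mis-team": {"asha", "ravi"}, "exec-sales": {"meera"}}

@dataclass
class Policy:
    groups: set        # WHO: groups allowed to open the report
    rights: dict       # WHAT: per-group actions, e.g. {"mis-team": {"view", "edit"}}
    expires: datetime  # WHEN: access ends at this time
    networks: list     # WHERE: office LAN/WAN ranges the report may be opened from

AUDIT_LOG = []  # central repository: one record per access attempt, allowed or not

def check_access(policy, user, action, when, client_ip, report="weekly-sales.xlsx"):
    """Return True if the request satisfies all four dimensions; always log it."""
    allowed_groups = {g for g, members in GROUPS.items() if user in members} & policy.groups
    granted = set().union(*(policy.rights.get(g, set()) for g in allowed_groups))
    if not allowed_groups:
        reason = "WHO: user is not in an authorized group"
    elif action not in granted:
        reason = f"WHAT: '{action}' not granted to this user"
    elif when >= policy.expires:
        reason = "WHEN: access has expired"
    elif not any(ip_address(client_ip) in ip_network(n) for n in policy.networks):
        reason = "WHERE: request came from outside the office network"
    else:
        reason = "allowed"
    AUDIT_LOG.append({"who": user, "what": action, "when": when.isoformat(),
                      "where": client_ip, "report": report, "result": reason})
    return reason == "allowed"

# Sample case 1 policy: MIS team may view and edit, executive sales may only view,
# for 14 days from issue, only from the office range (192.0.2.0/24 is a
# documentation range standing in for the office LAN/WAN).
ISSUED = datetime(2012, 5, 21, 9, 0)
SALES_POLICY = Policy(
    groups={"mis-team", "exec-sales"},
    rights={"mis-team": {"view", "edit"}, "exec-sales": {"view"}},
    expires=ISSUED + timedelta(days=14),
    networks=["192.0.2.0/24"],
)
```

A denied attempt (for instance, an executive trying to edit, or anyone opening the file from a home connection) is still written to AUDIT_LOG with the dimension that failed, which is what lets misuse be traced back to the individual.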

Monday, November 28, 2011

Information security audit recommendations … and what is the reality?

Have you ever wondered about the source of information for WikiLeaks? Was it an employee with malicious intent, a lost mobile phone or a discarded hard disk? Most companies which feature on WikiLeaks have probably got some kind of audit done on the source of the leak and then put together a control measure. Here we take a look at some of the most common information security audit “observations” and what the reality is, as far as the counter-measure goes.

Scenario: Theft of data from network resources
Business observation: Network transmission was not encrypted, and it should be encrypted.
Reality check: Security offered by the network layer begins and ends with the transmission.

Scenario: Misuse of a file by authorized personnel or by an unknown person
Business observation: Files and folders are not protected, and therefore all confidential files must be password protected.
Reality check: The security of a password protected file is easily lost once the user opens it. Do you remember the password of all files that were shared with you over the last 6 months? Did you keep a common password for all your files even though you are sending the files to different people?

Scenario: Process documents or credit card statement data were reprinted by employees or an external print service provider
Business observation: There is no control over printing, and therefore printers should be in a secluded location which has physical access control. Data sent to an external vendor should be encrypted, and the vendor must be contractually obligated to delete the data after the first print.
Reality check: Physical control over printers in the office does not really control printing and the associated data loss. What if a vendor relationship ends on a hostile note? When does the vendor inform you about a lost laptop, a lost USB drive or an exception taken to a NO-USB policy? Can you block an individual employee or vendor from misusing the data for sure?

Scenario: An employee who should not have access to a folder on the file server had access and misused the information.
Business observation: Access permissions on the file server folders are not configured properly. There should be a formal approval workflow before access is granted to any folder on the file server. Access should be removed as soon as it is not required.
Reality check: Employees can share information with their colleagues via email. Permission removal never really happens.

Scenario: An ex-employee as well as trusted consultants misused information and systems after the relationship or project ended.
Business observation: All employees and consultants should sign a strict non-disclosure agreement (NDA). The employee ID should be disabled as soon as he / she has left the organization.
Reality check: Disabling the ID does not necessarily mean disabling access to all information. Copies of information can easily be made before a resignation is tendered. Detection of an NDA breach and enforcement of corrective measures are extremely difficult and long drawn out processes, and the person responsible for the breach knows this!

So now what do we do?

The biggest challenge with audit recommendations and the corrective controls is that each recommendation focuses on a particular “risk”. The specific scenario may not get repeated once the control is implemented, but it creates a new “scenario” which will come up in the next audit.

The final objective of most information security audits is not an audit of information systems but an audit of the information itself! Once this fact is accepted, a comprehensive “control” over the information is the obvious next step.

To perform an information audit, a persistent, information-locked method of monitoring (and controlling) information is the first step. Information Rights Management (IRM) systems offer such a capability. IRM systems like Seclore FileSecure allow the company and the security auditor to discover:

  • WHO has used / misused the information
  • WHAT the person has done with the information (viewed, edited, printed, etc.)
  • WHEN the person used the information (date & time)
  • WHERE the user accessed the file from (computers, networks, …)
This capability, combined with the fact that such an audit report even captures the use of information by external agencies like vendors and customers, provides a very powerful method of performing a true information audit.
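As an added illustration of the WHO / WHAT / WHEN / WHERE information audit (not Seclore's own code or report format), the following builds that per-file view from an IRM access log and singles out the two things an auditor asks about first: use by external organisations and denied attempts. The log lines, column layout, user and organisation names are constructed for the example.

```python
# Added example (not Seclore's code): building the WHO / WHAT / WHEN / WHERE
# information audit from IRM access logs. The log lines below are constructed.
from collections import defaultdict
import csv, io

# Constructed log: one line per use of a protected file.
# Columns: timestamp, user, organisation, action, result, file, host, network
LOG = """\
2011-11-21T09:12:00,asha,company,view,allowed,tender-q4.docx,LT-017,office-lan
2011-11-21T09:15:30,asha,company,edit,allowed,tender-q4.docx,LT-017,office-lan
2011-11-22T18:40:05,vendor1,printco,print,allowed,tender-q4.docx,PC-VEND,internet
2011-11-23T22:05:11,vendor1,printco,print,denied,tender-q4.docx,PC-VEND,internet
2011-11-24T08:00:00,ravi,company,forward,denied,tender-q4.docx,LT-022,office-wan
2011-11-24T08:01:10,meera,company,view,allowed,board-pack.pdf,LT-003,office-lan
"""

FIELDS = ["when", "who", "org", "what", "result", "file", "host", "network"]

def parse_log(text):
    """Parse the CSV log into one dict per access record."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))

def information_audit(records):
    """Per file: who used it, what they did, when (first/last) and from where.
    Use by external organisations and denied attempts are listed as review items."""
    report = defaultdict(lambda: {"who": set(), "what": set(), "where": set(),
                                  "first": None, "last": None,
                                  "external": set(), "denied": []})
    for r in sorted(records, key=lambda r: r["when"]):  # ISO timestamps sort as text
        f = report[r["file"]]
        f["who"].add(r["who"])
        f["what"].add(r["what"])
        f["where"].add((r["host"], r["network"]))
        f["first"] = f["first"] or r["when"]
        f["last"] = r["when"]
        if r["org"] != "company":          # vendors, customers and other outsiders
            f["external"].add(f'{r["who"]}@{r["org"]}')
        if r["result"] == "denied":        # policy stopped the action; still logged
            f["denied"].append((r["when"], r["who"], r["what"]))
    return dict(report)
```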
Ref links: RBI IRDAINDIA
