IRM controls on data shared with HR Outsourcing vendors is, in our opinion critical !

Outsourcing of HR processes has become fairly mainstream now with even some small companies opting for this service.Specialized skills, best-in-class HR programs, better compliance to legislative norms and of course lower costs are prime reasons for this shift. The most common processes that  are outsourced are  pre-employment background checks, payroll processing, time & attendance, accounts payable, compensation & benefits, taxation, garnishment and exits. Outsourcing of these tedious activities, that involve lot of paperwork and compliance issues, saves time and money and allows businesses to focus on other core issues.

The sparkling rewards of outsourcing, however, are accompanied with certain risks which, if not mitigated, can negate the value of the outsourcing. The risks are primarily around  competency gaps, hidden costs, employee customer service and losing control over the critical and sensitive data. A lot of companies are sceptical of entrusting their critical data at the hands of the HR Outsourcing vendors.Control of data like employee information, payroll operations, compensation details, and corporate plans and statements is critical for businesses today. It is this data that needs to be shared with the HR outsourcing service provider for the provider to perform his duties. Information Rights Management(IRM) can help to a large extent here.

IRM systems equip enterprises with a mechanism to establish “ownership” of the data. The owner of the information can control access, editing, printing, copying, distribution, sharing rights with respect to data  In addition, the enterprise is assured that its data can only be used by the rightful recipients and and that it can remotely remove the rights any time for any external or internal user of that Information.

IRM technologies allow for several levels of security at the volition of the owner. Functionality such as: Industry standard encryption of the information, disallowing the copying of data from the secure document to an insecure environment, preventing screen shots and printing, easy mapping of business classifications to information, Offline use allowing for users to create/access IRM sealed documents without needing network access for certain periods of time and full auditing of both access to documents as well as changes to the rights/policy by business users are key elements of an effective IRM solution.

The IRM system also maintains a comprehensive record of all the activities performed by different users on the document. A complete history of Who (users) has done what (view, edit, print, copy-paste, print-screen, etc) with the information, When (time) and from Where (location and computer) is completely tracked and logged. This helps organizations comply with regulatory norms like ISO 2700-1, PCI, HIPPA, etc.

Security Framework for the “New New World” of Smartphones

Most technology experts predicted that the last year and 2012/2013 are going to be years of the handheld devices. As more information gets accessed by these handhelds and stored on the cloud, information security will have to adapt some practices and create new ones. This post looks at options for creating a security framework for the “new new world”.

Smartphones are goldmines of personal and professional information and are constantly targeted by hackers, spywares and malwares to get sensitive information. The challenge of providing security for handheld devices is that, very often, the device and the data are owned by different entities i.e. the device by the individual and the data by the enterprise. This is in stark contrast to traditional desktop / laptop based computing environments where devices, applications and data are owned by the same entity and therefore security systems can be completely driven by enterprise's preferences. Coupled with this is the challenge of much more frequent device loss / theft.

“People represent the weakest link in the security chain and we are chronically responsible for the failure of security systems.” - Schneier (2004)

The characteristics of a security solution for handhelds therefore become :

1. Should provide for enterprise control of data
2. Should provide for individual control of device
3. Should prevent breaches in case of theft / loss of device
4.Should be phone / OS agnostic since enterprises will not be able to control the individual device preferences of users.
5.Should take into consideration the handheld's form factor and computing resources.

IRM presents a unique solution to solving the handheld security challenge. Enterprises can control data which is resident on end user devices (reminds me of BYOD !!) and still allow authorized individuals to use it whenever / wherever. The challenge of device / OS independence is however not small.

At Seclore, we have always given high priority to handheld device security. The priority however is not for security as a stand alone goal but to provide security without hampering on the individual's productivity. The Web Connect platform already provides a device / OS independent method of accessing confidential information. The framework provides app developers an easy integration with FileSecure so that apps related to securing information and accessing secure information could be provided easily to the customers. Situations like device theft, employee status change and device vulnerabilities are easily dealt with the IRM systems.

In conclusion, handhelds provide a great opportunity and a great threat to provisioning information and the right combination of collaboration and security technologies have to be used to achieve the sometimes mutually conflicting goals of security and collaboration. IRM technology has the potential to help enterprises achieve these goals together.

Offbeat Information Security Predictions for 2012 - Part 2 of 2

In this season of new year resolutions and predictions we, at Seclore, have come up with our own "top 10". This is the last part.

Governments & Enterprises are increasingly targeted by overlapping surges of cyber attacks from within, from criminals and nation-states seeking economic or military advantage. This article lists the top 5 security risks in front of such organizations for 2012 and recommends ways to deal with them :

1. Insider Threats : Threats of information breaches from "trusted" people and groups like employees, vendors, customers is already the largest threat and is going to grow in importance. This one is right at the top because its probability directly increases with the number of people in the trusted network and also because of the high amount of damage it can do. Besides obvious controls like access management and privileged user activity monitoring, organizations need to be able to control the flow and usage of information within and outside the enterprise. Enterprises should evaluate identity management, DLP and IRM technologies to mitigate this risk."I don't need enemies ... I got enough friends to deal with"

2. Cloud Adoption : Enterprises are adopting the cloud, in most cases without realizing it themselves ! Extremely easy to use systems like Drop box and Skype are essentially cloud based services which users adopt without informing any central security decision maker. In most cases the cloud adoption requires nothing more than a URL and only in few cases does it require the person to actually seek IT help. What users do not realize is that cloud adoption, irrespective of the form (SaaS, PaaS, IaaS... ) needs to be carefully evaluated at the enterprise level and not adopted by the individual without understanding the risks. Enterprises can start with a policy for using cloud based services and then translate that into controls over access which can be gradually relaxed as the specific cloud service is deemed safe. Enterprises should evaluate content filtering and IRM technologies to mitigate this risk."Things are looking very cloudy for enterprise security"

3. Un-Managed Devices : Till a few years ago the rules of internal network and application access were very simple i.e. only devices owned and managed by the enterprise's IT team were allowed to access the IT resources. This has changed rapidly where personal devices like smartphones, tablets and even personal computers are accessing corporate emails, knowledge portals and applications. Enterprises are evaluating and sometimes deploying a Bring-Your-Own-Device (BYOD) strategy ! Traditional tenets of endpoint security systems i.e controlling devices from becoming rogue are therefore falling. The rules for un-managed devices should be defined very stringently. Data which is allowed to go the device should be protected. Enterprises should evaluate virtualization technologies to mitigate this risk by reducing the amount of data going to the un-managed device."Who is the stranger in the house??"

4. Mobility : Mobility presents the greatest opportunity and also one of the greatest threats for enterprises today. Mobile devices and operating systems are coming closer to the capabilities of the desktop ones but still lag behind in terms of security. Adoption rates are growing faster than what security teams of enterprises can grapple with. Enterprises are best advised to start with policy formulation and then extend to technology controls on mobile devices for enterprise applications. Data going to the mobile device should be protected. Private mobile app store is an option to control the flow of apps to the mobile enterprise workforce but is not feasible for small enterprises. Enterprises should evaluate the multitude of mobile security systems available today."The network follows me and so do the threats"

5. Social Media : Use of social media platforms by the workforce is growing rapidly. In this use, distinguishing between personal information and corporate information is becoming difficult. This leads to personnel and enterprises coming under the attack of social engineers and espionage. Starting with guidelines, enterprises need to increase awareness on appropriate use of social media and may evaluate Data Loss Prevention (DLP) technologies to do content based filtering on social media access."Man is a social animal and its a jungle out there"

Offbeat Information Security Predictions for 2012 - Part 1 of 2

In this season of new year resolutions and predictions we, at Seclore, have come up with our own "top 10". This is the first of the 2 part series.

Governments & Enterprises are increasingly targeted by overlapping surges of cyber attacks from within, from criminals and nation-states seeking economic or military advantage. This article lists the top 10 security risks in front of such organizations for 2012 and recommends ways to deal with them :

10. Information Security Skills Mismatch : The fundamental structure on which every information security initiative stands is the skill of the security worker. Every control can be compromised if this skill is not updated. Enterprises need a combination of specialist information security personnel and IT personnel to make and security initiative a success. Enterprises should collect a cross-functional-team responsible for information security and invest in constant skill upgrade to mitigate this risk."Ignorance is bliss" does not work here !!

9. Disclosure Norms for Data Breaches : The regulatory and legal framework for cyber crime and disclosure of data breaches in most countries is lagging behind the on-the-ground scenario. For enterprises this means that cyber crimes, data breaches and their causes do not get known. This means that the same incident could repeat itself many times before an enterprise comes to know about it. Enterprises should collaborate in closed forums and setup industry interaction sessions to exchange incident information as well as knowledge. "Sharing is caring."

8. State Sponsorship of Cyber Threats : National sponsorship of cyber attacks is no longer targeted only towards other nations. It now extends to private organizations holding any kind of valuable digital asset like citizen data or car designs. Advanced Persistent Threats (APT) attacks will combine every technique old and new to gain control of information and infrastructure. Enterprises can mitigate this threat by deploying a multilayer security strategy against such attacks. Enterprises should evaluate Intrusion Detection & SIEM systems to mitigate this risk."Just because the prime minister does it ... does not make it right"

7. Security Systems : Security systems themselves pose a significant risk to the security of enterprises. The year 2011 has seen some very public disclosure by security companies announcing security breaches themselves. Rogue anti-virus companies are mushrooming all over. Before adoption of any security system, enterprises need to put the system itself through a security test."Who will monitor the monitors ?"

6. Identity and Access Control : Security begins with identity and errors in managing identity and authorization can reflect in every other system and process. Lack of the right technology and the right process presents a significant risk for enterprises today with a large, distributed, mobile workforce with a high manpower churn. Enterprises should evaluate identity management, single sign-on and authorization management systems to mitigate this risk."Who am I is an important question to ask for me and you !

The Case For Content Aware IRM.

An IRM system which can transfer the responsibility of protection from human beings to a content aware automated process will be extremely valuable in case of large organizations.

The need to integrate DLP and IRM is critical

Lots have been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet, every week we here about a new Data Breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that Data changes all the time. Users are focused on doing their job and not on data security. Aggravating the problem is that Hackers, Malware, Spyware and Viruses are focused on extracting such data from the perimeter.
What is a CSO to do?

Content awareness and the 4 W's

A good solution is to provide Content-Aware Information Rights Management System. Automatic Content visibility transfers the obligation of Data Security from users to a process. Imagine a system that automatically identifies files containing Credit Cards, Source Code, Images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM Policies are automatically enforced on such files as soon as they are saved on desktops or files-hares. Such policies are the 4 W’s that are so crucial to protecting Data.

The 4 W’s – Who – What – Where and When

Access controls and usage control are two aspects of Data Security that are often ignored. Mapping the content discovery to the IRM policies (see example picture below) provides automatic control of the 4 W’s:

WHO can access the information: The IRM system's identity establishment method, LDAP or non-LDAP databases as defined in custom applications and portals.

WHAT can recipients do with the information: Control specific allowed actions on files: View, Edit, Print (Print Screen), Forward/Share, Copy/Paste.

WHEN can each user access the information: IRM can control the time-span in which the recipient has access to the file. A document may have allowed access from August, 20, 4 pm to August 23rd, midnight. Alternatively time span may be defined as 2 days from first access.

WHERE the information can be used : This important Control restricts usage of the information to only a pre - specified list of computers identified by the hardware (mac address) or to a specific range of IP addresses or networks. CSO’s can now control Data even if such data is outside the perimeter. This is a very good way to provide data protection for Smart Mobile Devices. One can prevent such devices from ever seeing the data. Users, who have such credentials, may view the files with the local Browser.

The discovery agent must be monitoring the system constantly so that anytime a file is saved; it is scanned for a pattern or fingerprint and then the mapped IRM Policy is enforced.





Detecting the data correctly

It is worth mentioning here that there are two types of Data: Structured and unstructured Data. In my many meetings with CSOs I found that this is somewhat confusing. Here I refer to the need to protect files which hold either Intellectual Property or data in the file that also resides in the Database. Intellectual digital Property is any file that is deemed sensitive or confidential. Database Data is often multiple fields residing in an email or a file and is typically comes from the Human Resource Database, the CRM or any other application utilizing a Database. Such data may be the Last Name and the Salary of an employee.

Discovery systems use multiple detection engines to detect data inside files. The detection technique can be divided to Precise Algorithms and Imprecise Algorithms. Precise Algorithms are those that use fingerprints or registered data for exact data matching. Among them are Cyclical hashes, Rolling hashes, Watermarking/tagging, Recursive Transitional Gaps (GTB proprietary). Of course, not all fingerprinting engines are the same. One has to avoid false positives and false negatives at all cost.

Imprecise Algorithms are those that use Data Patterns, Bayesian analysis and Statistical analysis. Such engines prove to be highly inaccurate and present an unacceptable rate of false positive. It is highly recommended to test these techniques and to determine the acceptable level of false positives and of false positives. Of course, much attention must be paid to the array of file types supported by such engines. Naturally, a Bank may be interested in support for Microsoft Office, while Engineering Company may be more interested in support for DXF files or binary fingerprinting.

Organization will be well advised to use the appropriate detection technique based on the data they want to protect.

Conclusions

The marriage of Content-awareness and IRM provide organization comprehensive access control on sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content and access to such data is controlled by either the File Owner or designated Administrator. External constituents may also have access rights to such files but only if they have been approved. This way organizations are able to secure files even after such files are circulating outside the perimeter.

Guest Blogger Mr. Uzi Yair is the CEO of GTB Technologies , the Next Generation DLP company. Mr. Uzi Yair has 20 years executive management experience with software companies ranging from $1.5 million to $22 million in annual revenue. Mr. Yair attained his MBA from Columbia Business School and his BS in Computer Science and Mathematics from Hofstra University.

What happens outside stays outside.

Transactional Systems and Data Security

Almost all medium to large organizations depend on various transactional systems for their day to day operations like - ERP, CRM, planning and optimization, inventory management etc. Some organizations consolidate their corporate data across multiple systems into data-warehouses or reporting data stores which may be used for ongoing analysis and reporting.

Data access within the transactional system is usually well controlled via access rights logic to ensure that users access only the data that they are authorized to access. Very often users are allowed to extract or download reports from the systems for analysis or offline reporting purposes. The data extracted from the system is no longer governed by the access rights logic. However, data once available to the ‘authorized’ user is not limited to that user only. This user can share the data with ‘anybody’ without ‘any limitations’ once it is outside the system. Every report or data extract that is ‘outside’ the system, is a source of corporate data leakage.

A competitor could use this vulnerability to cause significant damage to the organization’s assets.

Access rights logic can be used to secure the application data which resides within the boundaries of the application, but it cannot help to secure the data outside the application.

How can data be controlled outside the system?

Information Rights Management technologies like Seclore FileSecure can be integrated with any transaction system to ‘protect’ the report or data extract before it is made available to the ‘authorized’ user.

The protection policies are applied automatically as part of the report execution or data extraction process. The policies governing the use of this information are managed centrally and can be changed at any time as per organization’s requirements.

The security policy for a report will govern:

WHO has access i.e. users or groups of users that are allowed access.
WHAT access is to be given i.e. can the user print, edit, forward or copy from the report.
WHEN the access expires i.e. user access can be given for a few days, few weeks or few months after which the data is unavailable.
WHERE the access is available i.e. user can only access it from within the office network (LAN or WAN) and not from outside.

Data audits and usage reports

Once data is protected with the Seclore FileSecure policy, every access to the report is logged and tracked in a central repository. This helps to maintain an audit trail and log of information flow outside the application boundary. This audit log is comprehensive, with every activity by every user being logged and it is made available to the document owner.

Sample case 1: Consider an insurance company that has a sales reporting process to provide weekly sales figures of each of its intermediaries to the executive sales team.

MIS users sitting at each of the regional head offices i.e. North, South, East and West are responsible to extract this data from the transactional system for their regions and send it to the head office. The MIS team is required to modify or massage the data and aggregate it before sending it to the head office. This data is very sensitive and should not fall into the wrong hands. With a solution like Seclore FileSecure, the MIS team can ensure that the access to this data is limited to the MIS team and the executive sales team at the head office. Further, every access to this data will be tracked and any misuse can be traced to the individual.

Information security audit recommendations … and what is the reality?

Have you ever wondered about the source of information for WikiLeaks ? Was it an employee with malicious intent, a lost mobile phone or a discarded hard disk? Most companies which feature on WikiLeaks have probably got some kind of audit done on the source of the leak and then put together a control measure. Here we take a look at some of the most common information security audit “observations” and what is the reality .. as far as the counter-measure goes.

Scenario	Business Observation	Reality Check
Theft of data from network resources	Network transmission was not encrypted and that it should be encrypted	Security offered by network layer begins and ends with the transmission.
Misuse of file by authorized personal or by unknown person	Files and folders are not protected and therefore all confidential files must be password protected.The security of a password protected file is easily lost once the user open the password protected file	Do you remember the password of all files that were shared with you over the last 6 months? Did you keep a common password for all your files even though you are sending the files to different people?
Process document or credit card statement data were reprinted by employees or external print service provider	There is no control over printing and therefore printers should be in a secluded location which has physical access control.Data sent to external vendor should be encrypted and the vendor must be contractually obligated to delete the data after the first print. Physical control over printers in the office does not really control printing and the associated data loss.	What if a vendor relationship ends on a hostile note ? When does the vendor inform you about a lost laptop, lost USB drive or an exception taken to a NO-USB policy. Can you for sure block individual employee/vendor from misusing the data ?
Employee who should not have access to a folder on the file server had access and misused the information.	Access permissions on the file server folders is not configured properly. There should be a formal approval workflow before access is granted to any folder of the file server. Access should be removed as soon as it is not required. Employees can share information with their colleagues via email.	Permission removal never really happens
Ex-employee as well as trusted consultants misused information and systems after the relationship or project ended.	All employees and consultants should sign a strict non disclosure agreement (NDA) . Employee ID should be disabled as soon as he / she has left the organization. Disabling ID does not necessarily mean disabling access to all information. Copies of information can easily be made before a resignation is tendered.	Detection of a NDA breach and enforcement of corrective measures are extremely difficult and long drawn out processes and the person responsible for the breach knows this ! So now what do we do ?

The biggest challenge with audit recommendations and the corrective controls is that each of the recommendations focus on a particular “risk”. The specific scenario may not get repeated with the control being implemented but it creates a new “scenario” which will come up in the next audit.

The final objective of most information security audits is not audit of information systems but audit of information itself ! Once this fact is accepted then a comprehensive “control” for information control is the obvious next step.

To perform an information audit a persistent, information-locked method of monitoring ( and controlling ) information is the first step. Information Rights Management (IRM) systems offer such a capability. IRM systems like Seclore FileSecure allow the company and the security auditor to discover

• WHO has used / misued the information
• WHAT has the person done with the information (viewed, edited, printed, etc..
• WHEN has the person used the information (date & time) & from
• WHERE did the user access the file ( computers, networks, …)

This capability, combined with the fact that such an audit report even captures the use of information by external agencies like vendors and customers, provides a very powerful method of performing a true information audit.
Ref links : RBI IRDAINDIA

"Important questions to ask before deploying IRM"

A quick intro to IRM

An IRM solution protects sensitive information from un-authorized access, and the good part is, the controls remain with the information in spite of where the information goes and how it goes.
IRM solutions are used to protect sensitive information such as financial data, intellectual property, business plans, client or personal information. In its present shape and IRM technologies focus on unstructured forms of data like documents, emails, web pages, designs and images.

Few questions to ponder
Any successful technology implementation needs to start with the end purpose in mind, rather than technology and the same is true for IRM solutions. In my experience, clients need to have answers for five key questions before starting an IRM implementation.

1.Do you have a Data Governance and Classification policy?
An IRM solution will help an organization implement their data classification and protection policy. Does your organization have a data classification and protection policy? If not, what are you going to use the IRM solution for?You need to define your organizations policy for data classification and protection. What is sensitive, what is confidential and what is public, needs to be clear. What is allowed and what is not allowed needs to be defined and documented.

2.Do you know what and where is critical data in your organization?
So your data protection policy is defined, great! You now know data is critical in your organization.But do you know who creates it, who uses it, where it is stored? Most organizations do not have visibility on how data flows within or outside the organization. A data flow analysis is needed to understand this in detail and more importantly to get buy-in from the business on what is critical and what is not.

3.How does the Authentication work?
Authentication is one of the primary prerequisites of any security system. When authentication fails, the entire security of the system is vulnerable to attacks leading to loss of information.The authentication strategy of any IRM system is absolutely critical. Whether single sign on with existing authentication infrastructure, a new authentication system within IRM itself or a combination, the authentication piece needs to be in place. For critical data a multi-factor authentication should also be considered.

4.What happens after implementation?
Most technology projects are focused on technology selection and implementation. But what happens after successful sign-off? Is the project complete? Are the end-objectives met?
In security, the critical phase starts after technology implementation. It is absolutely necessary to monitor effectiveness of the IRM solution. Are users using it or not? If not, why not? What are the true positives? Is it getting recorded, is it getting escalated? Is new information getting created? Are new partners getting added? A lot of questions, that can only be answered if a strong sustenance and optimization process is implemented. The key is to ensure the IRM life-cycle is managed well.

5.What about auditing and compliance?
Generating a detailed audit trail listing details like, who tried to access the information, time of access, what action taken by the user, what IP address. Audit trails are required to prove that security measures are effective and prevent information flow when the organization is meeting regulatory compliance such as, SOX, HIPAA, and Gramm-Leach-Bliley. These regulations require organizations to protect their information from unauthorized access.
Conclusion

As with all technologies, you cannot put the cart before the horse. End goals and process frameworks have to come before technology solutions.

IRM solutions are critical components in the security arsenal of an enterprise and builds on the defense-in-depth principle. It empowers the business and users to protect sensitive information not only within the boundaries of the organization, but also once it leaves the enterprise. Hence it is critical to ensure we take a holistic view to the entire IRM deployment, not just implementation but also through-out the life-cycle.

Guest Blog by John Prathab is a senior consultant in the Secure Development Lifecycle (SDL) practice at Aujas Networks. His works span multiple products and technologies to solve real-world information and application management problems. His special areas of interest are secure software development framework, information and application security, cloud security, Information Rights Management and convergence of logical and physical access.He holds M.Sc Software Engineering and MBA in Sales & Marketing.

Data Theft is rapidly growing in India

Does the following scenario sound familiar: You sign up for a new demat account or home loan or trading account, and within a week or so you receive a call from a related service asking whether you’d be interested in signing up with them as well? One recent example comes to my mind: a friend of mine just bought a new car and took a car loan for it. Within one week he received an SMS offering him car polishing and window tinting services!
We face these instances on an alarmingly regular basis. Those pesky calls and those irritating SMSes are simply dealt with as a part of life in a growing economy and we move ahead after uttering a few curses. But all of us need to pause and think about what is really happening behind the scenes? How is it that our private data so readily spreads around to all and sundry?

Contrast this to the recently released Notification expanding the IT Act to include Privacy Laws for protection of a citizen’s private data. This notification requires companies to secure my personal data and also keep the public informed of the practices and policies they adopt with regards to this data. It also requires the companies to obtain an explicit permission from me before sharing this data with someone else.
In spite of this, how is it possible for anyone to obtain highly specific private information for just a few paise per record. Sample this:

1. Car Owner’s Database
2. Active Intraday Trader’s Database with their Ledger Balance and Mark To Market
   
3. Demat Account Database including DP ID and Client ID

All of this represents what can only be called a data leakage epidemic in India!
However, before you rush to file RTI (Right to Information) applications and PILs (Public Interest Litigations) against your bank, share broker or home loan provider, you must realize that this information is most likely not being disclosed directly by your service provider. These service providers outsource their back office work to domestic BPOs and KPOs who are often common providers of these services to multiple institutions. The real problem then lies with the way that these service providers manage the security of this data. While your bank might be ISO 27001 certified and implement best practices in terms of information security, the vendor that it outsources it’s KYC (Know Your Customer) back-office work to may not even have a basic security policy in place!

One of the solutions that fits very well in such scenarios is for organizations outsourcing work to BPOs to use an Information Rights Management product. An IRM product protects files even when the leave the bank’s network and provides a comprehensive audit trail of the actions carried out by a service provider on that file. The organization sending this data – imagine an Excel file containing a few million customer records – can restrict the recipient from printing, copying, modifying, forwarding as an email attachment, and even taking screen-shots of this file. Any such attempt would be neatly logged and the vendor could then be questioned as to why he was attempting to leak the Bank’s data outside his own network.

This is not to say that an IRM is a magic bullet and solves all issues. But for sure it goes a very long way in protecting data even when the data has left the organization’s network boundaries.

Guest Blog by K. K. Mookhey (CISA, CISSP, CISM) is the Principal Consultant and Founder at Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients such as the The Indian Navy, The United Nations, Abu Dhabi & Dubai Stock Exchanges, State Bank of India, Saudi Telecom, Capgemini, BNP Paribas, the Mumbai Crime Branch and many others.

He is well-versed with international standards such as COBIT, ISO 27001, PCI DSS, BS 25999, and ITIL / ISO 20000.He is the author of two books (Linux Security And Controls by ISACA, and Metasploit Framework, by Syngress Publishing), and of numerous articles on information security. He has also presented at conferences such as OWASP, Blackhat, Interop, IT Underground and others.

Data Theft Booming in Health Care

Startling revelation in Health care and pharmaceutical sectors have come up because they have claimed a mysterious disappearance of their important documents facing an unaccounted loss of important documents such as product patents, product dossiers from their systems. Data security has always been one of the top priorities for any organization. Loss of important data posses a critical threat in almost all the business sectors across the world. Lately, health care and allied companies have been facing a similar menace and have been targeted as well.

This vertical has lost most of their electronic medical records and has been facing a problem of data being leaked to unknown source. Pharmaceutical products consisting of formulations of medicines and clinical research records are prone to leak into the hands of competitors and other undesired sources. Besides the report also placed Hospitals and health sector firms in the third position and claimed 15.6% of such organizations hit by the similar menace. Most of the data loss have occurred during their transfer from one system to other system or presumably hacked by third party users and in other cases displaced by the internal staff of organizations.

Loss of data from hospitals and health care facilities has resulted to disappearance of millions of Electronic Medical Records belonging to patients from US and other countries. This has indeed caused a panic among CEOs of health care companies worldwide as loss of medical records have contributed to rise in identity theft business. Black market has been profiting from records relating to health insurance plans, medical transcripts and other sensitive medical documents belonging to various people.

Might this sort of misuse of information bring deprivation and hidden handicaps to so many people and medical service providers? While conventional hospital information management systems may prove vulnerable against high tech thieves and may be unable to safeguard their important documents. Data breach and its theft can be either traced to the internal affairs within organization or an external breach by the third party individual or a group. Stolen medical records have been giving rise to identity theft market and cause health care organizations to lose their reputation in the eyes of their valued customers.

The prevalent problem at hand is that so many organizations are unable to afford a better security package to store and safeguard their data. In addition to this, the conventional security programs implemented by health care organizations may not be well equipped to face technologically advanced threats or many organizations are unable to afford for enhanced security measures due to restricted budget.
Information Rights Management (IRM) is one such solution that offers a unique security solution to such a menace. IRM solutions have dynamic security features with various tools and functionality and are easy to use.

IRM solution can provide with a complete package of database management like data tracking, cyber forensics and enhanced encryption such that it can travel within and beyond the network boundary of any organization without any risk of data theft or cyber piracy. It can provide complete details regarding the IP location of the user who is accessing the particular information document. Along with its unique security features, it is also economic and can easily be implemented in the regular budget of any organization.

These discrepancies emanating from the ill orders of the system in place need to be plugged and probable solution as suggested above should be taken into account. It is better to eliminate the scar before it gets matured for surgery.