It’s one of the thorniest challenges enterprises face today: how to balance operational demands for information availability with the need to protect that information from unauthorized exposure. Consider these recent developments:
- A two-year study involving Fortune 1000 information security professionals found that over 90% of data loss incidents are non-malicious. (TheInfoPro)
- More than 35 million data records were breached in 2008 in the United States, and the majority of the lost data was neither encrypted nor protected by a password. (Identity Theft Resource Center 2008 Study)
- In 2008, Symantec researchers documented 5,491 vulnerabilities. Of these, 80% were classified as “easily exploitable.” (Symantec Internet Security Threat Report XIV)
- According to a survey of employees who lost or left a job in 2008, 59% admitted to stealing confidential company information, such as customer contact lists. (Symantec/Ponemon Institute)
Factor in the effects of the current economic crisis, with hundreds of thousands of jobs being shed each month, and the prospect of maintaining a balance between information availability and information protection becomes more daunting than ever.
Small wonder, then, that Forrester Research says CIOs and CISOs around the world are being “handed a clear mandate by their bosses: Keep the data from walking out the door.” (“Top Data Security Predictions for 2009,” Forrester Research)
Read on to learn how an information exposure assessment provides you with a detailed analysis of how your information is exposed internally and externally, along with a clear plan for reducing and eliminating your areas of exposure.
Speaking generally, an information exposure assessment seeks answers to three fundamental questions:
- Where is my confidential data?
- How is it being used?
- How do I prevent data loss?
The questions sound simple. But think of all the places where your confidential information can turn up today: It gets loaded onto laptops, copied to USB devices, stored on PDAs and smartphones, posted on blogs, burned to CDs and DVDs, and relayed via IM and web-based email.
“The challenge for many companies is that they have little or no visibility into what confidential data is leaving the organization and how employees are using it on and off the corporate network,” says Samir Kapuria, Senior Director with the Symantec Enterprise Security Practice.
Kapuria makes the point that “you can’t answer those three questions about confidential data unless you have an understanding of your exposure to internal as well as external data breaches.”
That’s the idea behind the Symantec Information Exposure Assessment. By providing customers with a detailed analysis of their potential exposure to internal and external data breaches, Symantec presents a more complete picture of security risk.
The Symantec Information Exposure Assessment combines consulting advisory services and industry-leading data loss prevention technologies to assess actual data loss risk and security vulnerabilities across networks, web applications, storage, and endpoints. It consists of the following steps:
- Critical Information Classification. This step involves reviewing an organization’s key information classification levels and assigning specific data assets and asset categories to the appropriate levels within the information hierarchy. Traditional information classification models allow for public, private, confidential, and top-secret data categories to determine where information should be stored, how it should be protected, where it can be sent, and who should have access to it.
- Critical Systems Classification. In this step, systems are identified where sensitive information and data assets are stored, processed, managed, or viewed by internal and external resources.
- Data Discovery Assessment. In this step, a targeted data discovery scan locates and quantifies the amount of sensitive data residing on high-priority devices as defined in the Critical Systems Classification.
- Data Loss Assessment. The object of this step is to gain visibility into, and quantify, your organization’s risk of data loss based on the data protection policies as determined in the Critical Information Classification phase. This step identifies where sensitive information is being sent, who is sending it, and how often it’s happening.
- Network and Web Application Penetration Assessments. Using information gathered in the Data Discovery and Data Loss Assessments, a targeted vulnerability assessment is performed. This step identifies specific attack vectors that may be used by malicious users to gain access to your critical information and systems. It also provides insight into vulnerabilities that may expose critical information, the ease with which an attacker can exploit those vulnerabilities, the level of effort needed to remediate those issues, and the estimated business impact.
- Information Exposure Assessment Summary. The final step is the delivery of a summary report detailing the findings of internal and external information exposure risks. Quantitative data loss metrics are provided for the network, storage, and endpoints. The report also outlines high-priority information exposure concerns, and includes recommend key tasks and activities for a risk mitigation plan.
“A comprehensive assessment generally takes six to eight weeks,” Kapuria explains. “The end result is a clearly defined remediation plan that aims to eliminate areas of exposure across the organization. The results are designed to show where the exposures are and help take a risk-based, prioritized approach to creating a more secure infrastructure over time.”
A recent study from the TheInfoPro and Symantec found that DLP is the top security initiative and pain point for Fortune 1000 companies. For many of these organizations, preventing the loss of confidential data has become more difficult than ever.
Recently, Symantec was positioned as a leader in the 2009 Magic Quadrant for Content-Aware Data Loss Prevention
by Gartner Inc. According to Gartner, “leaders have demonstrated good understanding of client needs and offer comprehensive capabilities in all three functional areas – network, discovery, and endpoint – either directly or through well-established partnerships and tight integration.”
Gartner went on to say that “the market for content-aware DLP continues to show significant market growth despite difficult worldwide economic conditions.”
Symantec’s Information Exposure Assessment can provide you with a data-centric view of your organization’s information risk. By engaging in an Information Exposure Assessment, you gain valuable insights into where your confidential data is stored, how it’s being used, and how to prevent its loss.
To learn more about Symantec Data Loss Prevention, click here