data leakage prevention

Inherent Data Leakage Prevention Program (IDLPP). By Ben Oguntala, Solutions Director, www.dataprotectionofficer.com, [email protected], 07812039867

Upload: ben-omoakin-oguntala-developingafricadotnet

Posted on 22-Jan-2015


Category: Technology



DESCRIPTION

This paper describes how we implement our Inherent Data Leakage Prevention Program (IDLPP), which is designed to give your organisation a path to compliance from the day it is implemented.

TRANSCRIPT

1. Inherent Data Leakage Prevention Program (IDLPP). By Ben Oguntala, Solutions Director, www.dataprotectionofficer.com, [email protected]

2. Introduction

We take standard data leakage prevention controls and convert them into automated processes that are linked together as part of your organisation's Data Leakage Prevention (DLP) strategy. IDLPP is applied in six areas:

- Management: IDLPP in management decisions
- Business processes: IDLPP activated and automated in business processes
- End devices: IDLPP activated and automated in end devices
- Network systems: IDLPP baseline automated within the network systems
- Comms: IDLPP provisions on all comms
- Suppliers: IDLPP automated on all supplier contracts

Across all six areas IDLPP re-uses incumbent technology, is activated and automated, is compatible with the DLP strategy and is embedded within the organisation.

3. What is the Data Leakage Strategy?

The data leakage strategy has four parts:

- DLP policy and procedures: all assets that are considered in scope will have a DLP policy.
- DLP baseline and enforcement: all assets will have a DLP baseline, or adopt a hybrid solution.
- DLP monitoring: integration of IDLPP into your current monitoring feature.
- Risk management: to ensure that, once the standard is set, there is continuous risk assessment in place.

4. IDLPP overview

IDLPP is placed in the ingress and egress traffic of each zone (DMZ tier, middle tier, database tier and data; intranet, extranet, business processes and data). IDLPP is embedded in each aspect of your network to ensure a holistic approach.

5. IDLPP features

IDLPP product features: data loss prevention, firewall, anti-spam, host IPS, anti-malware, encryption, device control, network access control, web filtering, compliance and application control. These are applied across the DMZ tier, middle tier, database tier, intranet, extranet and data, and on servers, desktops and laptops.

6. IDLPP features (2): integration of IDLPP into management decisions

- Management: business processes will include DLP in their considerations.
- End devices: servers, workstations, laptops and mobiles will all have IDLPP embedded.
- Network systems: switches, routers, firewalls, IPS and IDS will have an element of IDLPP.
- Comms: IDLPP policies and procedures will be applied to comms devices, e.g. email, printers and mobiles.
- Suppliers: IDLPP will be included in contracts with suppliers, with a self-audit capability to report on compliance.

7. 3rd parties and extranets

The diagram covers a 3rd party hosting facility, the customer intranet, a supplier, the extranet and the Internet.

- IDLPP will allow you to audit 3rd party suppliers on an ongoing basis.
- Via contract, IDLPP will be able to extend from the customer intranet to their suppliers and 3rd party hosting facilities.

8. Applicable standards

Data Protection Act, FSA data security, Data Seal (DMA), several regulatory requirements, PCI DSS, SOX 404 and ISO 27001. The control areas mapped against these standards (as policies, procedures and baselines) are: network security, change management, security management, data security, compliance, business process security, project security cycle, 3rd party security, access control, data privacy impact assessment, end point security and monitoring.

9. IDLPP change management

For each of the standards above (Data Protection Act, FSA data security, Data Seal (DMA), PCI DSS, SOX 404, ISO 27001):

- Project/change: each requires operational risk assessments on an ongoing basis. Currently these are manual and not cohesive.
- Supplier audits: each requires supplier audits, with pre-engagement and in-flight visits. 3rd party audits are costly to carry out and uncoordinated.
- Compliance: each requires a compliance operation and reporting framework. Today there are disparate views and reporting tools.
- Management and notification requirements: each requires suppliers to be notified and incidents to be reported.
10. IDLPP for laptops

- OS: security build specification; hardware security baseline; remote wipe enabled.
- Build: registration on the asset register.
- Access control: 2 factor authentication.
- Hard disk: hard disk encryption; encryption policy enforcement.
- Connectivity: fettered (restricted) ingress and egress traffic; automatic lock-down of all unauthorised connectivity; secure connectivity only.
- USB devices: authorised USB access only.
- Data: data encryption in transit and at rest (stationary); remote wipe functionality.

11. Benefit to Sophos customer

Compliance automation: automatic enforcement, automatic reporting, automatic auditing, automated consolidation and automatic breach reporting, covering policies and procedures for ISO, SOX, PCI, DPA, 3rd parties, Data Seal and FSA.

12. Key questions from regulations

- PCI DSS: Is the network segregated and is card holder data adequately secured?
- SOX 404: Are there risk management processes, change control and governance in the organisation?
- ISO 27001: Are there policies and procedures that ensure adequate engagement between management and business units, as well as procedures to support the policies?
- Data Protection Act: How many information assets do I have, and with whom am I sharing them? What sort of privacy impact assessments are carried out for projects and changes?
- FSA data security: Are there adequate governance, risk management and security for FSA-related confidential and financial information about clients?
- Data Seal (DMA): Does the company have adequate data security controls in place for the customer data it handles?

13. IDLPP gap analysis

Key areas: network infrastructure, business processes, software asset register, hardware asset register, project implementations, 3rd party suppliers, data flow definition, policies and procedures, risk management. The gap analysis produces the risks, countermeasures and recommendations.
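The laptop baseline on slide 10 (asset register entry, disk encryption, 2 factor authentication, restricted egress, authorised USB only, remote wipe) and the gap analysis on slide 13 both come down to checking an inventory snapshot against a list of controls. The following is an added example, not code from the deck or from dataprotectionofficer.com: it evaluates a constructed endpoint snapshot against those controls and renders a udev allow-list for the "authorised USB access only" control. The snapshot field names, the sample devices and the allow-list are assumptions made for illustration.

```python
"""Added example: check a laptop snapshot against the slide-10 baseline and
emit a udev allow-list for 'authorised USB access only'. Not the deck's own
code; snapshot schema, sample devices and allow-list are assumptions."""
from dataclasses import dataclass

# Constructed snapshot, shaped like what an endpoint agent might report
# (the field names are an assumption, not any product's format).
SAMPLE_SNAPSHOT = {
    "hostname": "LT-0042",
    "asset_tag": "",                       # empty: not on the asset register
    "disk_encryption": {"/": "luks2", "/home": "none"},
    "auth_factors": ["password"],          # only one factor configured
    "remote_wipe_enrolled": True,
    "egress_policy": "default-allow",      # baseline wants default-deny
    "usb_devices": [
        {"vendor_id": "046d", "product_id": "c52b", "class": "hid"},
        {"vendor_id": "0781", "product_id": "5583", "class": "mass-storage"},
    ],
}

# Constructed allow-list of (idVendor, idProduct) pairs the organisation permits.
AUTHORISED_USB = {("046d", "c52b")}


@dataclass(frozen=True)
class Finding:
    control: str   # baseline control that failed
    detail: str    # what was observed


def check_laptop_baseline(snapshot, authorised_usb):
    """Return one Finding per failed control; an empty list means compliant."""
    findings = []

    if not snapshot.get("asset_tag"):
        findings.append(Finding("asset-register", "no asset tag recorded"))

    clear = sorted(m for m, alg in snapshot["disk_encryption"].items() if alg == "none")
    if clear:
        findings.append(Finding("hard-disk-encryption", "unencrypted: " + ", ".join(clear)))

    if len(set(snapshot["auth_factors"])) < 2:
        findings.append(Finding("two-factor-auth", "only " + ", ".join(snapshot["auth_factors"])))

    if not snapshot["remote_wipe_enrolled"]:
        findings.append(Finding("remote-wipe", "not enrolled"))

    if snapshot["egress_policy"] != "default-deny":
        findings.append(Finding("fettered-egress", "policy is " + snapshot["egress_policy"]))

    for dev in snapshot["usb_devices"]:
        ident = (dev["vendor_id"], dev["product_id"])
        if ident not in authorised_usb:
            findings.append(Finding("authorised-usb-only",
                                    f"unauthorised {dev['class']} device {ident[0]}:{ident[1]}"))
    return findings


def udev_usb_allowlist(authorised_usb):
    """Render udev rules for deny-by-default USB with an allow-list.

    The first rule clears authorized_default on root hubs (kernel names
    usb1, usb2, ...) so newly attached devices stay unauthorised; each later
    rule re-authorises one permitted vendor:product pair.
    """
    rules = ['ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", '
             'ATTR{authorized_default}="0"']
    for vid, pid in sorted(authorised_usb):
        rules.append(
            f'ACTION=="add", SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vid}", '
            f'ATTR{{idProduct}}=="{pid}", ATTR{{authorized}}="1"'
        )
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    for f in check_laptop_baseline(SAMPLE_SNAPSHOT, AUTHORISED_USB):
        print(f"FAIL {f.control}: {f.detail}")
    print(udev_usb_allowlist(AUTHORISED_USB))
```

On the sample snapshot the check reports five gaps (no asset tag, an unencrypted /home, a single authentication factor, default-allow egress and an unauthorised mass-storage device) and passes remote wipe. Two caveats on the udev rules: an allow-listed device that sits behind an external hub only works if the hub itself is also allow-listed, and vendor:product IDs are trivially spoofed by a malicious device, so this is a policy control rather than a hard boundary; a production deployment would normally use USBGuard, which applies the same authorised/deauthorised mechanism with a richer rule language.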
14. Engagement timeline

- Project scope definition (2 man days): questionnaire; two face-to-face meetings; objective definition.
- Gap analysis and fact finding (20 man days): mapping out your current network infrastructure; business processes; software asset register; hardware asset register; 3rd party supplier assessment; data flow definition; risk management process assessment; policies and processing assessment.
- Audit report (5 man days): gap analysis report; risks and countermeasures; recommendations and work streams.
- Project implementation: dependent on work streams.

15. THE END

http://www.dataprotectionofficer.com/Data-Leakage.aspx