Archive for the ‘Compliance’ Category

DLP rules - Tips to reduce false positives and false negatives

Monday, July 9th, 2012

For those who are already conversant and comfortable with DLP, here are some tips to avoid false positives and false negatives:

a. For new rules you create, apply a ‘deep data’ strategy: most specific to least specific. For example, the keyword ‘Company specific’ or ‘Company confidential’ on its own is not enough. Research some more and add more data. Try it with a small team and have them send out some emails that summarize confidential-type information. See whether DLP catches them.

b. Default rules are recommendations only; customize them to your environment, again following the ‘MSLS’ (most specific to least specific) rule. Do not leave the default rules in the system and expect them to work. They might work, but they may also generate false positives or false negatives.

c. ‘False positives / negatives’ are not a waste of time. Use them to focus on what has worked and what has not, and fine-tune.

d. ‘Comprehensive overview of the risks’ or ‘leak areas’: always keep in mind what the potential leak areas are, apply the MSLS rule first to those areas and slowly work through the rest. Also, there will be rules that overlap multiple leak areas; treat them with even more care, because the risk of data aggregation is higher on such rules.
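To make points a to c concrete, here is an added example (not code from the original post, and not tied to any particular DLP product) of the ‘most specific to least specific’ idea as a small rule scorer. A generic keyword rule, the kind a default ruleset ships with, is compared against a layered ruleset that puts organisation-specific markings, project codenames and data formats first. The sample emails, the codenames ‘Project Falcon’ and ‘Project Osprey’, the `CLASSIFICATION:` marking and the weights and thresholds are all constructed for the illustration; the `evaluate` function is the false positive / false negative feedback loop from point c.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int  # how strongly a match indicates sensitive content


def make_rule(name, regex, weight, flags=0):
    return Rule(name, re.compile(regex, flags), weight)


# "Deep data" layer: markings, codenames and data formats specific to a
# hypothetical organisation. The marking text and codenames are made up.
SPECIFIC_RULES = [
    make_rule("classification-marking",
              r"\bCLASSIFICATION:\s*(?:CONFIDENTIAL|RESTRICTED)\b", 5),
    make_rule("project-codename", r"\bProject (?:Falcon|Osprey)\b", 4),
    make_rule("ssn-like-number", r"\b\d{3}-\d{2}-\d{4}\b", 5),
]

# Least specific layer: the sort of keyword a default rule relies on.
GENERIC_RULES = [
    make_rule("generic-confidential",
              r"\b(?:company )?confidential\b", 1, re.IGNORECASE),
]

# Most specific rules are checked first; the generic keyword only adds weight.
LAYERED_RULES = SPECIFIC_RULES + GENERIC_RULES


def score(text, rules):
    """Sum the weights of every matching rule; return (score, names of hits)."""
    matched = [r for r in rules if r.pattern.search(text)]
    return sum(r.weight for r in matched), [r.name for r in matched]


def is_flagged(text, rules, threshold):
    """A message is blocked/alerted when its score reaches the threshold."""
    return score(text, rules)[0] >= threshold


# Constructed test messages (not real mail): (body, truly_sensitive).
# Sample 1 is the classic false positive: a boilerplate footer.
SAMPLES = [
    ("Reminder: the all-hands is Friday. This message is company confidential.", False),
    ("Attached is the Project Falcon design doc. CLASSIFICATION: CONFIDENTIAL", True),
    ("Customer record 123-45-6789 is ready for the account review.", True),
    ("Lunch menu for next week is on the intranet.", False),
    ("Please review the attached draft for Project Osprey before Monday.", True),
]


def evaluate(rules, threshold, samples=SAMPLES):
    """Count true/false positives and negatives: the tuning feedback loop."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for body, sensitive in samples:
        flagged = is_flagged(body, rules, threshold)
        if flagged and sensitive:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif sensitive:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    # The generic rule alone flags the footer (false positive) and misses the
    # messages that carry no keyword (false negatives); the layered set does not.
    print("generic only:", evaluate(GENERIC_RULES, threshold=1))
    print("layered     :", evaluate(LAYERED_RULES, threshold=3))
```

With a threshold of 3, a lone generic keyword is never enough to flag a message in the layered set, but it still raises the score of a message that already matched a specific rule. Running the small team exercise from point a amounts to extending `SAMPLES` with the emails that team actually sent and rerunning `evaluate` after each rule change.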

Hope this helps!

Data center consolidation

Friday, May 8th, 2009

As a business evolves through standard growth, mergers or acquisitions, an organization can find itself trying to manage and maintain multiple, redundant data centers.

The agenda for Data Center Consolidation (DCC) could be to:

  • centralize your systems,
  • reduce power and cooling costs and protect your environment by implementing comprehensive security, business continuity and availability plans,
  • eliminate IT redundancies,
  • increase IT asset utilization,
  • reduce management and operational costs,
  • achieve greater return on investments.

Typically, DCC projects are sponsored by core IT management. They are run as a program rather than a project, since they involve IT and business owners across the organization.

Every DCC program has many unique challenges. Hence the scope of the DCC should be defined and agreed upon. Identifying and obtaining sign-off on what is not done is equally important. A top-level presentation to management covering the basics (what we do and what we don't do, strategies followed, high-level steps in moving), process, budget and timeline should help management understand the direction clearly and help them approve the budget.

Click here to see a presentation of DCC run as a program

Who needs ISO-27001?

Monday, March 30th, 2009

If you hold your client’s classified or sensitive data as part of doing business with your client, you may want to get ISO 27001 certification to offer ‘security’ comfort to your clients. Get it?

Here is an example: if you happen to hold your clients’ source code or similar sensitive data as part of performing your business, your client will be concerned about the security of their sensitive data. Specifically, they would like to know whether your information security department is reliable and sustainable. That is where ISO 27001 comes in. Not all companies benefit from ISO 27001. Right?

What does ISO 27001 offer that is different from what you have today? It is a measurement framework, one that enables you to scale your policies and handle them appropriately as you grow.

Security policies in companies today are often abstract and come close to the ‘terms of usage’ policy within a company. However, it is worth exploring an ISO security framework, ISO 27001. It enables you to formally enumerate policies and data classifications, provide appropriate risk treatment and provide continuity.