Archive for the ‘Uncategorized’ Category

Data loss protection - what it does not cover

Thursday, May 26th, 2011

It's very interesting to know and talk about data loss protection. But there are some things that, as of now, are not possible unless you can bear a huge cost. How and why? Please read below.

Data loss protection can protect data deemed confidential and also trigger an incident. This is nice for a huge corporation that is busy dealing with IP, knowing its business well, and busy selling and making its revenue target. When corporations are busy with this, it is quite possible that employees, knowingly or unknowingly, send out data that is considered confidential. Ideally the data should be protected in the sense that it should not be sent out, and if it is sent (by email, copied to a USB drive, sent as a file, copy-pasted into chat, etc.) it should be filtered, and management or the information security team needs to know.

(At one of our client companies, 5 people were walked out as they forwarded the CEO's email about the business direction and how this quarter they would make money, etc. The CEO himself acknowledged it - thanks to data loss protection.)

How did this all happen? Data loss protection taps (inserted inline with the ingress and egress traffic) filter emails and, based on the keywords in the email, DLP triggers an action and perhaps an incident. (Another option for companies that have Symantec is Endpoint - a DLP agent on each and every end-point such as desktop, laptop, etc.)

So, what does it not accomplish? Can an end user open a secure shell? Can a user open HTTPS over 443 and send some confidential data? Yes and no. It mainly depends on your infrastructure.

Let's take Symantec's DLP solution. Symantec has an 'Endpoint' product that is an agent installed on every desktop/laptop and also on network devices (I was told). When an end-user opens an ssh session, the endpoint takes over and opens the connection to the destination website. Since Endpoint can read every byte of the packet, if the end-user sends confidential data, Endpoint will let the user know or silently discard it, based on the policy. This makes the end-user think that he sent the email with the confidential data. This costs a lot, and also not every site's certificate is known, so Endpoint falls short and the end-user is still able to send confidential data via HTTPS.

The other way to do this is to install a tap that can decrypt and encrypt, to perform a 'man-in-the-middle' attack.

The firewall should be loaded with a certificate when the end-user opens a new HTTPS site. Hence the firewall will be able to decrypt the packet. It's an expensive proposition, but you can make it happen.

So, if you have money, you can accomplish this, as DLP on its own does not provide clear filtering of packets that are sent via HTTPS.
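To make the gap concrete, here is an added example (not Symantec's code or anything from the original post) of a keyword-driven inline tap run over constructed sample traffic. A toy XOR transform stands in for the HTTPS session the tap cannot read, and the `can_decrypt_https` flag models whether the firewall has been loaded with a certificate; the pattern list, hostnames and message text are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Keyword policy the inline tap applies to visible mail content (constructed).
CONFIDENTIAL_PATTERNS = [
    re.compile(r"\bconfidential\b", re.IGNORECASE),
    re.compile(r"\bQ[1-4]\s+revenue\s+target\b", re.IGNORECASE),
]

# Toy stand-in for TLS: XOR with a fixed key (NOT real encryption). It models the
# HTTPS session the tap sees only as opaque bytes unless it terminates TLS itself.
SESSION_KEY = b"not-a-real-tls-key"

def toy_encrypt(data: bytes) -> bytes:
    # XOR is its own inverse, so the same call also "decrypts".
    return bytes(b ^ SESSION_KEY[i % len(SESSION_KEY)] for i, b in enumerate(data))

@dataclass
class Flow:
    channel: str       # "smtp" (plaintext) or "https" (encrypted)
    dest: str
    wire_bytes: bytes  # exactly what the inline tap observes

def inspect(flow: Flow, can_decrypt_https: bool) -> dict:
    """Tap verdict: 'incident' (policy hit), 'clean', or 'blind_spot'."""
    if flow.channel == "https":
        if not can_decrypt_https:
            # No certificate on the firewall: ciphertext only, nothing to match.
            return {"verdict": "blind_spot", "dest": flow.dest, "matched": []}
        visible = toy_encrypt(flow.wire_bytes)
    else:
        visible = flow.wire_bytes
    text = visible.decode("utf-8", errors="replace")
    matched = [p.pattern for p in CONFIDENTIAL_PATTERNS if p.search(text)]
    return {"verdict": "incident" if matched else "clean",
            "dest": flow.dest, "matched": matched}

# Constructed sample traffic: the same leaked note over SMTP and over HTTPS.
LEAK = b"Fwd: CEO note - CONFIDENTIAL: here is how we hit the Q2 revenue target"
SAMPLE_FLOWS = [
    Flow("smtp", "mail.example.net", LEAK),
    Flow("https", "webmail.example.net", toy_encrypt(LEAK)),
    Flow("smtp", "mail.example.net", b"Lunch at noon?"),
]

def run(can_decrypt_https: bool) -> list:
    return [inspect(f, can_decrypt_https)["verdict"] for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    print("tap only:      ", run(False))  # ['incident', 'blind_spot', 'clean']
    print("tap + TLS MITM:", run(True))   # ['incident', 'incident', 'clean']
```

The second flow is the same leak the tap catches on SMTP; it is invisible until the firewall can decrypt, which is exactly the coverage the post says costs money.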

Let me know if I am wrong and something has appeared that can filter these packets and accomplish DLP.

Why is DR not getting attention?

Saturday, November 7th, 2009

It is because,

a. Senior management of companies do not believe they need to invest in something that *may* happen

b. DR is expensive - if you are not a storage company, your DR costs can skyrocket to the extent of listing them on your 10-K!

But think about it: what is not expensive? Automation is expensive, regulation is expensive, business process transformation is expensive. At least DR enables you to do the best at something you are good at - do it once, do it the best!

Bare minimal risks that your ITGC SOX controls should cover!

Monday, September 21st, 2009

What are the bare minimum risks that your ITGC SOX controls should cover? Although there are ITGI/COBIT documents to guide you through, one can easily get lost in the maze - I thought I would put together this checklist for anybody to apply to get comfort.

a. New accounts or modifications to account privileges are approved - OS, DB, application, network, logical security (VPN, Active Directory, NIS, LDAP and other authentication sources), physical security.

b. Terminations are performed in a timely manner - applicable to the same processes as above

c. Transfers are handled as a combination of b. and a. above - applicable to the same processes as a.

d. Controls around change management specifically address database object-level changes, data fixes and data migrations, and UATs are recorded for all application-level changes

e. Shared privileged account management - passwords are changed when team members with access to shared privileged accounts leave the company - applicable to all areas listed in a.

f. Storage backup is tested for recovery (especially for databases)

g. Password configuration complies with enterprise standards for areas listed in a.

Optional:

a. Account reviews in each area listed in a.

Governance without Program Management

Wednesday, April 15th, 2009

I remember somebody asking me why there is such a big fuss about program management - why is it so important?

Here is my response: let's say I have diabetes and I would like to lead a structured and sustainable life - exercise every day, eat small portions more often, take medications, avoid bruises, etc. The keywords 'sustainable' and 'structured' are what make a set of tasks a 'program'.

The program should have objectives, plans and timelines, and should be measurable. Example programs would be a SOX program, DR program, outsource management program, IT service delivery program, etc.

What makes these a program? They all require a methodology to 'sustain' the tasks/processes involved.