By Geoff Sweeney, CTO, Tier 3.
Recent security breaches in both the private and public sector have highlighted the need for organisations to ensure personal information is processed and stored securely. Ever growing collections of personal data, more remote access and the prevalence of crime such as identity theft all create vulnerabilities. It is essential that effective data protection policies and practices are in place, combined with vigilance and strong governance at all levels in all organisations, to ensure data protection is taken seriously.
Individuals expect the Data Protection Act to safeguard their information, yet at the same time information security is increasingly at risk. As part of its new data protection strategy launched in March 2008 the UK’s privacy watchdog, the Information Commissioner’s Office (ICO), disclosed its plans to promote the importance of appropriate security, to use its regulatory powers against organisations that neglect their responsibilities in this area and to help individuals to protect their own information.
In May this was reinforced when the Criminal Justice and Immigration Act received Royal Assent, giving the ICO tough new sanctions. This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act and represents a step up from the ICO’s previous power to simply issue enforcement notices.
This isn’t necessarily the end of the changes and there may be more regulation to come: towards the end of May the European Network and Information Security Agency (ENISA) called for laws tougher than those in the US to force companies to reveal when their computer systems have been breached. In its General Report 2007 the EU’s top security body said governments, businesses and consumers are still underestimating the scope of the IT security problem, in part because of the lack of transparency when breaches occur, and that mandatory disclosure of security breaches would be a step toward raising recognition of the seriousness of security threats. In the US, there are two laws which force organisations to publish details of security breaches. One is the California Breach Law (SB1386), which requires organisations doing business in California to tell customers about possible security breaches. Similar laws are planned for other states. The second is Sarbanes-Oxley, which obliges executives to keep informed about material aspects of their business, including security breaches.
Whether mandatory disclosure of information security breaches is ultimately adopted in the UK or not is not yet known, but clearly advances in IT have made the collection, storage and sharing of all sorts of information easier and available to a wider population. Undoubtedly these advances have resulted in enhanced services across many sectors, but they have also increased the challenge of managing and protecting information. The vulnerability of data protection is evidenced almost daily, with costly data leakage incidents regularly impacting individuals and the organisations charged with the custody of their sensitive information.
The connectivity of WANs and the internet means that there are now few barriers to sharing information. The consequence, however, is that organisations can quickly lose control of who is sharing the information, where it is going and whether it is being used appropriately.
With this in mind, the best way for organisations to meet their data protection obligations is to understand the information flows and uses within their business environment. A systematic, risk-based approach is increasingly important: one that matches the organisation’s data monitoring and protection capabilities to the risks associated with the loss of information, based on its sensitivity or value and its likely impact on the individual and the organisation. Security policies, processes and technology are all part of the operational risk management process of identifying, monitoring and controlling information security breaches which may cause highly public exposure for your organisation and its stakeholders.
Increasingly, with the massive data volumes involved, this risk management loop requires the integration of skilled operational staff and competent technology to provide appropriate monitoring and control, ensuring that the use and movement of confidential information is within policy and adequately protected.
The good news in all this is that the security management process shouldn’t be too onerous and indeed should be part of the overall IT security effort. Technology is available which readily monitors who is accessing information, when and for what purpose. Using data protection systems which employ behavioural analysis, an organisation can easily distinguish between legitimate use of its confidential information and inappropriate usage. One of the most damaging breaches is when an authorised user who has "legitimate" access to sensitive information either accidentally or maliciously chooses to misuse or leak that information. A behavioural analysis based security system can detect unexpected or risky data movement even where other systems can’t.
By recording the movement and use of information, a behavioural analysis based security system establishes a profile that incorporates the characteristics of normal system use. By constantly monitoring and profiling user and system activity, the system immediately recognises when information is accessed, changed or shared in an unusual or uncharacteristic manner and alerts the accountable manager for remediation and evidentiary audit purposes. Specific business and policy rules can complement the system to enable early warning of any specific forbidden or unacceptable practices, e.g. theft or fraud.
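The profile-then-deviate approach described above, as an added illustration (not the author's or Tier 3's product code): a per-user baseline of record volume, working hours and destinations is built from constructed access-log tuples, each new event is scored against it, and one explicit policy rule runs alongside the profile. The field layout, the z-score threshold and the "usb" destination label are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training log, one tuple per access: (user, hour, records_read, destination).
BASELINE_LOG = [
    ("alice", 9, 40, "internal"), ("alice", 10, 55, "internal"),
    ("alice", 14, 48, "internal"), ("alice", 16, 52, "internal"),
    ("alice", 11, 45, "internal"),
    ("bob", 8, 12, "internal"), ("bob", 9, 15, "internal"),
    ("bob", 15, 10, "internal"), ("bob", 13, 14, "internal"),
]

# Business/policy rules that complement the behavioural profile (assumed example rule).
POLICY_RULES = [
    ("export of confidential records to removable media", lambda ev: ev[3] == "usb"),
]


def build_profiles(log):
    """Summarise what 'normal' looks like for each user from the recorded history."""
    per_user = defaultdict(list)
    for user, hour, records, dest in log:
        per_user[user].append((hour, records, dest))
    profiles = {}
    for user, rows in per_user.items():
        counts = [r for _, r, _ in rows]
        hours = [h for h, _, _ in rows]
        profiles[user] = {
            "mean": mean(counts), "sd": pstdev(counts),  # typical volume per access
            "hours": (min(hours), max(hours)),           # usual working window
            "dests": {d for _, _, d in rows},            # destinations seen before
        }
    return profiles


def score_event(profiles, event, z_limit=3.0):
    """Return the reasons an event deviates from the user's profile or breaches policy."""
    user, hour, records, dest = event
    reasons = []
    prof = profiles.get(user)
    if prof is None:
        reasons.append("no baseline for user")  # unprofiled users need manual review
    else:
        if prof["sd"] > 0 and (records - prof["mean"]) / prof["sd"] > z_limit:
            reasons.append(f"volume {records} far above typical {prof['mean']:.0f}")
        lo, hi = prof["hours"]
        if not lo <= hour <= hi:
            reasons.append(f"access at {hour:02d}:00 outside usual window {lo:02d}-{hi:02d}")
        if dest not in prof["dests"]:
            reasons.append(f"unseen destination {dest}")
    for name, matches in POLICY_RULES:
        if matches(event):
            reasons.append(f"policy: {name}")
    return reasons  # empty list means the access looks like normal use
```

In practice the alert (the non-empty reason list) would be routed to the accountable manager and retained with the raw event for audit, as the article describes.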
The scale of the task of protecting stored and transmitted sensitive information is undoubtedly becoming greater. The problem for organisations, however, is that their responsibility for information assurance remains unchanged, and given the intrinsic risk associated with storing and sharing it, information owners continue to need ongoing visibility of who is accessing data, for what purpose and where they are taking it. Behavioural based security monitoring technology provides the ability to continuously manage and report the status of access to and usage of confidential information for any organisation.