This is a simple slide deck showing why companies need to protect data and classify information, and how Seclore IRM as a platform helps you get to your targets.
2. Approach to Information Security
Setting the Agenda
• Making information available to all users is essential for the enterprise to conduct its business
• Leakage of such information may impact the organization adversely
Five-step approach to make information available and secure
Information Location, Classification, Protection, Audit, Training
3. Approach to Information Security
Where does Information Reside?
• On File-Servers (FTP)
• Shared folders
• Within DMS
• Backup
• Content Management
• Emails
• Backup Tapes
• Extracts from BI tools
• Laptops
• Removable media
• Mobile devices
• Printer hard disk
• Desktops
• Email
This information is shared with Employees / Vendors / Partners / Consultants / Contractors / Auditors
Recognize where information exists
4. Approach to Information Security
Classification
What is Information Classification?
It is the science of describing the principles that need to be followed to protect information
It guides you on how and to whom you can distribute information with a particular classification
Why Classify?
Classification of information is essential for every business because without classification everyone treats the same piece of information differently, which could have major consequences
Classified data helps to better define and implement protection policies
5. Approach to Information Security
Protection
What is Protection?
Ensure that only legitimate users have access to the data
Control data with internal/external users
Define and apply policies based on Classification
Why Protect?
Protection enables the enterprise to manage the usage and consumption of its valuable data
6. Approach to Information Security
Audit
Auditing Information Usage
Track all end user actions on protected information
Generate and analyze reports
Keep a close eye on all your data that resides within or outside the organization
Why Audit Information Usage?
To understand the information consumption pattern
To showcase the shortcomings of existing policies
To fine-tune “Control-Policies” for your confidential data
7. Approach to Information Security
End User Training
What is Training?
Educate employees on information usage
Ensure participation, role play for users
Using email, standees, flyers, KM portal as a medium of knowledge transfer
Why Train Staff?
Helps the enterprise define better control-policies on data
Minimizes accidental misuse of information
Ensures the technology platform is well accepted
Training ensures user participation and acceptance
8. Approach to Information Security
Importance of DFA in building better policies
Data Flow Analysis is an activity to understand what is valuable information and which department holds it
It also helps in tracking the information and the consumption pattern & risk
DFA maps the information flow for a particular business process
DFA clearly points out the security issues attached with a piece of information at different stages of its lifecycle
DFA sharpens classification and protection policies on information
Thank you for being present today. The agenda of this presentation is to lay down a very simple and basic approach for us to understand what steps need to be taken to protect the enterprise from the risk of its information being put to misuse. The assumption being made here is that we recognize the need to protect information; however, we still need to identify which piece of information is most valuable to the company and finally lay down the way forward.
This presentation is an attempt to provide all of us with the ways and means of getting to answers to the following questions:
1) Why should I be protecting my information?
2) What is information classification, and why is it a means of getting to where we want to go?
3) How do I get an understanding of the risk that my business is exposed to, and finally of the business controls that are available to protect my information?
So let's start by answering the 1st question… “Why should I be protecting my information?” Read the 1st 2 para of the slide deck…
Information is exchanged by people across the enterprise. So, for example, an escalation about a customer transaction, or perhaps a job on the design floor, may end up reaching the head of the given department or the CIO. Information in this case traverses the company, and you do not need a policy to hinder this flow of escalation. In fact, once the issue is sorted you may need to ensure that the information is not put to misuse. Another example would be quotations that you send to customers, or information that business partners receive to complete a given assignment. What would be the risk to your information that is now with an external user? Does your NDA report back to you in case information is accidentally put to misuse?
So, in simple words, every bit of information is exposed during its lifecycle to some risk of misuse, and this risk can be measured and quantified in terms of financial loss and legal liabilities if you have not protected the confidential information that the other party has handed to you.
What would we cover… we would stitch together words such as [read the 3rd para..]
Where do I start from… [next slide]
Information classification is an approach, a science, a set of guidelines that an enterprise needs to understand and follow. It would help you understand what is valuable to you and how we should protect information.
Classification is a means of helping different people or systems understand how they should behave, react and act when they receive information with a specific classification attached to it.
Using a technique known as “Data Flow Analysis” we can get a grip on what information a specific department holds and for how long. This technique provides us with a map of the existing business risk that we are exposed to.
Read Para 1, 2, 3
Once we have this information I can identify the correct policies and classification that need to fall in place.
What is now needed is a technology tool to automate some of this work. Using a plain technology approach to automate discovery and classification does not work