2. 2
Knowing ‘what’ is sensitive is a business problem that technology alone cannot solve. (The Policy)
Technology needs to know the data, to know ‘How’ and ‘Where’ to manage it. (Process & Federation)
Ancillary functions are required to add further functionality.
Each DLP program is unique, and ancillary functions change from deployment to deployment.
What is Information or Data Leak Prevention ?
Information / Data Leak Prevention (DLP) is a strategy for making sure that
sensitive information does not reach the wrong hands, either inside or outside
the enterprise network. The term is also used to describe technology
products that help a network administrator control the data that end users
transfer. The terms Information-Data, Leak-Loss and Prevention-Protection are
used interchangeably.
3. 3
Quiz - Ahead of Apple’s much-anticipated new product launch, a celebrity
picture leak incident on iCloud caused its share price to fall by 4.2%.
If Apple has a total of 5.99 billion shares, then kindly put a price tag on
this leak.
a) $ 6 Million
b) $15 Million
c) $15 Billion
d) $25 Billion
Financial Implication of a Single Information Leak; An example
4. 4
“According to Kaspersky Labs Accidental Data sharing leads to loss of more
data than software flaws. 27% of organizations have lost sensitive business
data due to internal threats in last 12 months…”
Industry Trend
[Chart: Data Loss Threats. Categories: Vulnerabilities in existing software; Accidental leaks / sharing of data by staff; Loss / theft of mobile device by staff; Intentional leaks / sharing of data by staff; Information leaked / inappropriately shared on mobile device; Security failure by third-party supplier; Fraud by employees. Series: Yes, of sensitive business data; Yes, of non-sensitive data; No.]
5. 5
Obtain top management buy-in, have a policy, and have a high-level vision of the enterprise network to establish the primary boundary and identify the primary gateways.
Speak to Corporate Governance, Data Governance, Control Minded Cousin.
Speak to IT and understand the various information types and their handling.
Speak to sample staff at all levels to understand the culture around the information life cycle.
Survey business functions to understand specific business processes and develop data flow diagrams.
Develop a road map with all the above details.
Finding the Starting Point
Policy
Leak Control at Mail Gateway (@xyz.co.kw)
Leak Control at Automation (USB, CD, etc.)
Leak Control at Internet Gateway (Gmail, SkyDrive, etc.)
6. 6
Data Classification
Policy Framework
Rights Management
Gateway Tech Integration
Encryption
Mobile Support
While developing a roadmap, identify the ‘What’, ‘How’ and ‘Where’, and
ancillary functionality as per organization priorities.
The Roadmap
‘What’ shall constitute the Information Classification as per the Policy, to achieve the primary building block of the program.
‘Where’ shall form the base and extended boundaries, thus constituting the Federation.
‘Who’ shall constitute the Rights Management.
‘How’ shall constitute the related Business Processes, flow diagrams and also the deployment of gateway technology (mostly referred to as the DLP products).
Ancillary functions are further added to bring in the functionality for Encryption and Mobility.
7. 7
Public: Information which is to be shared outside the enterprise.
Internal Use: Information accessible to staff on a need-to-know or need-to-have basis.
Business Partners: Information accessible to vendors, partners or consultants (i.e. outside KFH Domain).
Confidential: Information accessible to staff only on a need-to-know or need-to-have basis to perform assigned job responsibilities, within the organization only.
Secret: Information accessible to highly restricted, authorized employees within the organization with an absolute need-to-know or need-to-have requirement to perform their assigned job.
Information Classification Scheme
Information Classification is the fundamental requirement for identifying sensitive data. In
its absence, no amount of technology deployment can be an alternative.
[Diagram: Information Classification Policy. Levels along the Information Sensitivity axis: Public, Internal Use, Business Partners, Confidential, Secret.]
8. 8
The term ‘Leak’ refers to the breach of boundaries by the respective classification.
Boundaries also constitute the constituency of each classification.
Similar to social media, the framework allows the end user to classify his / her information accordingly.
Examples of LinkedIn, Google, FB.
[Diagram: federation boundaries labelled Kuwait, KSA, Bahrain, Qatar, UAE, Oman, 3rd party.]
It is a fundamental requirement to establish logical enterprise boundaries as per the base organization.
Federation Framework
9. 9
Rights Management, along with validation features, manages the restriction and access control mechanism of the program.
Rights to change the classification are managed, to avoid unauthorized ‘Business Partners’ classification in order to send the information outside.
An RM mechanism is deployed to restrict the printing of ‘Confidential’ and ‘Secret’ information.
RM manages the authorization of Public information.
It is required to establish ‘Who’ can do ‘what’ as per job authorization.
Rights Management
[Diagram: Rights Management Mechanism; label: Print.]
10. 10
Identified sensitive information shall be auto-encrypted and shall not require intervention from the average end user.
The encryption mechanism gets auto-invoked based on classification, without end user intervention.
The organization does not need to apply cumbersome encryption across the organization.
Special public announcements that need to be treated as confidential until released are managed with a special process.
Encryption and Digital Certificates
[Chart: Sensitivity Trends. Categories: Internal Use, Business Partners, Confidential, Secret, Public.]
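The classification, federation, rights management and encryption slides above describe one decision that a gateway has to make per message. The following is an added example, not part of the original slides or of any DLP product: it assumes the placeholder mail domain shown on the gateway slide, a hypothetical partner domain `partner.example`, hypothetical function names, and an assumed set of labels that trigger automatic encryption.

```python
from enum import Enum

class Label(Enum):
    PUBLIC = "Public"
    INTERNAL_USE = "Internal Use"
    BUSINESS_PARTNERS = "Business Partners"
    CONFIDENTIAL = "Confidential"
    SECRET = "Secret"

INTERNAL_DOMAINS = {"xyz.co.kw"}       # placeholder mail domain from the slide
PARTNER_DOMAINS = {"partner.example"}  # assumption: one federated partner

# Boundary (constituency) each classification may reach, per the scheme above.
# Per-user need-to-know inside the organization is out of scope here.
BOUNDARY = {
    Label.PUBLIC: {"internal", "partner", "external"},
    Label.INTERNAL_USE: {"internal"},
    Label.BUSINESS_PARTNERS: {"internal", "partner"},
    Label.CONFIDENTIAL: {"internal"},
    Label.SECRET: {"internal"},
}
NO_PRINT = {Label.CONFIDENTIAL, Label.SECRET}
# Assumption: which labels count as "sensitive" for automatic encryption.
AUTO_ENCRYPT = {Label.BUSINESS_PARTNERS, Label.CONFIDENTIAL, Label.SECRET}

def zone(address):
    """Map a recipient to a zone; exact domain match, so look-alikes stay external."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in INTERNAL_DOMAINS:
        return "internal"
    return "partner" if domain in PARTNER_DOMAINS else "external"

def evaluate_mail(label, recipients):
    """Return (action, offending): block on a boundary breach, else encrypt or allow."""
    offending = [r for r in recipients if zone(r) not in BOUNDARY[label]]
    if offending:
        return "block", offending
    return ("encrypt" if label in AUTO_ENCRYPT else "allow"), []

def may_print(label):
    return label not in NO_PRINT

def may_reclassify(old, new, has_release_right):
    """Widening the boundary (e.g. Confidential -> Business Partners) needs the right."""
    widens = not BOUNDARY[new] <= BOUNDARY[old]
    return has_release_right or not widens
```

The reclassification check is the one that closes the bypass the Rights Management slide warns about: without it, a user could relabel a Confidential document as Business Partners and the gateway would let it leave.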
11. 11
Extend the program to mobile devices as per the organization’s appetite, similar to PCs.
Integrate Mobile Device Management with the solution, including device identity parameters.
For large organizations, the facility can be rolled out to limited staff only, to keep license cost down.
SMBs may consider integration with MS Office 365 / Google Docs.
Deploy black and white lists (MAC address) at the enterprise gateway.
Mobility
[Diagram labels: Corporate Network, Management Server, Proxy, Data Storage, Exchange, “+ Policy” (shown twice), DMZ, CA Server.]
Forrester Research 2013
12. 12
General Benefits
# Benefits
1 Gaining competitive advantage, in both brand value and reputation
2 Data leakage prevention comprehensively covers all information types that management does not wish to be leaked
3 Once information is classified, no user interference is required; further security is managed in the background
4 Increases staff awareness of the value and sensitivity of the data, and adherence to corporate governance and information security policies
5 Confidential information printing is restricted
6 Secure work environment, Archive Data Governance, Intellectual Property protection, Privacy and Regulations, Culture Change
7 Securing proprietary information against security threats caused by enhanced employee mobility and new communication channels
8 Preventing the misuse of information, both on and off the enterprise network
14. 14
https://kw.linkedin.com/in/tanvirh
Tanvir is an Information Security professional
specializing in managing large-scale programs
that require a unique blend of expertise in strategy,
process re-engineering and technological action
planning.
Prior to his role at Kuwait Finance House (KFH),
he was associated with leading companies
including National Commercial Bank (NCB),
Emirates NBD, Riyad Bank and HSBC.
Tanvir has an MS in Electronics & Communications
and CISSP, CISA and AMBCI certifications.
Speaker Profile