2. Agenda
What is Information Leakage?
How and when does it occur?
Impact on organizations
Frameworks & DLP tools
Implications for CA
Conclusion
3. What is Information Leakage?
Information leakage is an alternate term for information exposure
Information exposure is the intentional or unintentional disclosure of information to a party that does not have access to that information (CWE, 2008)
Common form of data loss
Severity ranges widely depending on the type of information that is revealed
4. How and when does it occur?
External hack into an organization’s confidential information
Occurs during outsourcing
Acts of consultants who work for different firms concurrently
Relevant to CAs who work as consultants and C-Suite executives
Between alliances and collaborating companies
Leaks from inside by employees
5. Leak from Inside
Ways information can be leaked:
Flash drives, USB devices, other “lifestyle” devices
iPods
Bring-Your-Own-Device
Former employees – internal control deficiency
Cyberspace
Online storage (e.g. Google – Gmail)
Instant messages, emails, blogs
6. Impact on Organizations
Financial and reputational loss
Small leaks accumulate into a big loss
Loss of customer and employee private information
Loss of competitive position
Lawsuits or regulatory consequences
7. Frameworks
The Privacy Act of 1974 – U.S.
The Payment Card Industry Data Security Standard (PCI DSS) – U.S.
Sarbanes-Oxley Act (SOX) – U.S.
Federal Information Security Management Act (FISMA) – U.S.
8. DLP Tools
Full DLP suites
McAfee Data Loss Prevention – commercial email security platform
Controls for emails
Websense TruWeb DLP, Cisco IronPort email and Google – Postini
Stand-alone DLP products
Code Green Networks, Intrusion Inc., Workshare
9. Additional DLP Tools
Internal security controls
Digital forensic techniques
Network security solutions
E.g. Fidelis Security Systems’ XPS
Deploy DLP tools as part of a larger security suite
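The deck names products but does not show what an email DLP control actually does. The following is an added example, not code from the deck or from any of the products listed above: a minimal outbound-email content check that looks for card numbers (the data PCI DSS protects), confirms candidates with the Luhn check so that order numbers and similar digit strings are not flagged, and blocks only messages going to an external recipient. The internal domain, the regular expression, the masking rule and the sample messages are all constructed for illustration.

```python
import re

# Added example of an outbound-email DLP content check. All names, rules
# and sample messages here are constructed for illustration and are not
# taken from any product named in the deck.

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain

# Candidate primary account numbers (PANs): 13-19 digits, optionally
# separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for the audit record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_external(address: str) -> bool:
    """Treat any recipient outside the assumed internal domain as external."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def inspect_outbound(message: dict) -> dict:
    """Decide what to do with one outbound message.

    Returns {"action": "block" | "allow", "reason": ..., "matches": [...]}.
    Only Luhn-valid numbers addressed to an external recipient are blocked;
    matches are masked so the alert itself does not leak the PAN.
    """
    pans = find_pans(message["body"])
    external = [r for r in message["to"] if is_external(r)]
    if pans and external:
        return {"action": "block", "reason": "PAN to external recipient",
                "matches": [mask_pan(p) for p in pans]}
    if pans:
        return {"action": "allow", "reason": "PAN but internal recipients only",
                "matches": [mask_pan(p) for p in pans]}
    return {"action": "allow", "reason": "no sensitive content", "matches": []}


# Constructed sample messages (not real data; card numbers are test values).
SAMPLE_MESSAGES = [
    {"to": ["partner@other-firm.example"],
     "body": "Please charge card 4111 1111 1111 1111 for the invoice."},
    {"to": ["colleague@example.com"],
     "body": "Internal note: 4242-4242-4242-4242 is the test card on file."},
    {"to": ["partner@other-firm.example"],
     "body": "Ref 1234567812345678 is an order id, not a card."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(inspect_outbound(msg))
```

The Luhn step is what keeps a control like this usable: a pattern match alone would block the third message on its order id. A real suite layers more detectors (classification labels, fingerprinted documents, keyword dictionaries) and routes a "block" to a reviewer rather than silently dropping mail, but the decision structure is the same.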
10. Implications for CA
Safe environment for internet accounting information systems
Relevant to the accounting profession
Third-party specialized auditor to appraise the system
Effective network security audit
11. Conclusion
Extremely important for C-Suite executives to:
Understand information leakage
Realize its impact on organizations
Utilize DLP tools
Continuous effort to protect confidential information
Combination of effective DLP implementation and best management practices
12. Work Cited
Alawneh, M. & Abbadi, I. (2008). “Preventing Information Leakage Between Collaborating Organizations”. Proceedings of the 10th International Conference on Electronic Commerce, No. 38, pp. 1-10. Retrieved June 1, 2013, from ACM Digital Library: http://dl.acm.org.proxy.lib.uwaterloo.ca/results.cfm?h=1&cfid=221214407&cftoken=69627990
Baek, E., Kim, Y., Sung, L. & Lee, S. (2008). “The design of framework for detecting an insider’s leak of confidential information”. 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop, No. 14, pp. 1-4. Retrieved June 1, 2013, from ACM Digital Library: http://dl.acm.org.proxy.lib.uwaterloo.ca/citation.cfm?id=1363217.1363236&coll=portal&dl=ACM
Chen, A. & Chu, H. (2012). “Against the breaches: data loss prevention for online travelling services”. Information Security and Intelligence Control (ISIC), pp. 282-285. Retrieved June 1, 2013, from IEEE Xplore Digital Library: http://ieeexplore.ieee.org.proxy.lib.uwaterloo.ca/xpl/articleDetails.jsp?tp=&arnumber=6449761&queryText%3DAgainst+the+breaches%3A+data+loss+prevention+for+online+travelling+services
CWE-200. (2008). “Information Leak (Information Disclosure)”. Common Weakness Enumeration. Retrieved June 1, 2013, from CWE: http://cwe.mitre.org/data/definitions/200.html
Garretson, C. (2008). “Data-leak Prevention: Pros and Cons”. Network World, 25.1, pp. 1-39. Retrieved June 1, 2013, from ABI/Inform Global Database: http://search.proquest.com.proxy.lib.uwaterloo.ca/docview/215991675/13E68CFFDE85758648A/1?accountid=14906
He, Q. & Chen, G. (2011). “Research of security audit of enterprise group accounting information system under internet environment”. Second International Conference on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), pp. 516-519. Retrieved June 1, 2013, from IEEE Xplore: http://ieeexplore.ieee.org.proxy.lib.uwaterloo.ca/xpl/articleDetails.jsp?tp=&arnumber=6010453&queryText%3DResearch+of+Security+Audit+of+Enterprise+Group+Accounting+Information+System+under+Internet+Environment
Hoecht, A. & Trott, P. (2006). “Outsourcing, information leakage and the risk of losing technology-based competencies”. European Business Review, Vol. 18 Iss. 5, pp. 395-412. Retrieved June 1, 2013, from Emerald: http://www.emeraldinsight.com/journals.htm?issn=0955-534X&volume=18&issue=5&articleid=1567303&show=abstract
Irwin, K., Yu, T. & Winsborough, W. H. (2008). “Avoiding information leakage in security-policy-aware planning”. 7th ACM Workshop on Privacy in the Electronic Society, pp. 85-94. Retrieved June 1, 2013, from ACM Digital Library: http://dl.acm.org.proxy.lib.uwaterloo.ca/citation.cfm?id=1456403.1456418&coll=portal&dl=ACM
Lawton, G. (2008). “New Technology Prevents Data Leakage”. Computer, Vol. 41 Iss. 9, pp. 14-17. Retrieved June 1, 2013, from IEEE Xplore Digital Library: http://ieeexplore.ieee.org.proxy.lib.uwaterloo.ca/xpl/articleDetails.jsp?tp=&arnumber=4623215&queryText%3DNew+Technology+Prevents+Data+Leakage
Lee, H-J. & Won, D. (2011). “Protection profile for data leakage protection system”. Proceedings of the Third International Conference on Future Generation Information Technology, pp. 316-326. Retrieved June 1, 2013, from ACM Digital Library: http://dl.acm.org.proxy.lib.uwaterloo.ca/citation.cfm?id=2183807.2183844&coll=DL&dl=GUIDE&CFID=221237978&CFTOKEN=52641256
Liu, S. & Kuhn, R. (2010). “Data Loss Prevention”. IT Professional, Vol. 12 No. 2, pp. 10-13. Retrieved June 1, 2013, from IEEE Xplore Digital Library: http://ieeexplore.ieee.org.proxy.lib.uwaterloo.ca/xpl/articleDetails.jsp?tp=&arnumber=5439507&queryText%3Ddata+loss+prevention
Murphy, J. (2008). “Data Loss Prevention: An Elixir for Privacy Compliance Headache?”. The EDP Audit, Control and Security Newsletter, Vol. XXXVIII, No. 6, pp. 1-7. Retrieved June 1, 2013, from Scholars Portal: http://journals1.scholarsportal.info.proxy.lib.uwaterloo.ca/details-sfx.xqy?uri=/07366981/v38i0006/10_dlpaefpch.xml
Norman, P. (2004). “Knowledge acquisition, knowledge loss and satisfaction in high technology alliances”. Journal of Business Research, Vol. 57 No. 6, pp. 610-619. Retrieved June 1, 2013, from ABI/Inform Global Database: http://search.proquest.com.proxy.lib.uwaterloo.ca/docview/232104520/fulltext/13E68DCF766941C339/1?accountid=14906#
Oxley, J. & Sampson, R. (2004). “The scope and governance of international R&D alliances”. Strategic Management Journal, Vol. 25 Nos. 8/9, pp. 723-749. Retrieved June 28, 2013, from Deep Blue: http://deepblue.lib.umich.edu/bitstream/handle/2027.42/34617/391_ftp.pdf?sequence=1
S-Koromina, V. et al. (2012). “Insider threats in corporate environments: a case study for data leakage prevention”. Proceedings of the Fifth Balkan Conference in Informatics, pp. 271-274. Retrieved June 1, 2013, from ACM Digital Library: http://dl.acm.org.proxy.lib.uwaterloo.ca/citation.cfm?id=2371316.2371374&coll=DL&dl=ACM&CFID=221237978&CFTOKEN=52641256
Wuchner, T. & Pretschner, A. (2012). “Data Loss Prevention based on data-driven Usage Control”. IEEE 23rd International Symposium on Software Reliability Engineering, pp. 151-160. Retrieved June 1, 2013, from IEEE Xplore Digital Library: http://ieeexplore.ieee.org.proxy.lib.uwaterloo.ca/xpl/articleDetails.jsp?tp=&arnumber=6405363&queryText%3DData+Loss+Prevention+based+on+data-driven+Usage+Control
Zinkewicz, P. (2009). “Dealing with Data Leakage”. Rough Notes, 152(4), pp. 82-83. Retrieved June 1, 2013, from ProQuest: http://search.proquest.com.proxy.lib.uwaterloo.ca/docview/200371198?accountid=14906