Data Loss Prevention - Step 1: Know What's Important

Monday, December 12, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

I'm writing a series of posts (should be about 7 if all goes well) to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs

It's silly, but few people out there actually understand why... so I've hopefully addressed the madness and added some sanity, now I want to go through the things I've outlined in the previous post one by one and give them more clarify.

First, let me tackle Know What's Important as an entry way into this much longer discussion.

This is a multi-part section here... because you have to know what, and then know how it's stored/formatted... so let's dig in.

The first and most important part of knowing what's important in your organization is something I've been talking about entirely too much I fear... know what your company does and then figure out what the critical bits are. 

This type of assessment of your organization depends heavily on which industry vertical you play in, or how many of them you play in... and what type of access you have to the right information.  Generally, it's critical to go to the non-techies to figure out what your company treasures. 

Sometimes, what you care about is your customer lists, sometimes it's the secret formula for a soft drink, sometimes it's a secret ultra-high efficiency engine design, or the next big thing in stealth bombers. The point here is that you simply need to know your business.

Let's take the example of an organization that manufactures tires.  Some possible answers to "what does the company care about" is designs, formulas, and distribution channel leads contacts as well as sales campaigns to round out a short and incomplete list.

Next let's make a list of each of the things we just discovered above (for the sake of this exercise we'll call that an exhaustive and correct list, which is clearly isn't) and attempt to map those things to the formats we may find them in. 

This part of the exercise is a little tougher because the off-the-cuff answer is "every format"... but if you're this sample company which makes tires you can assume designs will be in some sort of drawing format, while contacts, financials, etc may be in spreadsheets and documents, when created. 

Remember, to keep it simple we should think about how these will be created and used, because ultimately everything can be ZIPped, emailed, or taken into a screen-shot... so that's not helpful.

The resultant map would look something like this (click image to enlarge):

11-15-2011 10-45-01 PM.jpg

Obviously yours would be significantly more complete as you drilled down into each asset and tried to understand what it is, how it manifests itself, and who has access to it.  After this tree is built you may learn something about your organization you've never known before.

For example, that your company is in a line of business you've never known before, or that there is one specific widget that is super-duper-top-secret ...and all this drives your protection strategy.

Try this exercise.  See how far you can get, without lying to yourself.  Once you feel comfortable with your results, go interview people in your organization and realize how far off you were... then and only then will any DLP strategy make any sense what-so-ever.

Good luck!  Next part coming in a few days...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
16275
Network->General
Information Security
Enterprise Security Security Strategies Risk Assessments Data Loss Prevention DLP Information Security Data Protection
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.