by Matt Hines

Tips for enterprise data protection

Jun 26, 2007

How do you bolster data-centric defenses? Here's one infosec consulting expert's take on the problem.

At the ongoing InfoWorld Enterprise Data Protection Forum in New York, Stephen Scharf, who serves as head of security for Bloomberg and sits on the Information Systems Security Association (ISSA) international board of directors, offered up his tips on what large businesses need to do to create and manage more effective data protection initiatives.

In the same order Scharf pitched them, and with a little additional color, here are the practices the expert evangelized for improving enterprise data protection:

-Data classification:

“You have to know what you have, and where you have it, if you want to protect it.”

-Identity management:

“People have to get paid, so if anyone knows who everyone is — who is full time, and who is part time and what they need access to — human resources knows.”

-Access controls:

“Don’t put in place overly complex controls or people will spend all their time trying to backdoor them; if you put in place controls that become overly complex, throw them away and start over. You want to try to keep them as straightforward and clear as possible.”

-Training and awareness:

“You can’t expect that users are absorbing this material that you give them; they don’t go home and read their employee manuals. Users are focused on getting their jobs done.”

“Most people want to do things securely; oftentimes it’s just that they don’t know how. The business of your business isn’t security, so you can’t expect people to be security gurus.”

-Policies:

“You have to make sure that policies are practical and follow the business; if policies are too confusing for you to understand, how can you expect your users to understand? Policies are not written for you, they’re written for employees.”

-Assessments:

“Don’t just run a scanner and run a report and think you’re done; a scanner is only as smart as the person running it. Don’t just blindly accept what consultants give you; challenge them and make sure that false positives are thrown out.”

“Don’t forget to assess vendors; because of the amount of data leaving your firm with them, it’s important to ensure that anyone touching your data is certified.”

-Encryption/obfuscation:

“Encryption is not always your friend; it is also a bad thing depending on how you use it. Encryption reduces your awareness and visibility; you don’t want to do it to the extent that you don’t know what’s going on. You want to encrypt intelligently.”

-Penalties for noncompliance:

“It invalidates everything you do if someone says they won’t follow the rules and nothing happens. There must be a top-down approach for people who violate process, and they need to be educated in a manner that they will understand going forward. Make sure that HR is fully on board too; the last thing you want to do is bring a case to HR and have them not want to move forward. You want to have those conversations ahead of time.”

The security expert, who previously worked as a managing security architect for the consultancy @Stake, also cited the most common enterprise data security failure points:

-Political infighting

-Use of “vanilla” programs in complex IT environments

-Assumptions that data will leave the firm and that you can’t do anything about it

Scharf’s recommendations for selecting data protection tools:

-Use common market tools to avoid complexity

-Use auditing tools to look for oddities

-Automate the vendor selection process

-Conduct sweeps for P2P programs

Stay tuned for more show coverage today!