Security Basics mailing list archives

RE: When , where, how?


From: "Mark Brunner" <kohi10 () rogers com>
Date: Thu, 26 May 2011 16:37:55 -0400

Dude,

In my opinion, EVERY business needs a DLP strategy and solution.  It can be
homegrown, it can be freeware, it can be commercial.  You are talking about
identifying and protecting critical, private and confidential data from
being stolen.  That is a no-brainer, and is at the very heart of information
security.  If you are not taking steps to protect that information, you are
doomed.

The need depends on the connectivity available and the technology used, not
location, culture, or even legislation.  Survival is the driver, or soon
will be.  If your company connects to the Internet to share and collect
email, you need a DLP solution that manages that connectivity.  If your
company uses Instant Messaging, you need a DLP solution that handles that.
If you provide FTP services, you need to address that.  Whatever methods and
services the company uses to connect and share information with others need
to be considered and addressed.  Addressing them may entail stopping their
use, monitoring and reporting their use, restricting their use through
policy and monitoring, filtering with technology, or other means.

How to implement the solution?  Well, to answer that would take a book.  Or
several, because not every solution is the same, and not every
implementation is the same.  Best advice that I can offer for implementation
would be stage it.  Do it in phases.  Pilot it first with a medium-sized
group, and put it into monitoring-only mode. This will aid in identifying
your baseline, what is "normal", and what is in need of investigation.  Like
an IDS/IPS solution, this is a disruptive technology that is _initially_
prone to error, both false-positive and false-negative.  It will need to be
tuned and maintained regularly.  Once you understand what is being sent,
where, and by whom, you can start modifying the rule-set and tightening up
your classifications.

Gaining buy-in, identifying data owners, working with other departments,
that is what a good consultant does as part of your project.  That sort of
intel never comes free, and if it does, it is suspect.  In this economic
climate, you need to support your local businesses, and start bringing in
the expertise that you don’t have.  Make certain that Knowledge Transfer is
written into the engagement contract, and DON'T let the PM or Consultant
nibble away at the time allotted to this part.  It is how you will learn to
tweak, adjust and manage the new infrastructure devices that you will be
introducing to the environment.

Just my 2¢, collect the whole dollar!

Mark B
Information Security Manager & IT Consultant 
Greater Toronto Area, Ontario Canada
My Blog  http://kohi10.wordpress.com/



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of a bv
Sent: Thursday, May 26, 2011 3:18 AM
To: security-basics () securityfocus com
Subject: DLP: When , where, how?

Hi,

I would like to have your opinion about when/which organizations need
a DLP solution? How does the need depend on an organization's work area,
country, region or culture? How to implement the solution and handle
the data classification and cooperate with data owners, business departments.

Regards
