Data Loss Prevention (DLP) Best Practices for PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was first released in late 2004 to ensure that merchants and service providers meet an accepted baseline of security when they transmit, process, and store cardholder data. PCI DSS 2.0 was released on October 28, 2010 to add clarity and flexibility to the standard and make it easier for merchants to implement.

No single technology satisfies all twelve PCI DSS requirements, but today's Data Loss Prevention (DLP) tools produce useful evidence for three of them: discovering cardholder data stored in the clear outside the defined cardholder data environment, detecting primary account numbers leaving over unencrypted channels, and providing ongoing monitoring as part of regular testing. Bear in mind that each requirement has sub-controls DLP does not cover; Requirement 11, for example, also calls for quarterly vulnerability scans, penetration testing and file-integrity monitoring, so DLP supplements those controls rather than replacing them. The three requirements DLP helps address are:

  • PCI DSS Requirement 3 – Protect stored cardholder data
  • PCI DSS Requirement 4 – Encrypt transmission of cardholder data across open, public networks
  • PCI DSS Requirement 11 – Regularly test security systems and processes

In this video Chris Leffel, Code Green Networks' Director of Product Management, discusses how organizations are using DLP tools to address the requirements above and comply with PCI DSS 2.0.

To find out how Code Green Networks' TrueDLP can help you comply with various industry and government regulations, visit our Web site: www.codegreennetworks.com



Posted in Data Leakage Prevention, Data Loss Prevention, DLP, PCI DSS 2.0, Video

Protecting Research Data for Healthcare Clients

Just this month, Gilmore Research launched its Healthcare Division, which uses a third-party auditor to assure compliance with HITECH regulations and is on track to meet the safeguards HIPAA requires of a "Covered Entity," a stricter bar than the "Business Associate" obligations most research providers carry. (Strictly speaking, whether an organization is a covered entity or a business associate is determined by the functions it performs, not by the controls it adopts; since HITECH, business associates are directly bound by the Security Rule's safeguards as well.)

The HIPAA Security Rule requires a covered entity to conduct a risk analysis and, for each "addressable" implementation specification, to document whether the measure is reasonable and appropriate for its environment and what it implemented instead if not. The standard groups its requirements into administrative safeguards, physical safeguards, technical safeguards and organizational requirements, together with policies, procedures and documentation.

With guidance from the third-party auditor on meeting these standards under the Health Insurance Portability and Accountability Act (HIPAA), Gilmore Research identified a need to further protect the extensive databases of highly sensitive PHI and PII it handles for clients, and turned to Code Green Networks' TrueDLP solution for data loss prevention.

"While we have long used industry-standard tools for IT security, our goal is to remain at the forefront of data protection procedures and policies. TrueDLP effectively protects the sensitive information within our many large databases from being deliberately or inadvertently exposed," noted John Cell, Senior Vice President and Director of Gilmore's Healthcare Division. "TrueDLP has a strong track record of detecting data that should not leave the organization. And it will discover sensitive data so that we can create more effective policies for managing that data."

To find out more about how Code Green Networks assists in demonstrating regulatory compliance with HIPAA and HITECH, visit our Web site: http://www.codegreennetworks.com/solutions/healthcare.htm

Posted in Data Loss Prevention, DLP, Healthcare, HIPAA, HITECH

The Data Loss Prevention (DLP) Challenge

In this video, Dan Udoutch, President and CEO of Code Green Networks, discusses the data loss prevention (DLP) market and his concern that organizations hesitate to move forward with DLP because they have not found a solution that is affordable, accurate and usable enough to deliver the value they expect.

Udoutch further encourages enterprises to run a five-day DLP Proof of Concept (POC) of Code Green Networks' TrueDLP against other providers' products, using the enterprise's live production data, to test the usability and accuracy of each system. One practical caveat: a POC fed live data exposes that data to the evaluation appliances and to vendor staff, so scope it under the same access agreements, data-handling rules and logging that govern the data itself, and expect it to surface real incidents that will need handling. To find out more about Udoutch's challenge visit: http://www.codegreennetworks.com/DLPchallenge/index.htm



Posted in Data Loss Prevention, DLP, Proof of Concept, Video

8 Steps for a Successful Data Loss Prevention (DLP) Implementation

Joe Peck, VP Marketing, Code Green Networks

1. IDENTIFY THE EXTENDED TEAM – Assemble the people who need to be involved internally when you discover data loss. In larger organizations, beyond the InfoSec team, that might include IT, Security, Compliance, HR, Legal and the CSO/CISO. Identify the individuals and meet with them to agree on which situations each of them must be involved in.

2. DEVELOP A BREACH NOTIFICATION PROCESS – Do you have a process ready if a breach of regulated data occurs? Who will be notified? Is your legal or compliance team ready to meet requirements such as state breach notification laws? Get your compliance people in the loop and have them write the process with you. Consider what you would have done if you were one of the companies whose customer data was lost in the Epsilon breach.

3. FIX BROKEN BUSINESS PROCESSES (E.G. AUTOMATED TRANSFERS) – Assume you will find broken business processes, such as automated file transfers to partners sent in clear text over the Internet instead of encrypted or over a private line. You will spend time getting these fixed, and the InfoSec team often needs an executive champion to get other parts of IT to drop what they are doing and make the changes. Arrange this ahead of time.

4. CREATE A PLAN FOR HANDLING INSIDER THEFT – Work with HR to establish a process for when you uncover insider theft. Give HR a heads-up and involve them in the roll-out. The insider may be at a senior level, so plan for that as well. At Code Green Networks we have seen executive-level data theft; do not assume anything.

5. ESTABLISH THE INCIDENT TEAM AND WORKFLOW – Map out your incident handling and resolution process as a flowchart. Who will be on the incident handling team? In larger organizations you might have a first-level reviewer (typical in large enterprises, responsible for making sure each incident is classified with the right severity), IT, Security, Compliance and HR. Identify the individuals from your extended team.

6. SET SLAs FOR INCIDENT RESOLUTION – Set goals to make sure incidents are handled in a timely manner. We have had customers establish SLAs such as:

  • First-level review of every incident within x hours
  • Resolution of every high-severity incident within y hours
  • Closure of every incident within z hours (one customer example: resolving incidents within 2 hours)

7. ESTABLISH REPORTING AND AUTOMATE – How are you going to track things? Decide which reports you need and who should receive them. Set up scheduled reports so that you know what is happening and whether your team is resolving incidents within your SLA goals. Reports for:

  • Incidents created
  • Incidents closed
  • Open incident status – by age, severity and owner
  • Incidents by type of data or by policy violated
  • Summary reports for your CSO or executives

8. PLAN ROLL-OUT STAGES – Plan your roll-out in stages rather than trying to boil the ocean.

  1. Select the data and policies to implement in each stage, e.g. first the customer billing database for PCI violations, then the next set of data and policies for state privacy regulations, then company IP data and policies.
  2. Roll out and test your policies in monitor-only mode to set a baseline, but be prepared for the baseline itself to reveal a significant breach. At Code Green Networks we have seen many DLP assessments and POCs uncover significant data loss and come to a screeching halt as the customer scrambles to figure out how to handle it. That is why we advise people to anticipate data loss and prepare for it in advance.
  3. Decide when the solution will notify end users and what you expect of them. Use this for user education about your policies on data handling. You can expect the number of incidents to drop as users are notified on each violation. Set up your reporting ahead of time so you can track the trend.

Implementing and maintaining a Data Loss Prevention solution should not be painful. Contact us for more information on how to successfully protect your organization's sensitive data, or request a test drive of Code Green Networks' TrueDLP solution.



Posted in Content-aware, Data Loss Prevention, DLP, Proof of Concept

How a Data Loss Prevention Solution Can Protect Donor Information

Keeping donor data private is a top request from many organizations, and a Data Loss Prevention (DLP) solution is a good fit for the problem. For many of our customers, donor data is among the first things they want to protect, usually because of the reputational harm a breach would cause.

To protect this information effectively, a DLP solution needs to tap into your database (by SQL query or file upload) to "register" or "fingerprint" your specific data, storing one-way hashes of the field values rather than the values themselves, and then support policies that detect those field values, typically in combination, in content leaving the organization. That way it can detect your donor data even though it has no easily recognizable format like a credit card number. Two things a practitioner should check: the fingerprint store has to be refreshed as the database changes, and hashes of low-entropy fields (ZIP codes, common surnames) can be reversed by dictionary, so the hash store needs the same access controls as the data it was derived from.

Gartner calls this "structured data fingerprinting" and considers it a core capability to look for in any Data Loss Prevention solution. Other analysts and vendors often refer to this expertise as "content awareness" and agree with Gartner that it is a requirement for any enterprise DLP solution; every vendor listed in Gartner's 2010 Magic Quadrant for Content-Aware DLP has this capability.

The differences among content-aware solutions lie in ease of use, how intuitive the policy setup is, and whether the vendor expects you to pay for professional services to get it implemented. A Proof of Concept (POC) can help you evaluate the effectiveness and ease of use of this feature, but many POCs never set up fingerprint-based detection at all, so make sure yours does.

At Code Green Networks we emphasize fingerprint-based detection policies over generic pattern matching, primarily for accuracy reasons. Check out our Web site for more information: http://www.codegreennetworks.com/products/products_fingerprinting.htm. If you are interested in setting up a POC to protect your donor database, contact info@codegreennetworks.com.
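As an added example (not Code Green Networks' code and not how TrueDLP is implemented), the Python below sketches both detection styles this post and the PCI post above contrast: generic pattern matching for card numbers (a 13-19 digit regex plus the Luhn check, the usual way to find PANs stored in the clear or leaving over an unencrypted channel) and structured data fingerprinting (a one-way hash of each normalized database cell, with a policy that fires only when two or more fields of the same record appear in the scanned content). The donor rows, messages and key are constructed for the example; using a keyed hash (HMAC) rather than a bare SHA-256 is an assumption added here so that an index copied off a sensor without its key cannot be reversed by dictionary on low-entropy fields such as ZIP codes.

```python
"""Added example (not Code Green Networks code): the two DLP detection
styles contrasted on this page, side by side.

  1. Generic pattern matching: a 13-19 digit regex plus the Luhn check.
  2. Structured data fingerprinting: keyed one-way hashes of normalized
     database cells, matched as combinations of fields from one record.

The donor rows, messages and key below are constructed for the example.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# ---------- 1. Pattern matching for card numbers ----------

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 checksum; card PANs satisfy it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# ---------- 2. Structured data fingerprinting ----------

# Constructed sample donor table (fictional people and addresses).
DONORS = [
    {"id": 1, "name": "Maria Okonkwo", "email": "maria.okonkwo@example.org", "zip": "02139"},
    {"id": 2, "name": "Tom Reyes", "email": "tom.reyes@example.net", "zip": "98104"},
]
FIELDS = ("name", "email", "zip")

# Assumption: a keyed hash so an index copied off a sensor without this key
# cannot be reversed by dictionary on low-entropy fields. Placeholder key.
FINGERPRINT_KEY = b"example-fingerprint-key-replace-me"


def normalize(value):
    """Case-fold and collapse whitespace so formatting differences do not defeat a match."""
    return " ".join(str(value).lower().split())


def fingerprint(value):
    """One-way keyed hash of a normalized cell; the sensor stores these, never the plaintext."""
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(rows, fields):
    """Map fingerprint -> {(row id, field name)} for every registered cell."""
    index = defaultdict(set)
    for row in rows:
        for field in fields:
            index[fingerprint(row[field])].add((row["id"], field))
    return index


def candidate_values(text, max_words=3):
    """Yield every run of 1..max_words tokens, with surrounding punctuation trimmed."""
    tokens = [t.strip(".,;:()[]<>\"'") for t in text.split()]
    tokens = [t for t in tokens if t]
    for n in range(1, max_words + 1):
        for i in range(len(tokens) - n + 1):
            yield " ".join(tokens[i:i + n])


def match_records(text, index, min_fields=2):
    """Return {row id: fields seen} for records with >= min_fields distinct fields in text.

    Requiring several fields of the same record is what keeps a lone ZIP code
    or a common first name from raising an incident.
    """
    seen = defaultdict(set)
    for cand in candidate_values(text):
        for row_id, field in index.get(fingerprint(cand), ()):
            seen[row_id].add(field)
    return {rid: fields for rid, fields in seen.items() if len(fields) >= min_fields}


DONOR_INDEX = build_index(DONORS, FIELDS)


def scan(text):
    """Run both detectors over one piece of content."""
    return {"pans": find_pans(text), "donor_records": match_records(text, DONOR_INDEX)}


if __name__ == "__main__":
    # Constructed messages: the first leaks a full donor record; the second only
    # shares a ZIP code and a first name from the table, but carries a test PAN.
    for msg in (
        "Forwarding the list: Maria Okonkwo (maria.okonkwo@example.org) in 02139 gave again.",
        "Meeting at the 02139 campus; tom will send notes. Card 4111 1111 1111 1111 on file.",
    ):
        print(scan(msg))
```

The first message trips the fingerprint policy on three fields of one record while the PAN regex stays quiet; the second carries a Luhn-valid card number but only a stray ZIP code and first name from the table, so the record policy does not fire. That asymmetry is the accuracy argument for fingerprinting: a regex fires on anything shaped like the data, while a fingerprint match is tied to the values actually registered.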


Posted in Content-aware, Data Loss Prevention, DLP, Fingerprinting, Proof of Concept