BYOD, iOS and DLP

Rich Mogull over at Securosis has written a great set of posts detailing the different options for managing iOS devices in your environment and making sure they don’t become a source of data loss.

There is a whole spectrum of options available for securing enterprise data on iOS, depending on how much you want to manage the device and the data. ‘Spectrum’ isn’t quite the right word, though, because these options aren’t on a linear continuum – instead they fall into three major buckets:

- Options for unmanaged devices
- Options for partially managed devices
- Options for fully managed devices

Read the rest: iOS Data Security: Protecting Data on Unmanaged Devices

Posted in BYOD, DLP, iOS

Data Loss Prevention (DLP) Best Practices for PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was first released in late 2004 as a means to ensure that merchants meet accepted levels of security when they transmit, process, and store cardholder data. PCI DSS 2.0 was released on October 26, 2010 to provide greater clarity and flexibility in the standard, making it easier for merchants to implement.

Currently there is no single technology that can satisfy all of the requirements of PCI DSS 2.0; however, today’s Data Loss Prevention (DLP) tools can successfully address three of the Payment Application (PA) DSS requirements used to demonstrate PCI compliance:

  • PA-DSS Requirement #3 – Protect stored cardholder data
  • PA-DSS Requirement #4 – Encrypt transmission of cardholder data across open, public networks
  • PA-DSS Requirement #11 – Regularly test security systems and processes
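The content-aware detection behind Requirement #3 comes down to finding primary account numbers (PANs) in stored data without drowning in false positives. The following is an added illustration, not code from the post or from any Code Green Networks product: it scans a few constructed sample records for 13–19 digit candidates, keeps only those that pass the Luhn mod-10 check, and reports or redacts them with all but the last four digits masked. The sample records, the `SAMPLE_RECORDS` name and the regex are assumptions made for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Deliberately generous; the Luhn check
# below removes order numbers, timestamps and similar noise.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records (not real data): one Visa test number,
# one 16-digit order id that is not a card number, one Amex test number.
SAMPLE_RECORDS = [
    "2011-05-02 10:14 export.csv: name=J. Doe, card=4111 1111 1111 1111, exp=09/13",
    "2011-05-02 10:15 ticket #48213: customer order id 1234567890123456 shipped",
    "2011-05-02 10:16 mail to partner: amex 378282246310005 on file",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as PCI DSS masking requires for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _digits_of(match: "re.Match") -> str:
    return re.sub(r"[ -]", "", match.group(0))


def find_pans(text: str):
    """Return (masked_pan, offset) for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; leave other digit runs alone."""
    def _sub(m):
        digits = _digits_of(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_records(records):
    """Scan a list of records; return one finding dict per confirmed PAN."""
    findings = []
    for lineno, rec in enumerate(records, start=1):
        for masked, offset in find_pans(rec):
            findings.append({"line": lineno, "offset": offset, "pan": masked})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"line {f['line']} offset {f['offset']}: {f['pan']}")
    for rec in SAMPLE_RECORDS:
        print(redact(rec))
```

The order id on the second sample line is the point of the example: it matches the digit pattern but fails the checksum, so a policy built on the pattern alone would flag it while the Luhn-validated scan does not. Real products add issuer prefix tables and proximity keywords on top of this, which the example leaves out.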

In this video Chris Leffel, Code Green Network’s Director of Product Management, discusses how organizations are using DLP tools to address the requirements above and comply with PCI DSS 2.0.

To find out how Code Green Networks TrueDLP can help you comply with various industry and government regulations visit our Web site: www.codegreennetworks.com



Posted in Data Leakage Prevention, Data Loss Prevention, DLP, PCI DSS 2.0, Video

Protecting Research Data for Healthcare Clients

Just this month, Gilmore Research launched its Healthcare Division which uses a third party auditor to assure compliance with HITECH regulations and is on track to conform to the most stringent HIPAA designation of “Covered Entity,” differentiating it from research providers who merely have “Business Associate” status.

The “Covered Entity” security standards require that a covered entity conduct a risk assessment and document their determinations regarding whether the security measures apply to them. The standard requires several areas to be addressed: administrative safeguards, physical safeguards, technical safeguards and organizational requirements.

With guidance from a third party auditor, and in order to conform to these high standards within the Health Insurance Portability and Accountability Act (HIPAA), Gilmore Research identified the need to further protect the extensive databases of highly sensitive PHI and PII it handles for clients, so it turned to Code Green Networks’ TrueDLP solution for data loss prevention.

“While we have long used industry-standard tools for IT security, our goal is to remain at the forefront of data protection procedures and policies. TrueDLP effectively protects the sensitive information within our many, large databases from being deliberately or inadvertently exposed,” noted John Cell, Senior Vice President and Director of Gilmore’s Healthcare Division. “TrueDLP has a strong track record of detecting data that should not leave the organization. And it will discover sensitive data so that we can create more effective policies for managing that data.”

To find out more on how Code Green Networks assists in demonstrating regulatory compliance with HIPAA and HITECH visit our Web site, http://www.codegreennetworks.com/solutions/healthcare.htm

Posted in Data Loss Prevention, DLP, Healthcare, HIPAA, HITECH

The Data Loss Prevention (DLP) Challenge

In this video, Dan Udoutch, President and CEO of Code Green Networks, discusses the data loss prevention (DLP) market and his concern that organizations are hesitant to move forward with DLP because they haven’t found a solution that is affordable, accurate, and usable enough to deliver the value they expect.

Udoutch further encourages enterprises to organize a five-day DLP Proof of Concept (POC) of Code Green Networks’ TrueDLP against other providers, using the enterprise’s “live” production data, to test the usability and accuracy of the various systems. To find out more about Udoutch’s challenge visit: http://www.codegreennetworks.com/DLPchallenge/index.htm



Posted in Data Loss Prevention, DLP, Proof of Concept, Video

8 Steps for a Successful Data Loss Prevention (DLP) Implementation

Joe Peck, VP Marketing, Code Green Networks

1. IDENTIFY EXTENDED TEAM – Assemble those that should be involved internally when you identify data loss. In larger organizations, in addition to your InfoSec team, you might have: IT, Security, Compliance, HR, Legal, CSO/CISO. Identify the individuals and meet with them to work out what situations they will need to be involved in.

2. DEVELOP BREACH NOTIFICATION PROCESS – Do you have processes ready if a regulated data breach occurs? Who will be notified? Is your legal or compliance team ready to meet requirements such as breach notification laws? Get your compliance people in the loop and have them write the process with you. Consider what you would have done if you were one of the companies whose data was lost by Epsilon.

3. FIX BROKEN BUSINESS PROCESSES (E.G. AUTOMATED TRANSFERS) – Assume that you will find broken business processes, like automated file transfers to partners sent in clear text over the internet instead of encrypted or over a private line. You’ll spend time getting these fixed. Often the Info Security team needs a champion advocate to get other parts of IT to drop what they’re doing and get these changes made. Arrange this ahead of time.

4. CREATE PLAN FOR HANDLING INSIDER THEFT – Talk with HR to establish a process for when you uncover insider theft. Give HR a heads up and involve them in the roll-out. The insider may be at a senior level, so consider that as well. At Code Green Networks we’ve seen executive-level data theft; do not assume anything.

5. ESTABLISH THE INCIDENT TEAM AND WORKFLOW – Map out your incident handling and resolution process as a flowchart. Who will be on the incident handling team? In larger organizations you might have: a first-level reviewer (making sure the incident is properly classified with the right severity; typical in large enterprises), IT, Security, Compliance, HR. Identify the individuals in your extended team.

6. SET SLAs FOR INCIDENT RESOLUTION – Set goals for making sure incidents are handled in a timely manner. We’ve had folks establish SLAs for:

  • First level review of all incidents within x amount of time
  • Resolve all high severity incidents within y amount of time
  • Close all incidents within z amount of time (resolving incidents within 2 hours).

7. ESTABLISH REPORTING AND AUTOMATE – How are you going to track things? Decide what reports you’ll need to have and who should get them. Set up scheduled reports so that you know what is happening and that your team is resolving incidents within your SLA goals. Reports for:

  • Incidents Created
  • Incidents Closed
  • Open Incidents Status – by age, severity, owner
  • A report sorted by the type of data or by policy that was violated
  • Summary reports for your CSO or execs

8. PLAN ROLL-OUT STAGES – It’s important to plan your roll-out in stages rather than trying to boil the ocean.

  1. Select data and policies to be implemented in stages, e.g. first the customer billing database for PCI violations, then the next set of data and policies for state privacy regulations, then company IP data and policies.
  2. Roll out and test your policies in a monitor-only mode to set a baseline. But you have to be prepared for a significant breach to surface. At Code Green Networks we have seen many DLP assessments and POCs uncover significant data loss and come to a screeching halt as the customer scrambles to figure out how to handle it. That’s why we advise people to anticipate data loss and prepare for it in advance.
  3. Decide when you will have the solution notify end users and what you expect of them. Use this for user education about your policies on data handling. You can expect to see the number of incidents drop as users are notified on each violation. Set up your reporting ahead of time so you can track the change.
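Steps 6 and 7 above come together once the SLA targets and the reports are expressed over the incident queue itself. The following is an added example written for this post, not code from Code Green Networks or from any DLP product: it takes a handful of constructed incident records, checks them against the three SLA goals from step 6 (x = 4 hours for first-level review, y = 24 hours to resolve high-severity incidents, z = 72 hours to close everything; these values, the field names and the `NOW` timestamp are assumptions), and produces the open-incidents-by-age/severity/owner and by-policy counts from step 7.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed SLA goals for the example; the post leaves x, y and z to the reader.
SLA = {
    "first_review": timedelta(hours=4),   # x: first-level review of every incident
    "high_resolve": timedelta(hours=24),  # y: resolve high-severity incidents
    "close_all": timedelta(hours=72),     # z: close every incident
}

# Constructed incident records (not real data). None means "has not happened yet".
INCIDENTS = [
    {"id": 101, "severity": "high", "owner": "alice", "policy": "PCI",
     "created": "2011-05-02 09:00", "reviewed": "2011-05-02 10:30", "closed": "2011-05-02 20:00"},
    {"id": 102, "severity": "high", "owner": "bob", "policy": "PCI",
     "created": "2011-05-02 11:00", "reviewed": "2011-05-02 18:00", "closed": None},
    {"id": 103, "severity": "low", "owner": "alice", "policy": "PII",
     "created": "2011-05-01 08:00", "reviewed": "2011-05-01 09:00", "closed": "2011-05-03 10:00"},
    {"id": 104, "severity": "medium", "owner": "carol", "policy": "IP",
     "created": "2011-04-28 08:00", "reviewed": None, "closed": None},
]

# Fixed "current time" so the example is reproducible.
NOW = datetime(2011, 5, 3, 12, 0)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None


def elapsed(inc, milestone, now):
    """Time from creation to the milestone, or to `now` if it has not happened yet."""
    end = _ts(inc[milestone]) or now
    return end - _ts(inc["created"])


def sla_breaches(incidents, now, sla=SLA):
    """Return (incident id, SLA name) for every goal an incident has missed.

    An open incident counts as breached as soon as its age passes the target,
    so the report flags it before it is closed late, not only afterwards.
    """
    breaches = []
    for inc in incidents:
        if elapsed(inc, "reviewed", now) > sla["first_review"]:
            breaches.append((inc["id"], "first_review"))
        if inc["severity"] == "high" and elapsed(inc, "closed", now) > sla["high_resolve"]:
            breaches.append((inc["id"], "high_resolve"))
        if elapsed(inc, "closed", now) > sla["close_all"]:
            breaches.append((inc["id"], "close_all"))
    return breaches


def open_incidents(incidents, now):
    """Open incident status by age, severity and owner; oldest first."""
    rows = []
    for inc in incidents:
        if inc["closed"] is None:
            age_h = elapsed(inc, "closed", now).total_seconds() / 3600
            rows.append({"id": inc["id"], "age_hours": round(age_h, 1),
                         "severity": inc["severity"], "owner": inc["owner"]})
    return sorted(rows, key=lambda r: r["age_hours"], reverse=True)


def count_by(incidents, field):
    """Incident counts grouped by a field, e.g. the policy that was violated."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc[field]] += 1
    return dict(counts)


if __name__ == "__main__":
    for inc_id, goal in sla_breaches(INCIDENTS, NOW):
        print(f"incident {inc_id} missed SLA: {goal}")
    for row in open_incidents(INCIDENTS, NOW):
        print(row)
    print("by policy:", count_by(INCIDENTS, "policy"))
```

Scheduling this over the live queue is what turns the SLA goals into the reports step 7 asks for: the breach list is the first-level reviewer's worklist, the open-incident table is the status report by age, severity and owner, and `count_by` with `"policy"` or `"severity"` gives the summary view for the CSO.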

Implementing and maintaining a Data Loss Prevention solution should not be painful. Please contact us for more information on how to go about successfully protecting your organization’s sensitive data, or click here to take a test drive of the Code Green Networks TrueDLP solution.



Posted in Content-aware, Data Loss Prevention, DLP, Proof of Concept