
Data leaks a people problem not a technical one

By , Network World
September 11, 2008 03:10 PM ET

Network World - Data-leak prevention that lets organizations monitor for unauthorized transmission of sensitive content is a powerful technology sometimes put to surprising uses. And those with DLP experience say the biggest challenges lie with people and their online habits rather than technology.

DLP technology, at the gateway or host level, is not difficult or time-consuming to deploy, according to IT managers gaining experience with it in business, government and school systems. Rather, DLP is a game-changer that creates an atmosphere where network users may be caught committing various types of data violations, inadvertent or not. The IT department, though first to know, can’t end up as the enforcement arm, experts say. Management of it comes from human resources and the legal department, and they have to be deeply involved to play the DLP police role. It all starts with creating the DLP policy.

“One of the lessons learned is get your policy in place first,” says Charles Thompson, chief information officer for the city of Phoenix, which is installing Fidelis Security Systems' DLP product, XPS, to prevent unauthorized transmissions related to city business.

Thompson can be counted as a DLP veteran after previously installing DLP in the Washington, D.C. and Orange County, Florida school systems. He says years ago he quickly learned that turning on a DLP system for content monitoring without a clear policy in place, which management understands and supports, is a misstep others would do well to avoid.

“You need the personnel department, human resources, legal and management involved,” says Thompson, adding that it must be clear that they are to play a unified enforcement role when DLP catches policy violations.

It turns out that while DLP technology is fairly simple to deploy, settling on the policies and procedures to follow in the event of violations is not.

“There will have to be a lot of discussions about procedures, about what I call the ‘scope of sequence,’” says Thompson. That means a clear definition of what a violation is, how different sorts of violations should be handled since all may not be equal in scope, and keeping track of repeat offenses.

In the Washington, D.C., and Florida school systems, schools not only watched out for prohibited sensitive content, such as student records as a privacy violation, or banned content like pornography or music; DLP also looked for evidence of cyberbullying using school-issued computers. “Cyberbullying is one child threatening another, whether it’s physical or mental abuse,” says Thompson.

It turns out defining sensitive content is one of the hardest parts of DLP.

New York City-based Metropolitan Life Insurance Company (MetLife) is working on a DLP policy even as it evaluates three DLP products from Verdasys, Websense and Symantec.

According to Laz Montano, assistant vice president for information security at MetLife, the insurance company plans to deploy DLP as one means to ensure customer information doesn’t leak out across the Internet. But another driving factor is that business managers and executives are clamoring to be given much wider access to the Web than in the past.
