RSA’s best practices for preventing enterprise data loss

According to U.S. government estimates, incidents of enterprise data loss cost businesses more than $100 billion in a single year. As threats to enterprise data grow more sophisticated, it's imperative for businesses to implement a comprehensive data security strategy. But where to start? RSA, The Security Division of EMC, provides us with these best practices for preventing enterprise data loss.

According to U.S. government estimates, incidents of enterprise data loss cost businesses more than $100 billion in a single year. As threats to enterprise data grow more sophisticated, it's imperative for businesses to implement a comprehensive data security strategy. But where to start?

If your organization is looking for ways to prevent data loss, you can benefit from these best practices provided by RSA, The Security Division of EMC. This advice is excerpted from RSA's white paper, Best Practices for Preventing Enterprise Data Loss and is based on RSA's 25 years of experience in the security industry.

10 woeful tales of data gone missing

1. Understand what data is most sensitive to your business. Not all data within an organization is of equal importance where security is concerned. Classifying your data to ensure that you apply the right level of resources to protect what is most important is the first step.

RSA advises you start by understanding the regulatory and non-regulatory security drivers within your organization. For example, one department might be driven to protect its data in order to comply with the Sarbanes-Oxley Act, while another department must observe the PCI security mandate. Non-regulatory drivers such as corporate policy are important too. For instance, every company wants to protect its intellectual property.

Prioritize your data by grouping it into classes such as restricted, sensitive and non-sensitive. Then determine the data categories, elements and owners for each class of information. According to RSA, you should determine which elements of the information are most critical and which department or business unit owns this data. And last but not least, after classifying the data, you should define the policies for appropriate handling of the data, such as who has authorized access, and how, when and from where they are allowed to access it.

2. Know where your most sensitive data resides. This directive isn't as obvious as it seems. While important data may start in a database, it is often extracted and downloaded to other applications where it may be stored on PCs, e-mailed to other people, and stored on SharePoints or local servers. What's more, the data gets copied off to backup systems for the database as well as these ancillary applications.

RSA recommends you undertake a continuous and complete data discovery process in order to create a map of your critical and sensitive data. This map serves as the foundation for your security policy and control strategy.

3. Understand the nature and origin of your risks. Now that you know where your critical and sensitive data resides and how it is being used, it's time to assess how your data could be compromised or stolen, and how the company would be harmed if this was to happen. Consider the risks both inside and outside your organization, such as lost or stolen media; privileged user breach; unintentional distribution; application hack; and physical theft or loss.

A Forrester Consulting study commissioned by RSA shows that the biggest challenges to data security today and in the future stem from greater demands for mobile employee data access, collaboration and partner data exchange.

4. Select the appropriate controls based on policy, risk and where sensitive data resides. Your control strategy will include both processes and technology. The physical control strategy is comprised of two components: the control mechanisms, or types of controls; and the control points, or where in the infrastructure the controls are placed.

A comprehensive control strategy includes:

* Access controls related to both authentication and authorization.

* Data controls placed on the data itself, such as encryption or enterprise rights management.

* Audit controls, which provide feedback to help ensure the policies and controls are working as they should

According to RSA, many companies are focusing on implementing data controls due to the increasing number of data breaches and growing regulatory scrutiny of data privacy issues.

5. Manage security centrally. RSA advises that centralizing the administration of security policies ensures that control points consistently enforce security rules and makes proactive monitoring of activity that could result in a security violation easier to automate.

6. Audit security to constantly improve. Once your security program is in place, you'll need a feedback mechanism to assess the effectiveness of controls and compliance with policy. RSA recommends a Security Information and Event Management (SIEM) system that automatically collects, manages and analyzes the event logs from your security systems, networking devices, operating systems, applications and storage platforms throughout your organization. A SIEM enables you to correlate events in your data control systems and act on them real-time.

To get more detail about these best practices, please read RSA's publication Best Practices for Preventing Enterprise Data Loss.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

IT Salary Survey: The results are in