REAL LEAKS INVOLVE PRIVILEGED STAFF – HOW TO PREVENT SENIOR AUTHORISED STAFF FROM STEALING INFORMATION?
Legislation such as the Personal Data Protection Act (PDPA), HIPAA and SOX, together with the adoption of industry standards such as ISO27001, COBIT and Basel II, has made the implementation of information security management systems mandatory within large corporations. However, as can be seen from a 2012 report on fraud cases in US financial services, such systems have largely been a failure.
- IT systems detected only 6% of fraud cases, with the majority found via audit processes.
- Over 70% of fraud cases involved insiders.
- Over 50% of those involved in fraud were VPs, managers or held supervisory roles.
- Stealing Personally Identifiable Information was the most common means of fraud.
The key reason for this failure is that protecting against insider threats is not an IT problem but a business problem. Solutions like Data Leakage Prevention (DLP) systems, which try to prevent unauthorised access to sensitive information, do not tackle the issue of fraud. What is required is an approach where the auditing of users with authorised access to sensitive information is central to the implementation of the system.
THE SOLUTION: INTEGRITY MANAGEMENT SYSTEM
e-Safe Compliance, developed by e-Safe Systems, is an Integrity Management System. It is built on the philosophy of “Educate, Trust And Verify”. e-Safe Compliance enables information owners and users to educate each other on what information is sensitive and the changing business needs regarding its use. e-Safe Compliance avoids operational overheads through trust, by making information owners responsible for protecting sensitive information through specification of document rights, and allowing users to override document rights when necessary. e-Safe Compliance enables information owners and auditors to verify that sensitive information is protected and not misused by monitoring its usage and highlighting potential issues.
e-Safe Compliance is the only system to protect against both insider and outsider threats:
- e-Safe Compliance ensures sensitive information is identified and protected by empowering the information owners themselves to classify sensitive information and create the necessary rule definitions, including document rights management. The creation of rules is audited centrally by the integrity department (or similar) to ensure coverage and avoid the creation of badly-defined rules.
- e-Safe Compliance monitors the usage and movement (file transfer, email, webpost, print, etc.) of sensitive information by all users.
- e-Safe Compliance presents sensitive information usage reports, with highlighted potential misuse, to the information owners as they are the best people to verify whether there is a data leak or not. To ensure that the information owners are not stealing sensitive information, the usage reports are centrally audited by the integrity department (or similar). This dual-reporting is an essential requirement to adhere to ISO27001 standards.
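The three points above describe a routing rule rather than a product feature: owners classify documents, every usage event is compared against those rights, flagged events go to the owner, and an owner's own flagged usage must also reach the central auditor. The following added example (illustrative code, not e-Safe Compliance's own implementation) models that rule over a constructed rights table and constructed usage events; the schema, user names and channel names are assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical schema, not the product's own format).
# Information owners declare who may use each document and over which channels.
DOC_RIGHTS = {
    "payroll.xlsx":  {"owner": "hr_head",  "users": {"hr_head", "hr_clerk"}, "channels": {"print"}},
    "customers.csv": {"owner": "sales_vp", "users": {"sales_vp", "rep1"},    "channels": {"email"}},
}

# Constructed usage events as a monitor would record them: (user, document, channel).
EVENTS = [
    ("hr_clerk", "payroll.xlsx",  "print"),          # within rights
    ("hr_clerk", "payroll.xlsx",  "email"),          # user overrode the channel rule
    ("sales_vp", "customers.csv", "webpost"),        # owner overrode their own rule
    ("rep1",     "customers.csv", "email"),          # within rights
    ("intern",   "payroll.xlsx",  "file_transfer"),  # no access right at all
]

def classify(event, rights):
    """Return None for normal usage, or a short reason why the event needs review."""
    user, doc, channel = event
    rule = rights[doc]
    if user not in rule["users"]:
        return "access by user without rights"
    if channel not in rule["channels"]:
        return f"rights override on channel '{channel}'"
    return None

def build_reports(events, rights):
    """Route every flagged event to the document owner; copy it to the central
    audit report whenever the actor is the owner, since owners cannot be the
    sole verifiers of their own usage (the dual-reporting requirement)."""
    owner_reports = defaultdict(list)
    audit_report = []
    for event in events:
        reason = classify(event, rights)
        if reason is None:
            continue
        user, doc, _ = event
        owner = rights[doc]["owner"]
        flagged = (*event, reason)
        owner_reports[owner].append(flagged)
        if user == owner:
            audit_report.append(flagged)
    return dict(owner_reports), audit_report

if __name__ == "__main__":
    owners, audit = build_reports(EVENTS, DOC_RIGHTS)
    for owner, items in owners.items():
        print(owner, items)
    print("central audit:", audit)
```

Only the audit branch for self-reviewing owners is shown; in practice the central auditor would also sample the full owner reports to check that badly-defined rules are not hiding misuse.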
A high-level diagram of the checks and balances within e-Safe Compliance is shown in figure 1 below.
Figure 1 – Decentralized Information Monitoring System (Security is everyone’s responsibility)