Defining the confidential and critical information, the risks to each type of information, and the value to the organization allows ILP planners to focus on mission-critical assets first. In short, a data protection plan follows the same steps that an organization would take when developing a business continuity plan -- only the focus is different. In a business continuity or disaster recovery plan, the focus is on the infrastructure and processes, and what it takes to make a company’s mission-critical tasks operational again. A data protection policy, by contrast, is information-centric.
Information is power
Next, information stores and communication channels must be defined. IT must know where all the critical data is stored and how it’s communicated between hosts. Consider client computers, file servers, e-mail servers, print servers, and database servers. Information is often transmitted using HTTP and e-mail, but don’t forget instant-messaging channels or removable media such as DVDs, CD-ROMs, and USB flash drives.
Also consider third parties if they store or have access to your data. Negotiating the right to inspect and audit their controls on a periodic basis can go a long way toward reducing risk. It’s wise to include a clause in your contract that they forfeit the job the minute they fail to ensure adequate controls.
After you’ve hypothesized where the information is, find it and monitor it. Several vendors make tools that look for confidential information. Some scan server and workstation hard drives looking for telltale signs of protected data: content matching a predefined data format such as XXX-XX-XXXX would be recognized as a Social Security number and trigger the proper alerts. Others do the same while listening on network connections.
PortAuthority, which was recently acquired by Websense, sells software called Precise ID. The software uses multiple detection methods to identify and classify structured or unstructured data, including rules, dictionaries, keywords, threshold counts, categories, lexicons, statistical analysis, and content-matching. It recognizes more than 370 file formats, including popular archival types such as .zip. Searches can be made on storage media (what PortAuthority calls “data at rest”) or while the data is in use.
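The format-based detection described above, combined with a threshold count, as an added example (not code from this article or from any vendor's product): it matches the XXX-XX-XXXX layout, applies the Social Security Administration's structural rules (no area 000, 666 or 900-999; no group 00; no serial 0000) to cut false positives, and reports a file only when it holds enough hits. The function names, the default threshold of 2 and the sample data are assumptions made for illustration.

```python
import re
from pathlib import Path

# XXX-XX-XXXX layout; lookarounds reject matches inside longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules: these values are never assigned."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_value) for each plausible SSN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                # Mask all but the last four digits so the alert does not leak the value.
                hits.append((lineno, "XXX-XX-" + m.group(3)))
    return hits

def scan_tree(root: str, threshold: int = 2, max_bytes: int = 5_000_000) -> dict:
    """Scan data at rest; report files with at least `threshold` hits (assumed default)."""
    report = {}
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_bytes:
                continue
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: a production scanner would log this
        hits = scan_text(text)
        if len(hits) >= threshold:
            report[str(path)] = hits
    return report

# Constructed sample input; the names and numbers are made up for this example.
SAMPLE = """\
name,ssn,note
Alice Example,123-45-6789,payroll
Bob Example,000-12-3456,invalid area
Carol Example,987-65-4321,invalid area (9xx)
Tracking 9123-45-67890 is not an SSN
Dave Example,234-56-7890,payroll
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Only plain-text content is read here; archives and binary document formats would need format-specific extraction before the same matcher could be applied.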
Evaluate your options
Preventing data leaks requires a multipronged approach. Although no single product can do it all, many companies are buying ILP-specific technologies, such as those found in PortAuthority Technologies’ product line.
Roger A. Grimes is contributing editor of the InfoWorld Test Center. Richard Gincel is an associate editor at InfoWorld.