Group items tagged

Data classification is a cornerstone of good privacy & security management. If you can measure it, you can manage it, right? First you have to know where it is.

Why classify data? Classifying data can help make data more accessible (or less accessible) to the users in your environment who need it. For example, suppose the Human Resources department created a folder on the file server within their department called Litigation. In this folder they place files that are needed for any litigation the company is associated with. The permissions on the folder are configured so that HR employees can edit the contents of the folder and add documents. Senior management can read the documents in the litigation folder, and the HR manager can remove documents that are no longer needed. The question is, how is it determined that a document is no longer needed and how do we apply these criteria to existing files in such a way that minimizes user interaction with them? The new classification feature in Windows Server 2008 R2 makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information. Classification in Windows Server 2008 R2 consists of several elements: properties, rules, and a policy segment including reporting and file management. Properties are the fields that you wish to assign a value for, and the rules are the criteria that set these values. There are other methods of classification available as well, including applications and scripts. More detailed examination of the methods of configuring the File Classification Infrastructure will follow in a future post. For the above example, a rule would be used to label a set of files in the Litigation folder. Adding a label such as Litigation-Case Number X (where X is the number of the case) can allow easy organization of files for each litigation case. When the classification rule is run against the specified folder, all files meeting the rule conditions would be classified with an appropriate label. You could use an expiration date here, but doing that might require reclassification of files if the ex

The intersection of dr/bc, privacy & security should be preservation of business value.

What are the key elements of disaster recovery (DR) planning and design? While there's no one-size-fits-all solution, a data asset inventory that includes conducting a data classification project and assessing the potential risk for disaster from within your company will help you protect all of your data resources. In broad terms, you need to determine the recovery point objective (RPO) and recovery time objective (RTO) for different parts of the business and put together an effective data protection plan to achieve this. You should start by performing a business impact analysis.

One of the things that always surprised me while working with corporate information over the years is the lack of a data classification program in the majority of firms. Working with many well-known corporations around the world, I get to see the inner-workings of how IT is practiced.

One item I

Things to think about for auditors during a downturn

As IT environments are becoming more complex, enterprises are relying on them more than ever before, said Michael Juergens, principle at Deliotte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate this risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En

A former Goldman Sachs computer programer accused of stealing secret trading codes from the investment bank was being held in federal custody on Monday, pending the posting of $750,000 bail. Sergey Aleynikov, 39, was ordered by U.S. Magistrate Kevin Nathaniel Fox in Manhattan on Saturday to post a $750,000 personal recognizance bond to be secured by three financially responsible people, according to court documents. The bond also was to include $75,000 in cash, and Aleynikov was ordered to surrender his passport and not to access the computer data at issue in the case. A preliminary hearing in his case was scheduled for August 3. Aleynikov, a Russian immigrant living in New Jersey, was arrested on Friday night by FBI agents as he got off a flight at Newark Liberty International Airport, according to court documents. He is accused of "theft of trade secrets" related to computer codes used for sophisticated automated stock and commodities trading at an unspecified, New York-based financial institution, according to the court affidavit filed by FBI special agent Michael McSwain. Sources familiar with the situation have told Reuters columnist Matthew Goldstein that the financial institution is Goldman Sachs. A Goldman representative declined to comment on Monday. A lawyer for Aleynikov, Sabrina Shroff, also declined to comment.