contractors are not aware of them. Addressing the threats and risk factors is critical to protecting data.

Figure 2 breaks down threats and risk factors by data type. Examples of each data type show what documents, repositories and media need to be protected. It is important that everyone in the enterprise understands this so that every person can be part of the solution, not the problem.
Intentional:
• Exposing or stealing data due to discontent
• Exposing or stealing data due to being blackmailed
• Printing and copying sensitive data
• Selling company data/information
• Having one’s own agenda during employment or when leaving the company (e.g., malicious intent, hacking, fraud)
• Breaching trust among developers
• Misusing or sharing passwords
• Using unauthorized programs on corporate computers
• Copying data to a remote personal computer (to support work effort)
Process

Poor oversight:
• Lacking governance on the use, retention and protection of data (to include government compliance and company policy violations)
• Leaving data unguarded (e.g., in an unsupervised office or area)
• Not assessing how sensitive data are shared with third parties
• Not implementing or enforcing least privilege for system and file access
• Responding insufficiently to physical intrusions or cyberintrusions
• Not conducting information risk assessments to determine the threats and business impacts of data exposure

Negligence:
• Categorizing sensitive data improperly
• Lacking or not properly defining a data retention policy
• Lacking data transmission procedures
• Lacking data usage monitoring
• Transmitting sensitive data unintentionally
• Not closing accounts after their expected use has expired (e.g., service accounts)
Technology

Unintentional:
• Loss or theft of an employee laptop or mobile device
• Data at rest stored without encryption (e.g., laptop, database, removable media)
• Obtaining or inheriting data from another system
• Having technical controls that do not measure or evaluate the level of attack persistence
• Exploitation of weaknesses in a database development environment
• Having unnecessary services on the computer that can be exploited
• Processing production data in the development environment

Tool limitation:
• Not performing regular software updates and patching (includes not only the operating system, but administrator tools and commercial-off-the-shelf [COTS] software)
• Remote access tools not being flexible enough to support the enterprise, thereby forcing employees to use thumb drives and personal computing devices
• Not using content-aware DLP tools (e.g., email tools that automatically perform data encryption)
• Faults in vendor products (software and/or hardware)

Intentional:
• Compromising IT protective measures
• Using digital cameras to capture images of printed or displayed data
• Management approval—Obtain support from top executives, system owners and stakeholders. This includes identifying and involving representatives from all departments to obtain buy-in.
• Data comprehension—Develop an understanding of the data. To accomplish this:
– Define the enterprise’s critical and sensitive data elements. Definitions should include exposure condition severity (i.e., low, medium and high).
– Determine the DLP requirements. This includes understanding where the data originate, the value of the data, where they reside, enterprise obligations for protecting the data, who is accessing them and where the data are going. It is important to be aware that there is strict regulatory legislation coming into force in the European Union (EU) (i.e., the General Data Protection Regulation [GDPR]),6 where a breach could cause a large fine or a portion of an enterprise’s annual revenue and may affect enterprises outside of the EU. Other countries have also implemented data protection and privacy legislation that readers may need to become familiar with (e.g., Australia’s Data Privacy Laws7 and the United Kingdom’s Data Protection Act).8 Additionally, in the United States, the state of California has expanded its privacy laws.9
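As an added example (not from the article or any DLP product), the data-element definitions with low/medium/high exposure severity from the data comprehension step, combined with the content-aware DLP check listed in Figure 2, can be expressed as a small outbound-message policy; the element names, detection patterns and the allow/encrypt/block mapping are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on the card-number pattern."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class DataElement:
    name: str
    severity: str                      # exposure condition: low, medium or high
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
# Constructed data-element definitions; the patterns are illustrative assumptions.
DATA_ELEMENTS = [
    DataElement("payment_card", "high", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
                lambda s: luhn_ok(re.sub(r"\D", "", s))),
    DataElement("us_ssn", "high", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    DataElement("project_code", "medium", re.compile(r"\bPRJ-\d{4}\b")),
    DataElement("employee_id", "low", re.compile(r"\bEMP\d{5}\b")),
]

def classify(text):
    """Return the highest exposure severity present and the matched element names."""
    found = [e for e in DATA_ELEMENTS
             if any(e.validator is None or e.validator(m.group(0))
                    for m in e.pattern.finditer(text))]
    if not found:
        return None, []
    worst = max(found, key=lambda e: SEVERITY_RANK[e.severity]).severity
    return worst, sorted(e.name for e in found)

def outbound_action(text, external):
    """Content-aware DLP decision: allow, encrypt automatically, or block."""
    severity, _ = classify(text)
    if severity in (None, "low"):
        return "allow"
    if severity == "medium" or not external:
        return "encrypt"
    return "block"                     # high-severity data leaving the enterprise
```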