Implementing DLP: requirements of legislation and regulators for information security systems

10/08/2018, Mon, 10:49, Moscow time

A full-fledged hybrid DLP system provides reliable protection against data leaks and monitoring of network traffic across a wide range of transmission channels. These capabilities rest on the effective use of the strengths of network-centric and endpoint DLP architectures in the different scenarios and settings that require control over data flows.

For most DLP systems on the Russian market, the starting component is a traffic interception server, which usually operates in passive mode. Such systems almost always also have an endpoint agent for the most important tasks that cannot be solved by traffic control at the gateway: control of devices and of various web services and protocols. However, the presence of an agent is not yet a sign of a full-fledged hybrid DLP, but rather a split of the various control functions across different components.

The key task of the server-side DLP component, which intercepts the organization's network traffic as a whole, is to control the use of network data transmission channels from inside the corporate perimeter, including the collection of an evidence base for information security incidents. At the same time, the endpoint agents of a hybrid DLP solution are tasked with controlling removable storage, local channels, and third-party applications with proprietary encryption. For these tasks, content filtering is applied in real time across all potential leak channels, which is what the full-featured agents of DLP systems provide.

The first hybrid DLP solution on the Russian market is the updated version of DeviceLock DLP 8.3, supplemented with the DeviceLock EtherSensor server module. A hybrid DLP system effectively solves a number of problems facing information security services: monitoring network traffic from computers and mobile devices on which, for technical reasons, a DLP agent cannot be installed or operated; and meeting the requirement for differentiated control of the same services and protocols at different levels on employees' workstations. Automatic switching between different combinations of DLP policies for controlling network traffic in the DeviceLock DLP agent, depending on the presence of a connection to the corporate network and/or corporate servers, allows extremely flexible control of users. For example, when the agent detects that a laptop is in the office, control of devices, printers, and especially critical network applications and services is retained, including content filtering in real time, while inspection of the other network protocols and services is delegated to the EtherSensor module. A single database of event logs and shadow copies, filled with data intercepted from network traffic and with the results of monitoring network communications and devices on workstations, makes it possible to handle information security incidents across the widest range of potential leak channels.

Typical scenarios

Let's look at a number of typical scenarios for using DeviceLock DLP as a hybrid DLP system. The first covers the case where full control of network traffic and blocking of data transmission on the workstation is impossible or unnecessary. This situation arises with guest computers and mobile devices in the corporate environment, as well as with workstations running Linux and macOS. In addition, interception and analysis of network communications directly on workstations may be impossible or excessively resource-intensive on workstations with weak computing resources. The highest level of network traffic monitoring in this scenario is provided by interception and analysis of traffic at the network level: listening to traffic from mirror ports of switches, integration with NGFW devices and proxy servers, and other methods that do not require installing an agent on workstations, which is exactly what the EtherSensor server does. DLP control of peripheral devices and ports on workstations is handled by the DeviceLock agent (on Windows and macOS), and the DeviceLock Enterprise Server database collects, for centralized analysis, data both from EtherSensor on network traffic objects and from DeviceLock agents on device control.

A single database of event logs and shadow copies, filled with data intercepted from network traffic and with the results of monitoring network communications and devices on workstations, makes it possible to identify information security incidents across the widest range of potential leak channels.

Another typical scenario is monitoring network communications when blocking data transmission over the network is unacceptable. In some organizations, control of network traffic is limited to logging and analysis of archived data for a number of reasons. For example, the IS service may lack the resources to implement full-fledged DLP control with blocking of restricted data; management may consider passive control sufficient given the restrictions on network communications already introduced at the perimeter level; or management may fear the risk of disrupting business processes that involve information exchange. This is also the case when the organization does not assess data leak risks as critical for the business, or when it is not possible to classify confidential data or define criteria for detecting restricted data in order to apply content filtering and block the leak of such data.

In this scenario, using DeviceLock DLP, an organization that has no traditional enterprise-level DLP system can effectively monitor and analyze traffic even at large volumes (up to the traffic of hundreds of thousands of employees) with a low cost of ownership and operation and modest hardware requirements. The solution in this scenario is very similar to the previous one, with the difference that later a need may arise to block unacceptable attempts to transmit restricted data, once the criteria for detecting confidential data and the possibility of using content filtering become clear. In that case this scenario turns into another variant: the deployment of a full-fledged hybrid DLP system for a certain set of employees, departments, or the entire organization.

Complex scenarios

Further development of the logic of combining the capabilities of DeviceLock agents and EtherSensor servers leads to more complex, and at the same time more effective, scenarios for preventing leaks of confidential data.

The next scenario involves differentiated control of network communications depending on the current state of the connection to the corporate network (presence of a local network connection, availability of the domain controller, availability of the DLP server), since that state changes the level of risk of access to corporate information. Such tasks require a flexible approach to protecting information against leaks. Automatic switching between different combinations of DLP policies for controlling network traffic (different sets of rules and control parameters) in the DeviceLock DLP agent, depending on the presence of a connection to the corporate network and/or corporate servers, allows extremely flexible, differentiated control of users' network communications. For example, when the agent detects that a laptop is in the office, control of especially critical network applications and services is retained, including content filtering in real time to prevent leaks of confidential information, while inspection of the other protocols and services is delegated to the EtherSensor module. When the DeviceLock agent switches to offline mode on the protected workstation, the policy is automatically switched to the maximum required level of control of network communications, taking into account that the workstation's outgoing traffic may be unavailable to the EtherSensor server.

As a result of differentiated control with automatic switching between online and offline modes in the DeviceLock agent, combined with traffic monitoring on the EtherSensor server, complete control of network communications is achieved regardless of the location and method of Internet connection of the controlled computers. This approach is especially productive for controlling mobile devices, such as laptops used both on the road and in the office.

An even more effective scenario is selective control of network communications. Thanks to the advanced functionality of the endpoint agent and the server-side traffic interception technology, the full range of capabilities of the hybrid system is realized. This is the most sophisticated scenario for controlling network communications available today.

In this scenario, the most critical network components that are considered potential channels for leaking confidential data (for example, instant messengers with file transfer), as well as local ports and devices, are controlled by the DeviceLock agent. In real-time mode, the agent analyzes the content of restricted data being transferred (on the agent itself, "in the middle"). Based on the results, a decision is made on whether the transfer is allowed, a shadow copy is saved for incident investigation, or an immediate alarm notification is sent about the triggering of a DLP rule. Control of other network communications that are considered to pose a lower level of leak risk (where monitoring and analysis of transmitted data is sufficient for the organization's information security, say, for web surfing and the use of search services) is assigned to the EtherSensor server through interception and analysis of network traffic at the perimeter. In short, this model of network traffic control can be described as "monitor all traffic (EtherSensor) + selectively block unacceptable transfers (DeviceLock DLP agent)." Importantly, the policies for allowing or blocking any network protocols and services, in both contextual and content-based rules, can be changed and applied by the IS service at any time, without restarting workstations and without user involvement.

This scenario achieves a clear balance of capabilities and risks: the risks associated with blocking are delegated to the agents on the protected computers, while the task of monitoring traffic and detecting violations across the whole organization is entrusted to the EtherSensor server.

Complex in appearance, but easy to implement: the most flexible scenario of a modern hybrid DLP system is one in which control (monitoring and blocking of data transmission) is distributed between the agent and the server of the DeviceLock DLP system selectively for individual users and user groups, or for individual computers and groups of computers.

In this option, full-featured DeviceLock agents are installed directly on the protected workstations, with all DLP functions (access control, logging, alarm notifications) enabled only for certain users and user groups. The network activity of users and groups that need free access to various network communication channels to perform their business tasks is monitored by the EtherSensor server through interception and analysis of network traffic at the perimeter.

This scenario is also extremely productive for controlling so-called risk groups: special sets of policies are created on DeviceLock agents for DLP control of particular accounts, and the switch to the applied policy is performed in real time by adding such users to the user group that corresponds to one or another risk group.

In any scenario, the simultaneous use of the DeviceLock EtherSensor server module together with the DeviceLock DLP complex and its endpoint components gives the hybrid DLP system the unique ability to create multiple DLP policies with different levels of control and response to events. Using two different DLP architectures (network and agent) at the same time to control network traffic significantly increases the reliability of control and the detection of information leaks.

Sergey Vakhonin, Director of Solutions, DeviceLock, Inc.

It is easy to install a DLP system, but configuring it so that it begins to bring real benefit is not so easy. Currently, when implementing systems for monitoring and controlling information flows (my interpretation of the term DLP), one of the following approaches is most often used:

  1. Classic. With this approach, the company has already identified its critical information and defined the rules for handling it, and the DLP system only has to control compliance with those rules.
  2. Analytical. Here the company has a general understanding that the spread of critical information (including confidential information) needs to be controlled, but the specific information to protect and the required scope of control have not yet been determined. The DLP system therefore acts as a tool that collects the necessary data, the analysis of which allows the information handling rules to be formulated clearly, after which the system is configured more precisely.

I will briefly outline the implementation steps that are typical for each approach.

Classic approach to implementing DLP:

  1. Identify the main business processes and analyze them. The output should be the document "List of controlled information" (sometimes a broader list is needed; for example, you may want to control and reject profanity in e-mail) and the working document "Information flows of the organization". Understanding who owns this or that information is necessary in order to quickly determine the rules for using it.
  2. Identify the main information media and transmission methods. It is necessary to understand on which media the controlled information can circulate within the organization's IT infrastructure. Good practice here is to develop working documents such as "List of information media" and "List of possible information leak channels".
  3. Define the rules for access to information and services. Often such rules are formulated in other policies, for example in the documents "E-mail usage policy", "Internet usage policy" and others. However, it is easier to develop a single "Acceptable use policy". It should state the rules for the following areas: work with e-mail and the Internet, use of removable media, use of workstations and laptops, processing information on personal devices (PDAs, smartphones, tablets, etc.), use of copying and printing equipment and data storage, communication in social networks and blogs, use of instant messaging services, and handling of information on hard copy (paper).
  4. Familiarize employees with the rules for access to information and services defined above.
  5. Design the DLP system. From the technical design point of view, I recommend developing as a minimum a "Technical specification" and a "Test program and methodology". Additional documents are also needed: one that describes in detail how the system filters information and responds to incidents, and one that fixes the roles and responsibilities for operating the DLP system.
  6. Install and configure the DLP system and put it into trial operation. The best way to start is in monitoring mode.
  7. Conduct training for the personnel responsible for administering and operating the DLP system. At this stage you need to develop a set of role-based instructions for DLP (administration and security).
  8. Analyze the results of trial operation, make corrections (as needed), and put the system into production operation.
  9. Regularly analyze incidents and refine the DLP policy settings.

Analytical approach to implementing DLP:

  1. Design the DLP system. At this stage a simple "Technical specification" and "Test program and methodology" will suffice.
  2. Configure minimal DLP policies. The task here is not to monitor or block any particular activity, but to collect analytical information about the channels and methods used to transmit this or that corporate information.
  3. Conduct training for the personnel responsible for administering and operating the DLP system. Standard vendor instructions can be used here.
  4. Install and configure the DLP system and put it into trial operation (in monitoring mode).
  5. Analyze the results of trial operation. The task is to identify and analyze the main information flows.
  6. Make changes to (or develop) the main documents that regulate the monitoring and control of information, and familiarize employees with them: the documents "List of confidential information" and "Acceptable use policy".
  7. Make changes to the DLP configuration, define the procedure for administering and operating the DLP system, and put it into production operation. Develop the documents "Corporate standard with DLP policy settings", "Regulation on the division of roles for administering and operating DLP", and "Set of role-based instructions for DLP".
  8. Make changes to (or, if necessary, develop) the incident management procedure (or its equivalent).
  9. Regularly analyze incidents and refine the DLP policy settings.

The approaches differ, but both are entirely suitable for implementing DLP systems. I hope the information provided gives you new ideas on how to protect information from leaks.

Going by the name of the product class, it is still widely believed that DLP systems are intended only for protection against information leaks. This mistake is made by those who have not yet discovered the full potential of such solutions. Modern systems are equipped with complex analytical tools with which specialists of the IT department, information and economic security, internal control, HR and other structural units can solve a great many tasks.

TEN TASKS

Within the framework of this article, we will not consider the top-level business tasks, which the COBIT5 methodology derives from the alignment of business and IT goals: benefits realization, resource optimization (including costs), and risk optimization. We will go one level down and look at specific applied tasks, highlighting those that modern DLP systems can help solve.

I. Exposing dishonest employees:

  • identification of leaks of protected information;
  • identification of economic crimes;
  • recording of unethical behavior;
  • archiving and incident management.

II. Reducing risks and raising the overall level of information security:

  • blocking of all and/or certain channels of information transmission;
  • identification of systematic violations of the adopted security policy by employees.

III. Ensuring compliance with legal and other requirements:

  • categorization of information;
  • compliance with regulators' requirements and support of various standards and best practices.

IV. Analysis and improvement of process efficiency:

  • forecasting and identification of possible problems with employees;
  • analysis of data flows and stored information.

A STRANGER AMONG ONE'S OWN

Exposing dishonest employees allows the necessary management decisions to be made in time (including lawfully parting with such people). For this it is necessary to identify the fact of the violation, interpret and classify it correctly, and preserve the evidence.

Identifying leaks of protected information to illegitimate recipients is the most popular function of DLP systems. Make sure the system is configured to detect data constituting a commercial secret, personal data, credit card numbers and other confidential information (depending on the specifics of the particular organization).

According to the data of the InfoWatch analytical center, personal data leaks most often, and information constituting a commercial secret comes second (see Figure 1).

Depending on the specific solution, DLP systems can monitor and analyze the following main channels of information transmission: e-mail, data transmission over the Internet (social networks and forums, file sharing services and cloud services, web access to e-mail and others), copying to external media, and printing of documents.

Identifying economic crimes is not the main task of DLP systems. Nevertheless, analysis of correspondence often reveals preparation for, or the fact of, illegal actions. In this way it is possible to uncover discussed "fraud" schemes and other unauthorized negotiations conducted on behalf of the company.

In addition, blank forms with stamps and signatures sent to someone may also indicate possible preparation for document forgery. But DLP systems should not be relied on as a panacea; preparation for such crimes is difficult to detect.

Recording unethical behavior is done by analyzing employees' correspondence among themselves and with external parties. Modern DLP systems make it possible to identify aggressive and destructive behavior, for example bullying and calls for sabotage, "psychological terror", "trolling", threats and insults. Recently one of my colleagues managed to detect a potential crime: the DLP system found in the correspondence of two employees a message about a way to inflict bodily harm on a third employee.

Archiving and systematization of all information messages is necessary for further investigation of incidents and for ensuring the legal significance of evidence. It is not enough to detect incidents; the data must also be preserved and a convenient mechanism for analyzing it provided.

“SEALING” CHANNELS

Reducing the risk of leaks of protected information is achieved by permanent control and blocking of leak channels, as well as by timely identification of employees who violate the security policy.

Research by the Ponemon Institute (the report "Is Your Company Ready For A Big Data Breach?") showed that over the past two years a third of the surveyed companies recorded leaks of more than 1000 records of confidential information: 48% of these companies experienced a leak once, 27% twice, 16% up to five times, and 9% recorded more than five leaks. This speaks to the relevance of these threats.

Blocking all and/or certain channels of information transmission can significantly reduce the risk of leaks. There are several approaches to this: blocking I/O ports, blocking access to certain categories of sites (file sharing, e-mail) and/or analyzing the content of transmitted messages and blocking the transmission.

In some cases, DLP systems can help identify systematic violations of the adopted security policy: transfer of information to third parties in clear (unencrypted) form, transfer of documents without the required signatures or stamps, and periodic sending of e-mails to third-party addressees.

Strictly by the book

Fulfilling the requirements of regulators and/or the recommendations of best practices may relate to the tasks of the first and second groups, but it is considered separately.

Automated categorization of information is an additional capability provided by some DLP systems. How does it work? The DLP system scans workstations and servers to find files of various types and, using various analysis technologies, decides which category a document belongs to.

This capability can be very useful, since, to our knowledge, only a small proportion of companies mark confidential information, without which it is impossible to understand which documents are confidential and which are not.

The use of DLP systems helps to fulfil the requirements of regulators (for example, FSTEC of Russia Orders No. 21 and No. 17, and Bank of Russia Regulation No. 382-P) and best practices (GOST/ISO 27001, STO BR IBBS, COBIT5, ITIL). DLP systems assist in categorizing information, segregating data storage, managing incidents, monitoring transmitted information, and other tasks.

WHAT IS WORTH IT, AND WHY?

DLP systems can be used to analyze data flows and stored information: for example, to identify restricted information stored in unauthorized places, to check whether e-mail is being used as a file store, and so on. They reveal possible bottlenecks in business processes that arise from employees' negligence and disloyalty, as well as irrational ways of storing, transmitting and processing information.

Forecasting and identifying possible conflicts with employees is done by analyzing correspondence, social networks and other Internet resources. Using a DLP system, one can identify an "insider" who is about to leave the company (searching for a job or negotiating received offers), who uses corporate IT resources for non-business purposes (long sessions in social networks, printing personal documents, books and photographs, visiting gaming sites, etc.), or who reacts negatively to management decisions. These matters should fall within the competence of HR and line managers rather than the security service.

WHAT IS THE GOAL?

When deploying a DLP system, or just thinking about it, it is important to understand clearly what you want from it. Without this it is hard not only to choose a solution, but also to formulate the requirements for its functionality and configuration correctly. It is important to focus on the highest-priority tasks, and not on a list of functional capabilities, in order to clearly demonstrate the usefulness of the DLP implementation both to the IT department and to the company as a whole.

Andriy Prozorov, leading information security expert at InfoWatch, blogger.

The effectiveness of information security tools is directly proportional to the maturity of the related information security processes and their integration into the company's business processes. This is especially true of DLP.

Pavlo Volchkov
Leading information security consultant
Information Security Center of the Jet Infosystems company

Any out-of-the-box DLP has preinstalled dictionaries and rules. But most of them are not aimed at protection against leaks.

It is quite common to encounter a situation where a full-featured DLP system is used by a company either sporadically or only for local tasks. At the same time, the system requires support and burdens the budget of the IT or IS department. How can the system be made to work more efficiently? Let's look at this question from the organizational side, without going into technical details.

The main reason for problems with DLP lies in how it is implemented. Many IS managers believe that the processes around DLP can be built after deployment. Our experience shows that this is not the case. For DLP to function effectively, it must be built into the existing IS processes, not on top of them. In other words, in order to use the system effectively, the organization must have the appropriate level of maturity and "grow into" the system.

What are the main risks associated with the DLP process?

First, the DLP system may implement only template rules that do not reflect the specifics of the business processes. In the service approach, the company's business units are "clients" of the information security service, which provides them with various services, such as protection against leaks. Unfortunately, the weak point of many Russian IS services is ignorance of their own business. And with DLP the situation is aggravated by the fact that knowledge of the business is needed not just at the level of business processes and data flows, but at the level of specific information assets.

Another risk is that the DLP system "by design" does not cover all relevant leak channels. A real-life example: an agentless DLP is deployed, with no control over removable media. Such a system will catch an employee who sent documents to a personal mailbox in order to work at home; but the one who simply copied everything to a flash drive and walked out cannot be caught, and that is the real theft of information.

The implemented policies may generate a large number of false positives that cannot be processed in a reasonable time, and that is the real difficulty. This situation often arises from the first attempts to implement custom rules. For example, we want to detect documents marked "For official use", and we have to exclude innocent phrases such as "a car for official use", "please see me for official use", and so on. The IS service cannot cope with the stream of alerts and has to disable such rules.

Another point is that out-of-the-box DLP is not geared to serious information security tasks. Any out-of-the-box DLP has preinstalled dictionaries and rules. But most of them are not aimed at protection against leaks. They can find employees who use obscene language in corporate mail, discuss management, or send a résumé somewhere. But that is about maintaining corporate ethics, not about protecting restricted information.

And the last risk is that the absence of a process around DLP can, paradoxically, negatively affect the process itself and lead to organizational measures being completely adjusted to the available functionality of the system, which was not working in the first place. In practice, the broader attitude is: "Why regulate rules of work in areas where we are technically unable to control compliance with those regulations?"

What to do if the company already has DLP, but the process component is lacking?

There is a solution. It lies in the methodologically correct application of the process approach, taking into account the specifics of DLP as a means of protection.

When it comes to organizing a process approach, the most suitable model is the classic PDCA (Plan-Do-Check-Act) cycle:

  • we define the purpose of the system, what information is protected and how (plan);
  • we implement the DLP policies (do);
  • we operate the system and analyze the number of potential and real incidents, the percentage of false positives, test results, and technical indicators (check);
  • we change the policies based on the results of the analysis (act);
  • a new planning cycle is carried out, taking into account changed goals; we update the information and introduce new approaches (plan).

Simple? But there are nuances.

Plan

The first difficulty at this stage is that the question arises of what, in the end, the DLP system is for. The system can do everything at once. But it is still worth prioritizing.

To determine what is required of the DLP system, a few questions are enough:

  • who are the main customers of the DLP system, and who only plans to use it;
  • what the main stakeholders expect from the DLP deployment in the next 1-3 years;
  • what the company's core business expects, and on what it would like to receive regular statistics;
  • what atypical external requirements apply to the company in the area of leak protection (for example, requirements of a parent company).

Priorities are set. Then the problem arises of moving from the abstract "restricted-access information" or "information constituting a commercial secret" to specific information assets, that is, down to the level of specific documents transmitted between specific people. How can this be done? Only by classic analysis of business processes, based on an inventory and categorization of information assets. This is a labor-intensive and complex task, which we single out as a separate information security project.

A topic that overlaps with leak control is the introduction of a commercial secret regime. This regime greatly facilitates the analysis of business processes and the inventory of information. From the point of view of DLP tuning, it helps to turn the abstract notion of "restricted information" into a set of specific documents, which is exactly what is needed. Working with them, one can identify typical signs: the format of the marking, the stamp, the serial number format, other design features, typical phrases, preambles and title pages, standardized document forms, and so on. It is also possible to apply "granular" control of employees depending on whether or not they have been admitted to the commercial secret.

Do

A very important component of DLP work is the fine-tuning of policies and the creation of non-standard rules in the system. It rests on three approaches to controlling restricted information:

  • by specific signs of the document;
  • by additional information, for example standard documents that are common to all enterprises;
  • by additional rules that allow information security incidents or abnormal employee behavior to be detected indirectly.

Implementing the second approach requires a gradual accumulation of information about unique DLP rules and the creation of content-filtering databases. It is worth involving the vendor or the implementation partner in the DLP development project: they already have large content-filtering databases (typical documents, forms, regular expression templates, sets of keywords, and so on) in reserve. It is also worth implementing a set of rules that indirectly reveal anomalous employee behavior, for example the classic sending of encrypted archives, the transfer of information to personal mailboxes, or the transmission of large volumes of data.

The effectiveness of such simple rules should not be underestimated: with their help, leaks of information can be caught with a high degree of confidence.
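As an added example (not code from the article or from any DLP product), the following Python script shows how the three rule families above, together with the false-positive problem discussed at the start of this section, might look in practice: a document-sign rule for a marking and a serial number format, which fires only when the marking is a standalone stamp line so that running text such as "a car for official use" does not trigger it; a channel rule for personal mailboxes; and the indirect rules for encrypted archives and large attachments. The corporate domain, the personal-mail domain list, the serial number format, the size threshold and the sample messages are all constructed assumptions, and the hand-built ZIP helper exists only because the standard library cannot write encrypted archives.

```python
import io
import re
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Assumed corporate domain and a short, constructed list of personal mail domains.
CORP_DOMAIN = "corp.example"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "mail.ru", "yandex.ru"}
# Assumed size threshold for the "large attachment" indirect rule (5 MiB).
LARGE_ATTACHMENT_BYTES = 5 * 1024 * 1024

# Document signs: the marking counts only as a standalone stamp line (title page),
# so running text such as "a car for official use" does not match.
MARKING_STAMP = re.compile(r"^\s*For official use\s*$", re.IGNORECASE | re.MULTILINE)
# Hypothetical serial number format of the protected document family, e.g. CS-2018/0417.
SERIAL_NUMBER = re.compile(r"\bCS-\d{4}/\d{4}\b")


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> raw bytes


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry has general-purpose flag bit 0 (encryption) set.
    Only the central directory is read; the archive is never extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def evaluate(msg: Message) -> list:
    """Return the list of rule identifiers that fire for one message."""
    hits = []
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    external = domain != CORP_DOMAIN
    # Document-sign and channel rules only matter when data leaves the perimeter.
    if external:
        if MARKING_STAMP.search(msg.body):
            hits.append("marking:for-official-use")
        if SERIAL_NUMBER.search(msg.body):
            hits.append("serial:protected-document")
        if domain in PERSONAL_MAIL_DOMAINS:
            hits.append("channel:personal-mailbox")
    # Indirect rules apply to every channel, internal ones included.
    for name, data in msg.attachments.items():
        if len(data) > LARGE_ATTACHMENT_BYTES:
            hits.append("size:large-attachment:" + name)
        if name.lower().endswith(".zip") and is_encrypted_zip(data):
            hits.append("archive:encrypted:" + name)
    return hits


DOS_DATE = (38 << 9) | (1 << 5) | 1  # 2018-01-01 in DOS date encoding


def make_zip(name: str, data: bytes, encrypted: bool = False) -> bytes:
    """Hand-build a minimal stored ZIP for the samples. 'encrypted' only sets
    flag bit 0, which is what the detector (like an archiver) looks at; no
    real encryption is performed, this is a constructed test fixture."""
    flags = 0x1 if encrypted else 0
    n = name.encode()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, DOS_DATE,
                        crc, len(data), len(data), len(n), 0) + n + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          DOS_DATE, crc, len(data), len(data), len(n),
                          0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed sample messages (not real traffic).
SAMPLES = {
    "leak": Message("ivanov@corp.example", "ivanov.private@gmail.com",
                    "For official use\nQuarterly plan CS-2018/0417 attached.",
                    {"plan.zip": make_zip("plan.txt", b"budget", encrypted=True)}),
    "innocent": Message("petrov@corp.example", "partner@supplier.example",
                        "Please book a car for official use for Monday."),
    "internal": Message("sidorov@corp.example", "ivanov@corp.example",
                        "For official use\nDraft CS-2018/0418 for review."),
    "bulk": Message("petrov@corp.example", "partner@supplier.example",
                    "Log dump as requested.",
                    {"dump.bin": b"\0" * (6 * 1024 * 1024)}),
}


def scan(messages: dict) -> dict:
    """Evaluate every message; returns {name: [rule ids that fired]}."""
    return {name: evaluate(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:9} -> {hits or 'no hits'}")
```

The point of the stamp rule is the anchoring: the same keyword as a bare regex would fire on every "car for official use" in a booking request, which is the false-positive flood described above. The indirect rules deliberately do not look at content at all, which is why they stay cheap and still catch the classic encrypted-archive and large-attachment patterns.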

Check

DLP is one component of a leak protection system made up of technology, processes and personnel, whose effectiveness depends on each element and on their combined effect. Integrating DLP into the regular information security processes is valuable because it allows the implementation of DLP policies to be evaluated in practice.

Regardless of which DLP solution is selected and in which configuration, it is important already at the planning stage to understand which channels are realistically covered. For the channels not covered by DLP, no less careful work with other technical and organizational measures must be planned. Remember that tuning DLP is not an end in itself but a tool for monitoring leak channels, and only one of many.

DLP is connected with the following information security processes:

  • internal communications between the information security service and business units;
  • information security risk management;
  • granting access to information resources;
  • registration and monitoring of information security events;
  • information security incident management;
  • raising employee awareness;
  • modeling of threats and intruders.

By analyzing the effectiveness of the listed processes, one can judge the effectiveness of the DLP itself and identify directions for further improvement of the policies. Particular attention must be paid to fighting false positives. A thorough analysis of the details of detected incidents and of the specific conditions in which they arose helps here.

At this stage it also often becomes clear that there are not enough human resources to support the system; allocating them is important for the further development of DLP. DLP administration and incident management are resource-intensive processes, especially when DLP is run in blocking mode. It is impossible to predict the required number of information security staff in advance; everything depends on the number of rules implemented. Our experience is that at least one specialist is needed whose main duty is support of the system and the processes associated with it.

Act

Having full information about the operation of the system, one can adjust the existing rules, develop new ones, make changes to the operating procedures of the information security processes, allocate additional human resources and plan technical modernization of the system. Such measures should be included in the information security measures plan.

A further question is how long the PDCA cycle should be. There is no single recipe; everything depends on the information security practices that have developed in the company. We believe that the initial control stage should last at least two quarters, so that it covers activities that occur within the company's business processes once a quarter, for example the preparation of quarterly reports.

The development of regulatory documentation is one of the main stages of implementing a security system, and it is what ensures the system's continued effectiveness in your company. In this article we look at the main laws and regulatory requirements for building an information security system in an organization that must be followed in the process of implementing DLP.

So, what is a DLP system? A DLP system is a software product intended to prevent leaks of confidential information beyond the corporate perimeter. In addition, modern information security systems also provide control of the company's reputation and identification of disloyal employees.

Why is a confidential data protection system an indispensable element of an effective security policy in an organization? Just look at the statistics published by Gemalto's analytical center for the first half of 2018:

  • 18.5 million records lost or stolen per day;
  • 771.9 thousand records per hour;
  • 12.8 thousand records per minute;
  • 214 records every second.

And that is not all: compared with the first half of 2017, the number of compromised records grew by 72%, from 938.8 million to 3.3 billion. Impressive figures, aren't they?

Thus, building a security function pursues the following goals:

  • first, to protect intangible assets and intellectual property from unlawful use by third parties;
  • second, to secure the support of legal institutions, the courts and law enforcement agencies, in the event that the rights of the lawful owner are violated by an employee, by creating and providing an evidence base for each incident;
  • third, to ensure that sanctions can be imposed on those guilty of violating those rights and that damages can be recovered from them.

So, you have decided that your business needs a DLP system and you plan to move seriously to a higher level of security. Where do you start?

Conduct an internal audit

Review the existing organizational and administrative documentation;

Use this review to determine which potentially important information should be kept confidential;

Assess the company's information resources and divide them into categories:

1) establish a list of employees who require access to confidential information;

2) clearly describe the operations performed with confidential information within business processes.

Why is this needed? An audit will allow you to identify the weakest points in your existing business processes and give a complete picture of what still needs to be done to lay the foundation for building a DLP system in your organization.

Develop the regulatory documentation

On the basis of the information gathered during the audit, the regulatory documentation must be developed. One of the basic conditions for implementing security policies is the introduction of a commercial secret regime. To introduce the regime, a document must be approved that defines the list of information constituting a commercial secret. Since the DLP system is a mechanism for exercising the exclusive right to intellectual property and intangible assets, the information protected as confidential must be defined in accordance with the law. Thus, according to Article 1225 of the Civil Code, the protected results of intellectual activity include:

1) works of science, literature and art;

2) computer programs;

3) databases;

7) inventions;

8) utility models;

9) commercial designations;

10) selection achievements;

11) topologies of integrated circuits;

12) production secrets (know-how);

15) appellations of origin of goods.

In addition, a document with the list of persons admitted to work with confidential information must be prepared, and each person subject to the regime must be familiarized with it under signature. Also necessary for the legal support of the commercial secret regime is a document that regulates the handling of confidential information within the organization and describes the protection mechanisms.

And finally, the last preparatory point is the order introducing the commercial secret regime in the organization.

Why is this needed? Let us look at an example from court practice:

On February 28, 2012, the Twelfth Arbitration Court of Appeal (Saratov) dismissed the appeal of LLC "Luxurita" against the decision of the Arbitration Court of the Saratov Region in the company's claim against individual entrepreneur S.Y.V. for recovery of 491,474.92 rubles of losses in the form of lost profit (unlawful appropriation of the client base and poaching of clients).

The court of first instance correctly established that the company's client base did not meet the requirements of Part 1 of Article 10 of the Federal Law "On Commercial Secrets". In addition, no evidence was presented in the case materials to confirm that a commercial secret regime had been introduced with respect to the client base.

For a client base to be recognized as a production secret, it must meet Article 1465 of the Civil Code of the Russian Federation, which defines what may be protected under civil law as a production secret; it is then protected under Article 1472 of the Civil Code of the Russian Federation.

Regulate employee monitoring

As a progressive technology, DLP systems have significantly outgrown their predecessors. Modern DLP systems combine important functions: they serve not only as a tool for protecting confidential data but also, for example, as an effective program for monitoring employee activity. This is an optimal solution for managers who want a real analysis of staff effectiveness and the ability to quickly identify unreliable employees.

However, the introduction of monitoring in an organization requires a number of measures, including:

Development of a monitoring regulation, which sets out the rules for storing, processing and transmitting confidential information within the organization, as well as the liability for violating them;

Familiarization of all the company's employees with the regulation under signature.

In addition, the regulation must contain a clause on which means of monitoring may be used with respect to an employee and how the information obtained may be used. If audio and video recording is to be conducted as part of monitoring, this must also be specified in the regulation.

Despite the widespread use of such systems in various areas of business, the question of the legality of monitoring systems still arises, and it rests on Article 23 of the Constitution of the Russian Federation, which guarantees the inviolability of private life. However, this article covers only the private life of an individual and does not extend to the performance of official duties. Therefore, when preparing a document that regulates employee activity in the organization, it must be stated that:

all means of communication provided by the employer to the employee are intended only for the performance of official duties;
the e-mail address and telephone number belong to the organization, since they were created by the employer for the employee for the period of performance of official duties.

However, the employer also has obligations that must be observed. For example, it is not permitted to collect employees' personal data without a legitimate purpose.

Taking all of this into account will allow you to use a monitoring system effectively without violating employees' rights.

Why is this needed? Control over work activity is by no means an innovation, but a mandatory requirement for organizing the working schedule, which is prescribed in the Labor Code. And given the specifics of today's business, monitoring systems are indispensable. Let us look at a real example in which monitoring of an employee's activity made it possible to prove the theft of confidential information by a disloyal employee: "On May 28, 2008, the Presnensky Court dismissed the claim to change the grounds of dismissal from Art. 81 clause 6 to Art. 77 clause 3 (voluntary resignation).

Employee K.B. of the travel agency "Intercity Service" (KPM Group holding) had for a number of years sent confidential information to a competing travel company, both from a personal computer and from other computers.

The grounds for dismissal for a single gross violation of labor duties by the employee, namely disclosure of a secret protected by law that became known to the employee in connection with the performance of labor duties, were the materials of an internal investigation based on the results of automated monitoring.
As evidence, the court was presented with e-mail messages sent from the corporate mail to external addresses, and screenshots.

The reason for the internal investigation was a growth in the outbound traffic of the employee, whose duties did not involve sending large attachments to non-corporate addressees.

Dismissed under Article 81 clause 6 of the Labor Code: disclosure of a commercial secret."

Follow FSTEC requirements for DLP systems

The Federal Service for Technical and Export Control (FSTEC), a Russian federal executive body responsible for the security of key elements of the information infrastructure, has specific requirements for DLP systems.

According to the recommendations of the methodological document "Measures for the protection of information in state information systems", approved by FSTEC of Russia on February 11, 2014, the organizational and technical measures adopted to protect information must:

    ensure the availability of the information processed in the automated control system (exclusion of unlawful blocking of information), its integrity (exclusion of unlawful destruction or modification of information) and, where necessary, its confidentiality (exclusion of unauthorized access, copying, provision or distribution of information);

    contribute to the industrial, physical, fire, environmental, radiation and other safety of the automated control system of the controlled object and (or) process;

    not have a negative impact on the normal functioning of the automated control system.

According to the recommendations, in order to ensure the integrity of the information system and of the information (the OCL group of measures described in the document), the information system must control the content of the information transmitted from the information system (container-based, based on the properties of the access object, and content-based, based on searching for protected information by means of signatures, masks and other methods before transmission) and prevent the unlawful transfer of information from the information system (measure OCL.5).

To implement this, the functionality of a modern DLP system must provide:

  • detection of and response to facts of unlawful transfer of protected information from the information system through various types of network connections, including public networks;
  • detection of and response to facts of unlawful recording of protected information onto unregistered removable machine-readable media;
  • detection of and response to facts of unlawful access to documents containing protected information;
  • detection of and response to facts of unlawful copying of protected information in application software from the clipboard;
  • control of the storage of protected information on servers and automated workstations;
  • detection of facts of storage of protected information on shared network resources (shared folders, document management systems, databases, mail archives and other resources).

FSTEC's requirements for strengthening the OCL.5 measure with respect to DLP systems:

  • the information system must store all information transmitted from the information system and (or) information whose transmission from the information system is not permitted, for a period determined by the operator;
  • the information system must block the transmission from the information system of information with impermissible content.

Why is this needed?

Non-compliance with regulators' requirements can cause many inconveniences, so it is strongly recommended, first, to carefully develop the regulatory documentation that forms your company's information security policy, and second, to implement only a certified software product that meets all regulators' requirements, such as SecureTower.

Don't stop at what you have achieved

A DLP system cannot be a universal solution to all information security problems. Building a competent security policy in a company is a process, not a one-off task, and it requires constant refinement. The key characteristic of any process is its continuity: whatever changes occur in the organization, such as hiring and growth of staff, optimization of business processes or issuing of new documents, they must be recorded and reflected in the DLP system.

Why is this needed? When introducing a DLP system into a business, it is important to understand that it is just a tool that requires constant adjustment, and only a responsible approach to maintaining the system and timely changes to security policies can guarantee maximum protection against leaks.