Ron Arden, Vice President of Fasoo, Inc., spoke to members of the Rochester Institute of Internal Auditors (IIA) and Information Systems Audit and Control Association (ISACA) at the Hilton Double Tree Hotel in Rochester, NY on December 10, 2015. Ron delivered a presentation on “Data Protection of Sensitive Information” to this annual event and showed attendees how to use Fasoo’s enterprise digital rights management to protect sensitive information from insider threats and external attacks by hackers.
Given the constant drumbeat of news on data breaches and cyber security incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group. A number of attendees came up after the presentation and asked about protecting very sensitive documents in their companies. I spoke with a gentleman from a retail company who was concerned about protecting contract information with their suppliers and, since they have such high employee turnover, was worried about people moving to competitors with sensitive information.
As discussed during the event, auditors and risk management professionals are concerned not only with meeting regulatory compliance but also with following internal audit and security rules. During one of the panel discussions, attendees and panel members talked about security versus compliance. Someone raised the case of an organization that met PCI compliance requirements but still suffered a data breach. A case in point is the major breach at Target in 2013: the company met the requirements, but was still vulnerable and lost data. Since many regulations are somewhat vague about how to be compliant, the group talked about using cyber security frameworks from NIST and RSA Archer as ways to ensure security that goes beyond compliance. Being compliant does not mean you are secure.
Another major discussion area was using analytics to understand what is normal behavior in your organization, so you can determine what is abnormal. Many companies have weak controls around data access, and it is hard for IT and auditors to separate the noise from the important details when they review logs from security tools. Organizations need to establish a baseline of normal data access for each user and then look at how later activity deviates from that norm. This helps pinpoint insider threats as well as suspicious activity from compromised systems.
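The baseline-and-deviation idea above can be shown concretely. The following Python script is an added illustration written for this post, not code from the presentation or from Fasoo. It builds a per-user baseline of daily document accesses from a week of constructed audit-log lines (the log format, user names, folder names and dates are all invented for the example), then scores a later day against that baseline, flagging both an unusual volume of accesses and access to a folder the user never touched during the baseline period.

```python
from collections import defaultdict
from statistics import mean, pstdev


# Constructed sample audit log (not real data). One line per document access:
# "<timestamp> user=<name> action=<verb> doc=<path>". In practice these lines
# would come from a DRM or file-server audit trail.
def _make_sample_log():
    lines = []
    baseline_days = [f"2015-12-0{d}" for d in range(1, 8)]  # seven quiet days
    for day in baseline_days:
        for i in range(3):  # alice: 3 opens per day in the contracts folder
            lines.append(f"{day}T09:{i:02d}:00Z user=alice action=open doc=contracts/supplier-{i}.docx")
        for i in range(5):  # bob: 5 opens per day in the finance folder
            lines.append(f"{day}T10:{i:02d}:00Z user=bob action=open doc=finance/q4-{i}.xlsx")
    # Test day: alice behaves as usual; bob bulk-downloads the contracts folder.
    for i in range(3):
        lines.append(f"2015-12-08T09:{i:02d}:00Z user=alice action=open doc=contracts/supplier-{i}.docx")
    for i in range(40):
        lines.append(f"2015-12-08T17:{i:02d}:00Z user=bob action=download doc=contracts/supplier-{i}.docx")
    return lines


SAMPLE_LOG = _make_sample_log()
BASELINE_DAYS = {f"2015-12-0{d}" for d in range(1, 8)}


def parse_line(line):
    """Return (day, user, action, top-level folder) for one log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    folder = kv["doc"].split("/", 1)[0]
    return ts[:10], kv["user"], kv["action"], folder


def summarize(lines):
    """Per user: {day: access count} and {day: set of folders touched}."""
    counts = defaultdict(lambda: defaultdict(int))
    folders = defaultdict(lambda: defaultdict(set))
    for line in lines:
        day, user, _action, folder = parse_line(line)
        counts[user][day] += 1
        folders[user][day].add(folder)
    return counts, folders


def build_baseline(lines, baseline_days):
    """Per-user mean/stdev of daily accesses and the folders normally used."""
    counts, folders = summarize(lines)
    days = sorted(baseline_days)
    baseline = {}
    for user in counts:
        # A baseline day with no activity counts as zero, not as missing.
        series = [counts[user].get(d, 0) for d in days]
        usual = set().union(*(folders[user].get(d, set()) for d in days))
        baseline[user] = {"mean": mean(series), "stdev": pstdev(series), "folders": usual}
    return baseline


def score_day(lines, baseline, day, z_threshold=3.0, stdev_floor=1.0):
    """Flag users whose activity on `day` deviates from their baseline.

    stdev_floor keeps a perfectly regular baseline (stdev 0) from turning a
    single extra access into an alert; tune both thresholds to your own logs.
    """
    counts, folders = summarize(lines)
    findings = []
    for user, b in baseline.items():
        n = counts[user].get(day, 0)
        z = (n - b["mean"]) / max(b["stdev"], stdev_floor)
        if z > z_threshold:
            findings.append((user, f"volume: {n} accesses vs baseline mean {b['mean']:.1f} (z={z:.1f})"))
        # Folders touched today that never appeared during the baseline window.
        for folder in sorted(folders[user].get(day, set()) - b["folders"]):
            findings.append((user, f"new folder: {folder}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(SAMPLE_LOG, BASELINE_DAYS)
    for user, reason in score_day(SAMPLE_LOG, base, "2015-12-08"):
        print(f"{user}: {reason}")
```

On the constructed data only bob is flagged, twice: once for volume (40 downloads against a baseline of 5 per day) and once for touching the contracts folder for the first time. A single day of history is not a baseline; the floor on the standard deviation and the z-score threshold are the knobs that decide how much day-to-day variation is treated as noise rather than signal.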
The event showed the growing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.