Tag: audit trail

Protect your sensitive data with Enterprise DRM

Corporate data is the lifeblood of business, and because of remote work and constant competitive pressures, it is more vulnerable than ever.  Protecting that data while still making it available to those who need it is why many organizations are turning to Enterprise Digital Rights Management (EDRM).

Information security, privacy, regulatory compliance, and data governance requirements drive how we manage corporate data.  Business requires us to share sensitive information with employees, contractors, business partners, and customers, but we need a way to do it securely without impacting everyone’s productivity.

The realities of today mean that many of us may work from any location at any time, using any device.  Outsourced functions range from finance and human resources (HR) to design and manufacturing.  If you outsource manufacturing or finance to a third party, how do you define your corporate boundary for data, since your sensitive information is in the hands of a business partner?  Add to this the real threat of external hackers and insider threats from employees, contractors, and the third parties you use for key business functions.

How do you protect the most important information in your business?

Here are 5 reasons why you should seriously consider Enterprise DRM as part of your information security, data governance, and compliance strategy.

Protect Your Intellectual Property

Intellectual property (IP) is a critical asset for your business.  It lets you create unique products and services that drive revenue.  It differentiates you from the competition and keeps your customers coming back.  If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.

EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it.  You can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information.  You can control derivatives of documents since people share IP in PDF or other common formats with both internal and external recipients.  Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network.  You can also revoke access or change permissions after you distribute a document if the sensitivity of the information, or the set of people who should have access to it, changes.

Protect Customer Data

Any business that deals with personal information or takes credit cards must protect it from unauthorized access.  Regulations such as GDPR, CCPA, HIPAA, PCI DSS, and numerous other laws mandate that third-party data is under strict control and only authorized people can access it.  Violations can result in hefty fines and cause major legal and business problems.

EDRM controls how employees, contractors, and business partners use this sensitive information.  It can prevent sharing the data with unauthorized users by controlling access, screen captures, and adding visible watermarks to both printed documents and those viewed on a screen or mobile device.  Since third-party data typically has a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.

Protect Your Customer’s Intellectual Property

You may also be a steward of your customer’s intellectual property.  Manufacturing and business services organizations commonly have sensitive designs or client data that is worth stealing.  An organization’s supply chain can be the weakest link in its security which makes it an easy target for hackers and trusted insiders.  Your customers trust you with keeping their intellectual property safe and out of the hands of their competitors.

Enterprise DRM protects your customer’s intellectual property from unauthorized access.  You can automatically encrypt and assign access controls to sensitive documents as you save them.  If different groups use this information, you can easily limit access based on projects or customers.  If an employee working with one customer’s data accidentally shares it with another customer, you are protected since only authorized users can see and use the data.  This provides built-in safeguards for those people working on multiple projects.

Protect Employee Privacy

HR, Finance, and other departments have a lot of sensitive employee data, including social security and insurance numbers, health information, salary data, and the results of drug tests or criminal background checks.  Controlling its access and distribution is part of the social and legal compact any employee has with her or his employer.

Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it.  You can control access dynamically through your identity access management (IAM) system so that as roles change in your company, so do access rights.  For information you share with outside service providers, you can provide read-only copies that you can revoke at any time.  Only recipients granted access can see the data, so your employees and outside providers can’t share the data with unauthorized users.

Provide Audit Trails

Regulatory compliance is a requirement for many businesses to prove they can manage critical information in a way that ensures chain of custody and proof that only authorized users had access.  Compliance is not just a matter of the law but is generally considered good business practice.  Compliant companies can prove they take information security and governance seriously and can use this as a selling point to their customers.

Enterprise digital rights management provides an audit trail of all user and file activities to ensure a chain of custody of information for electronic discovery and proves that only authorized users have access to sensitive data. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation.  Since many regulations require you to prove to a regulator that you meet their requirements for protecting privacy, audit trails are easily available in downloadable reports.

 

Enterprise DRM can help you meet information security, regulatory compliance, and data governance objectives, ensure privacy and protect the digital assets of your company.  It is the best way to protect your most important business information and get a good night’s sleep.

To learn more, download our Enterprise DRM whitepaper.

Panel at PwC discussing NYDFS 23 NYCRR 500 Cybersecurity Regulation

The third in a series of NYDFS 23 NYCRR 500 roadshow events at PwC in New York, NY on May 18, 2017, was a great success as a room full of executives, legal, IT and security professionals discussed ways to help financial services organizations meet the new cybersecurity regulations that went into effect on March 1, 2017.  Pathway to compliance with NYDFS Part 500 was part of a continuing series of forums to help entities regulated by the New York Division of Financial Services (NYDFS) comply with a strict and wide-ranging regulation.

The event started with Joe Nocera, PwC principal and Cybersecurity Financial Services Industry Leader, giving an overview of 23 N.Y.C.R.R. Part 500 and many of the implications this has for financial institutions doing business in New York.  Joe talked about some anticipated challenges in meeting the requirements for encryption of nonpublic information, multi-factor authentication, incident reporting and annual certification.  While technologies and processes to meet these requirements are not new, there are a lot of questions about how to do it.  For example, is using end-point encryption good enough to protect data at rest and in transit?  What happens when you email a file with nonpublic information from your PC to someone else?  The file is no longer encrypted, so you are vulnerable.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey helped understand the current state of readiness to comply with the new regulations.  One key finding from the survey is that while most organizations believe this regulation will be harder to implement than GLBA, HIPAA or SOX, 65 percent believe it will improve their cybersecurity posture.

Dr. Ponemon’s keynote was followed by a panel discussion on Pathway to DFS Compliance.  Panel members included Dr. Ponemon, John Horn from Harter Secrest, and Ron Arden from Fasoo.  Some of the items discussed by the panel included eliminating information you no longer need, automatically protecting information downloaded from databases and information repositories and the best way to ensure you have a legally defensible environment when the auditors come calling.  Another major discussion point was around third party service provider security policies.  NYDFS gives covered entities two years to comply, since they realize this will be a major challenge.  If you need to meet these requirements, why wouldn’t you make your service providers meet the same requirements?

The panel was followed by three presentations from security vendors Fasoo, ForgeRock, and Securonix that highlighted technologies that can help financial companies become compliant with the new regulation.  Fasoo focused on its 6 Steps to Compliance that features finding and protecting nonpublic information through encryption, audit trails, access control and secure disposal of information no longer needed by the business.  ForgeRock focused on its identity and access management platform that helps meet the requirements for access control, auditing and multi-factor authentication.  Securonix focused on its behavioral analytics platform that can help understand and mitigate the risk of cybersecurity events.

Lunch followed and allowed attendees to discuss their challenges with the speakers and panel members.  The feedback was that a lot of great information was shared and helped give executives and practitioners good ammunition to move their cybersecurity programs forward.

New York Financial Services Cybersecurity Regulations

In September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for banks, insurers, and other financial institutions that will enhance data security and require a comprehensive cybersecurity program and policies to ensure compliance.

The proposed rule is the result of DFS’s focus on cybersecurity over the past several years, in which DFS held cybersecurity discussions with various financial institutions, and issued a letter to US regulators asking for feedback on potential cyber-specific requirements.

The regulation contains several requirements that will be new or more expansive than most organizations currently practice. For example, the proposal’s call for encryption of all nonpublic information will be challenging for many organizations. While most entities encrypt data in-transit, they only encrypt data at-rest in more selective circumstances.

The proposal will also require the chair of the board or a senior officer to submit an annual certification that the organization is complying with the regulations. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.

Fasoo can help financial institutions meet several of the requirements in the regulation.

Encryption of Nonpublic Information
Organizations will have to encrypt nonpublic information at-rest and in-transit.  This includes confirming a third party service provider’s adherence to these enhanced data security requirements.  Encryption requirements for data in-transit must be met by March 2018, while compliance for data at-rest must be met by January 2022.  DFS expects that prior to these dates organizations secure nonpublic information using alternative compensating controls.

Fasoo can address these requirements by encrypting documents and controlling who can access them regardless of the user’s or file’s location.  Below are three use cases in a financial institution where this can occur:

  • A user creates or stores confidential files or derivatives in network repositories or on PCs, or sends them (legitimately or by error) to third parties.
  • A user checks out a file containing confidential data from a document repository. Once the file is checked out, the company may not have adequate controls on who has the file or where it’s located.
  • An employee creates reports with customer data downloaded from a database to an Excel spreadsheet and stores them on a PC.

Audit trail
Organizations will have to maintain audit trails of sensitive data, including logs of access to critical systems.  Fasoo provides a complete audit trail of who accessed a document, when and from what location.  An administrator can even receive alerts if detected activity exceeds normal thresholds.

Access privileges
Access to systems containing nonpublic information needs to be restricted to only those people with a business need for access.  Fasoo assigns access control to all sensitive documents so that only those users with a legitimate need at the time they open the document can access the data inside.  If a user moves departments and no longer needs access to specific files, their access is automatically removed.

Risk assessment
Organizations will have to conduct annual cybersecurity risk assessments to determine their potential vulnerability and what existing controls are in place to mitigate any risk.  Since all document access is logged using Fasoo, it is simple for an organization to prove that appropriate controls are in place to mitigate risk of exposing sensitive information.

It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs.  Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.

The time is now to address these enhanced data security requirements as the deadlines to meet the regulations are coming up fast.

4 Reasons You Need Enterprise Digital Rights Management

In today’s business world, information security, regulatory compliance and data governance requirements are driving a top to bottom change in how we manage corporate data.  As the walls of an organization blur, new business models make employee, business partner and corporate information difficult to define.

Many companies allow employees to work from any location at any time using any device.  Outsourced functions today range from design to manufacturing to finance and human resources.  If I outsource manufacturing or finance to a third party, how do I define my corporate boundary for data, since my sensitive information is in the hands of a business partner?  Add to this the real threat of external hackers and insider threats from employees, contractors and the third parties I use for key business functions.

How do you protect the most important information in your business?

Here are 4 reasons why you should seriously consider enterprise digital rights management (EDRM) as part of your file security, data governance and compliance strategy.

Protect Intellectual Property

Intellectual property (IP) is a critical asset for your business.  It lets you create unique products and services that drive your revenue.  It differentiates you from the competition and keeps your customers coming back.  If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.

EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it.  You can enable or prevent the ability to view, edit, print, copy and even take a screen capture of the information.  You can control derivatives of documents, since people share IP in PDF or other common formats with both internal and external recipients.  Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network.  You can also revoke access or change permissions after you distribute a document, if the sensitivity of the information, or the set of people who should have access to it, changes.

Protect Third-party Data

Any business that takes credit cards or deals with personal information must protect it from unauthorized access.  Regulations such as HIPAA, PCI and numerous data breach laws mandate that third-party data is under strict control and only authorized people can access it.  Violations can result in hefty fines and cause major legal and business problems.

Enterprise digital rights management controls how employees and business partners use this sensitive information.  It can prevent sharing the data with unauthorized users by controlling access, screen captures and adding visible watermarks to both printed documents and those viewed on a screen or mobile device.  The person sharing the sensitive content can restrict access to a trusted browser-based viewer, which prevents a user from downloading it.  Since third-party data may have a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.

Protect Employee Privacy

HR and other departments have a lot of sensitive employee data, including social security numbers, health information, and the results of drug tests or criminal background checks.  Controlling its access and distribution is part of the social and legal compact any employee has with her or his employer.

Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it.  You can control access dynamically through your internal access management system so that as roles change in your company, so do access rights.

Provide Audit Trails

Regulatory compliance is a requirement for many businesses to prove they can manage critical information in a way that ensures chain of custody and proof that only authorized users had access.  Compliance is not just a matter of the law, but is generally considered good business practice.  Compliant companies can prove they take information security and management seriously and can use this as a selling point to their customers.

Enterprise digital rights management provides an audit trail of all user and file activities to ensure chain of custody of information for electronic discovery. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation.

 

Enterprise DRM can help you meet information security, regulatory compliance and data governance objectives, ensure privacy, and protect the digital assets of your company.  It is the best way to protect your most important business information and get a good night’s sleep.

 

Photo credit Jason Baker
