Securing regulated data

The regulatory landscape has shifted to such an extent in recent years that data security standards and disclosure laws now impact virtually every business across every industry.

Whether you’re a retailer facing the Payment Card Industry (PCI) Data Security Standard or a healthcare network that needs to comply with HIPAA, this article aims to provide an overview of the data protection capabilities you need in order to meet those obligations and to demonstrate that you have met them.

Three capabilities to look for

Companies need to protect their enterprise data – whether inside their data centre, traversing the network, or out at the endpoints – and demonstrate compliance with government and industry regulations.

1. Accurately identify all sensitive data at rest across the enterprise. In a large corporate environment that data is spread across thousands of laptops, desktops and servers, not just the databases you already know about, so the solution must be able to discover it wherever it is stored.
2. Detect sensitive data in motion across your network. Look for network monitoring and blocking that screens traffic precisely, creates an audit trail and lets you remediate incidents where a policy has been violated. Precision matters here because every false positive on a blocking rule is a legitimate transmission that gets stopped.
3. Gain visibility and control over data in use on workstations. Ensure that the solution lets your organisation monitor data activity on user workstations for irregularities, warn users when an action would put sensitive data at risk and ultimately block the loss of specific, sensitive data before it happens.

Accuracy is key

Effective monitoring and enforcement of compliance with regulations requires that data loss prevention systems attain the highest possible accuracy in detecting regulated data: missed data is a compliance gap, and false positives bury real incidents and block legitimate work. The practical way to achieve this is a modular policy structure that is both powerful and easy to use. There are two key components to such a system:

1. Content blades

Content blades encapsulate the logic and rules for detecting specific types of data, such as social security numbers, proper names or corporate financials, to name a few. They achieve high precision by combining several analysis techniques rather than relying on a single pattern match; for example, a candidate card number should be validated with its checksum and surrounding context, not accepted simply because it is a run of sixteen digits. Designed to be built once and reused many times, content blades can be leveraged in multiple policies that need to identify the same kinds of data.

2. Policies

Policies specify the usage and handling rules for each type of data that a content blade detects. The policy determines whether a given transmission or stored file constitutes a violation and, if so, how the data or transmission should be handled. Users can define a broad set of usage conditions and handling rules to ensure that the system acts in accordance with their specific data protection needs.

It is key to establish whether the solution you are investigating includes pre-built policies, designed around specific regulations and common corporate data protection needs. Not only does this speed implementation, but because the policies and their content blades are built by industry knowledge engineers, you get the expertise of a team of professionals certified in a range of data security regulations.
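The content-blade and policy split described above, as an added example that is not the page's own code nor RSA's: a card-number blade that validates candidates with the Luhn checksum, a US social security number blade that rejects ranges the SSA never issues, and two policies that reuse those blades with different handling actions, run over constructed sample documents to show the data-at-rest discovery step. The names ContentBlade, Policy, PCI_DSS, PII_EXPORT and the sample documents are all assumptions made for the example.

```python
"""Reusable detectors ("content blades") plus policies that decide handling.

Added example, not vendor code. The class names, policy names and
SAMPLE_DOCS below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


# --- Content blades: detection logic, built once, reused by many policies ---

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes; the word
# boundaries stop the pattern matching a slice of a longer digit run.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> List[str]:
    """Card-number candidates that pass Luhn. The regex alone also matches
    phone numbers, order IDs and timestamps; the checksum rejects about nine
    in ten random digit strings, which is what buys precision."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


_SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def find_ssns(text: str) -> List[str]:
    """US SSNs in AAA-GG-SSSS form, excluding values the SSA never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    hits = []
    for area, group, serial in _SSN_RE.findall(text):
        a = int(area)
        if a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


@dataclass(frozen=True)
class ContentBlade:
    name: str
    detect: Callable[[str], List[str]]


PAN_BLADE = ContentBlade("pan", find_pans)
SSN_BLADE = ContentBlade("us_ssn", find_ssns)


# --- Policies: which blades apply and what happens on a hit ---

@dataclass(frozen=True)
class Policy:
    name: str
    blades: Tuple[ContentBlade, ...]
    action: str                      # "block" or "alert"; no hit means "allow"


PCI_DSS = Policy("PCI-DSS", (PAN_BLADE,), "block")
PII_EXPORT = Policy("PII export", (PAN_BLADE, SSN_BLADE), "alert")  # reuses PAN_BLADE


def mask(value: str) -> str:
    """Keep only the last four characters so the audit trail does not itself
    become another copy of the regulated data."""
    return "*" * (len(value) - 4) + value[-4:]


def evaluate(policy: Policy, text: str) -> Dict[str, object]:
    """Apply every blade in the policy and return the handling verdict."""
    findings = {b.name: b.detect(text) for b in policy.blades}
    findings = {k: v for k, v in findings.items() if v}
    return {
        "policy": policy.name,
        "action": policy.action if findings else "allow",
        "findings": {k: [mask(v) for v in vals] for k, vals in findings.items()},
    }


def scan_documents(policy: Policy, docs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Data-at-rest discovery: (path, action) for each document that violates the policy."""
    return [(path, v["action"]) for path, body in docs.items()
            if (v := evaluate(policy, body))["action"] != "allow"]


# Constructed sample "files"; 4111 1111 1111 1111 is the well-known Luhn-valid test PAN.
SAMPLE_DOCS = {
    "shared/orders_q3.csv": "order 20240917001,4111 1111 1111 1111,shipped",
    "shared/phonebook.txt": "front desk 1234 5678 9012 3456 ext 12",   # 16 digits, fails Luhn
    "hr/onboarding.txt": "new hire SSN 219-09-9999; placeholder 000-12-3456",
    "eng/README.md": "build id 2024-09-17",
}

if __name__ == "__main__":
    for pol in (PCI_DSS, PII_EXPORT):
        print(pol.name, scan_documents(pol, SAMPLE_DOCS))
```

Note what the checksum and the issuance rules do for the audit trail: the phone-book entry and the 000 placeholder are exactly the kind of candidates that a digits-only rule would report, and every one of those is a ticket an analyst has to close by hand.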

Achieving compliance with key regulations

Payment Card Industry (PCI) Data Security Standard

The PCI Data Security Standard (DSS) is designed to protect cardholder data gathered throughout the transaction process. An industry-based effort led by MasterCard and Visa, the PCI regulations impact any organisation – retailers, merchants and payment processors – involved in receiving, storing or processing card payments.

Retailers and other organisations that need to protect cardholder data and comply with the DSS would require the following solution capabilities:

• A pre-built, one-click PCI DSS policy that identifies and handles any cardholder data it locates.
• PCI-related expert content blades that apply advanced detection capabilities to precisely identify cardholder data, rather than every run of digits that happens to be the right length.

Rapid data discovery enables organisations to prepare for PCI audits by scanning their entire network, in hours, to identify PCI compliance issues.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act was passed to reinforce confidence and protect investors by bringing accountability, transparency and responsibility to the accounting and reporting practices of publicly traded companies. Under it, companies must comply with SEC regulations requiring stringent disclosure and proper valuation of intellectual property (IP) and intangible assets, which means the confidential information behind those valuations has to be protected as well.

Organisations that need to comply with SOX would require the following solution capabilities:

• A pre-built, one-click SOX policy that identifies and handles several categories of sensitive corporate information.
• SOX-related expert content blades, pre-built to detect specific data including company financials, contracts, source code and patents.
• The ability to create new content blades easily, to define any type of custom corporate information you need to protect.

Data loss prevention solution checklist

• Will your solution allow me to locate all sensitive data?
• Will your solution allow me to monitor data activity?
• Will your solution allow me to automate policy enforcement?
• Will your solution allow me to easily assess risk?
• Will your solution allow me to maintain audit readiness?


Mark Pullen is ANZ Country Manager of RSA, the security division of EMC.