  <ul>
    <li><b>Operational:</b> A data breach often causes an interruption of services until the investigation process is concluded – this can take weeks or months, costing an organization business or other resources in the meantime. DLP ensures redundancies are put in place to counteract important data losses, thereby avoiding the operational cost of remediating lost data. In 2015, SSC implemented the [http://myssc-monspc.ssc-spc.gc.ca/en/worktools-processes/policy-instruments/it/use-usb Directive on the Use of USB and Other External Storage Devices] to help manage these sorts of risks. All of SSC’s electronic assets carry a software-based DLP tool that monitors the use of unauthorized devices on the network; this prevents both the removal of data from the SSC system and the introduction of malware, viruses or other malicious code through such devices. A second phase of SSC’s DLP program, which will monitor enterprise data in motion and at rest, is in the planning stages; for Secret data this monitoring is already in place.</li>
  </ul>
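  <p>As an added illustration of the device-control check described in the bullet above (example code written for this page, not SSC’s DLP tool or any vendor product), the following Python models an allowlist-based removable-storage control: each attach event is parsed, scoped to mass-storage devices, and matched against a list of approved drives by vendor ID, product ID and serial number, failing closed when a storage device presents no serial at all. The event format, host and user names, vendor/product IDs and serial numbers are all constructed for the example.</p>

```python
"""Allowlist-based removable-device control check.

Added example for this page; it is not SSC's DLP tool. It models the kind of
endpoint control the text describes: every removable-storage attach event is
compared against an allowlist of approved devices and anything else is blocked.
The event format, allowlist entries and sample events are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlist: (vendor_id, product_id, serial) of corporately issued,
# hardware-encrypted drives. IDs and serial numbers are made up for the example.
APPROVED_DEVICES = {
    ("0951", "1666", "E0D55EA5C8B1"),
    ("0781", "5581", "4C530001230418106182"),
}


@dataclass(frozen=True)
class UsbEvent:
    host: str
    user: str
    vendor_id: str
    product_id: str
    serial: Optional[str]   # None when the device exposes no serial number
    device_class: str       # e.g. "mass_storage", "hid"


def parse_event(line: str) -> UsbEvent:
    """Parse one constructed key=value event line into a UsbEvent.

    Line format (constructed for this example):
      host=... user=... vid=... pid=... serial=... class=...
    An empty serial field is normalised to None.
    """
    fields = dict(tok.split("=", 1) for tok in line.split())
    serial = fields.get("serial") or None
    return UsbEvent(fields["host"], fields["user"], fields["vid"].lower(),
                    fields["pid"].lower(), serial, fields["class"])


def decide(event: UsbEvent) -> str:
    """Return 'allow' or 'block' for a device attach event.

    Only mass-storage devices are in scope for exfiltration control; keyboards
    and mice are left alone. A storage device with no serial number cannot be
    matched to the allowlist, so it is blocked (fail closed) rather than let in.
    """
    if event.device_class != "mass_storage":
        return "allow"
    if event.serial is None:
        return "block"
    key = (event.vendor_id, event.product_id, event.serial)
    return "allow" if key in APPROVED_DEVICES else "block"


def process(lines: List[str]) -> List[Tuple[str, UsbEvent]]:
    """Run the check over event lines; return (decision, event) pairs."""
    return [(decide(ev), ev) for ev in map(parse_event, lines)]


# Constructed sample events: an approved drive, a keyboard, an unapproved
# drive, and a drive that reports no serial number.
SAMPLE_EVENTS = [
    "host=WS-0412 user=jdoe vid=0951 pid=1666 serial=E0D55EA5C8B1 class=mass_storage",
    "host=WS-0412 user=jdoe vid=046d pid=c52b serial= class=hid",
    "host=WS-0977 user=asmith vid=0781 pid=5583 serial=ABC123 class=mass_storage",
    "host=WS-0977 user=asmith vid=1234 pid=0001 serial= class=mass_storage",
]

if __name__ == "__main__":
    for decision, ev in process(SAMPLE_EVENTS):
        print(f"{decision:5} {ev.host} {ev.user} {ev.vendor_id}:{ev.product_id} "
              f"serial={ev.serial or '-'} class={ev.device_class}")
```

  <p>Matching on the full (vendor, product, serial) triple rather than on vendor and product alone is the point of the example: a consumer drive from the same manufacturer as the approved model would otherwise pass, and a device that withholds its serial is treated as unknown and blocked.</p>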
   
  <ul>
    <li><b>Financial:</b> There are significant financial losses resulting from data breaches, including fines, audit fees and legal expenses. In its 2018 study, the Ponemon Institute estimated that the average cost of a data breach had risen to $3.9 million globally and to $5 million in Canada specifically. Contrast this with the average annual cost of a subscription-based DLP solution, approximately $175,000 according to Forrester.</li>
  </ul>
  <h4>Challenges</h4>

  <p>Integrating a DLP solution into the infrastructure is a complex undertaking, involving many components such as a database analyzer, an email system, a web proxy, etc. Adding to the complexity, data security and DLP initiatives face several difficulties as a result of the modern technological landscape. When it comes to integrating a DLP solution, several challenges and issues are relevant to SSC:</p>

  <ul>
    <li><b>Complex DLP integration:</b> Enforcing DLP technologies is generally complex, varies with the organization’s network architecture, and requires working across many components: security, networking, infrastructure, email, web, endpoint, storage and databases. Deploying, configuring and managing these DLP systems is also complicated. Fully protecting an IT infrastructure calls for a holistic approach; however, organizations often lack a clear DLP strategy and struggle to balance it against new ways of working.</li>
    <li><b>User Awareness and Engagement:</b> Organizations have limited control over their employees’ actions. It is common for employees to lack awareness, accountability and responsibility for what they do. Some training and awareness campaigns do not focus enough on protecting sensitive data and on using security tools such as file encryption. There is also a general sense that breaking the rules carries no risk.</li>
  </ul>
  <p class="expand mw-collapsible-content">The following trends will continue to be a challenge for IT service providers in protecting data:</p>
  <ul class="expand mw-collapsible-content">
    <li><b>Emerging Consumerism:</b> The availability of computing devices and internet connectivity anywhere, at any time, has its benefits. Unfortunately, it also facilitates the disclosure of personal or proprietary information by providing several exit points to the web. “Bring Your Own Device” (BYOD) policies are exposed to the loss of physical assets such as laptops, and end users may unintentionally spread confidential information through social media.</li>
    <li><b>Business Continuity and Disaster Recovery:</b> The technological climate forces organizations to maintain 24/7/365 system availability. Outages that interrupt the continuity of IT services can cause financial and reputational loss.</li>
    <li><b>Persistence of Cybercrime:</b> Because data has real-world value, cyberattacks are becoming more frequent and more sophisticated. While the majority of attacks come from external sources, the Verizon study estimates that 15% of attacks involved insiders losing or stealing devices, transferring data to personal storage, and so on.</li>
  </ul>
    
  <h4>Considerations</h4>

  <p>As with any program or tool, it is necessary to align policies with controls. The GC already has various policies in place pertaining to IM/IT infrastructure, including the security of these resources and information. However, if an organization has policies that prohibit or monitor certain activities but the corresponding control is incomplete or absent, data leakage still poses a large risk to the organization. Security policies exist, but departmental compliance and control implementation remain an issue.</p>

  <p>Although DLP protocols and controls have already been implemented across much of SSC’s IT infrastructure, there are some areas in which improvements should be considered. With government-wide strategies around “Open Government” and “cloud computing,” SSC will face an increasing need to extend DLP tooling to these platforms as they evolve and expand.</p>

  <p>Once aligned with policies, which may change and evolve over time and as technology advances, SSC must be prepared for its DLP controls to change with them. Leading experts in the area define DLP as a dynamic process, not an end state. A robust DLP program is an opportunity to work with stakeholders and set the expectation that protocols will be adjusted over time. DLP must also be considered whenever the network architecture and tools change; SSC should evaluate how security checks are integrated into new projects.</p>

  <p>Furthermore, while SSC will play the main role in procuring DLP tools for departments and delivering these services, the protection of data requires a team effort. Collaboration on monitoring, surveillance and the granting of access to local or departmental networks and resources will be needed. Engaging stakeholders also helps to identify vulnerabilities that may otherwise be missed. A mindset of collective responsibility is a best practice for making DLP as effective as possible.</p>

  <p>One way of helping to achieve buy-in around DLP as an ongoing process, and of creating a culture of collective responsibility, could be for SSC, along with its partner departments in the GC, to establish “Security Champions”. The GC has introduced a national champion, Mr. David Jean, the GC’s Champion of Security, to be the link between departmental security and national security interests with respect to all forms of threats or safety issues, not only those related to cybersecurity. However, cyber-specific champions could also be introduced at a more local level to advance DLP “on the ground”, as suggested in the [https://www.canada.ca/content/dam/ssc-spc/documents/IT-Transformation-Plan-Consultations-Report-2016.pdf Summer-Fall 2016 Consultations: Information technology Transformation Plan – What We Heard Final Report]. Such employees can help promote the importance of security protocols and behaviours, and can be an important part of the DLP framework.</p>

  <p>However, DLP tools and processes cannot work in isolation from systems and users. Without proper operationalization, DLP risks offering a false sense of security and merely becoming a risk generator. [http://myssc-monspc.ssc-spc.gc.ca/en/worktools-processes/integrated-business-planning/CITS#toc251 The SSC Departmental Plan of the Cyber and IT Security] program identifies the following five risks with respect to cybersecurity, of which DLP is a part:</p>

  <ul>
    <li><b>Resource Capacity:</b> SSC may not have adequate financial and human resources to improve services and to introduce the latest technologies to counteract cyber threats.</li>
    <li><b>Aging IT Systems:</b> Current IT infrastructure is at risk of failing because it has reached end of life.</li>
    <li><b>Cyber and IT Security:</b> SSC is at risk of not being able to respond efficiently to IT security and cyber security threats, which would result in proprietary information being compromised and disaster recovery activities being impeded.</li>
    <li><b>Service Delivery and Management:</b> SSC’s enterprise tools and processes are at risk of not being able to improve the delivery of services to partner organizations.</li>
    <li><b>Availability and Quality of Information:</b> Lack of availability and integrity of information will impede effective planning and decision-making.</li>
  </ul>
    
  <h2>References</h2>