IRM & DLP with Security Standards & Regulations

A company may well already be compliant with certain security standards and regulations, PCI DSS for example, in which case it is natural to ask how IRM will integrate with them.

In this section some of the most commonly applied security standards and regulations are explained, along with the ways in which IRM fits into the processes they require. This gives a clear idea of how IRM sits within an organisation that is required to comply with these standards:

1. PCI DSS
2. The Sarbanes-Oxley Act (SOX)
3. The New EU Regulations

1. PCI DSS

The PCI DSS security standard consists of twelve requirements, grouped into six control objectives. PCI DSS is a set of requirements that must be adopted and followed by organisations that handle payment card information (PCI: Payment Card Industry). Below we examine how IRM maps onto the PCI DSS requirements.

PCI DSS Requirements

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an information security policy
12. Maintain a policy that addresses information security.

IRM & DLP interact with the PCI DSS requirements in the following ways:

a) Properly integrated IRM & DLP solutions protect stored cardholder data contained in electronic documents, so that unauthorised users cannot open the document even after it leaves the organisation.
b) IRM & DLP allow staff to share documents and emails securely, both internally and externally, knowing that only the intended, authorised recipients will be able to open them.
c) IRM restricts access to confidential documents while still giving users with the appropriate permissions straightforward access. This protection still applies if an unauthorised user accidentally gains access to a file share.
d) IRM & DLP also provide a large measure of physical protection for confidential documents. If a file server is physically stolen from an organisation's premises and powered up elsewhere, the files protected with IRM remain encrypted and cannot be opened.
e) Our IRM & DLP integration allows monitoring and tracking of access to all protected documents, giving control over who accesses confidential data.
f) Because our DLP solutions are driven by pre-defined security policies and help enforce them, they integrate seamlessly and require next to no manual intervention. They work with Microsoft Exchange, SharePoint and the file server.

IRM fits readily into an organisation and works well for businesses that handle payment information such as credit card data: it provides control over data security and monitoring of access to protected information.

Please also note that PCI DSS v3.1 requires stored cardholder data (the primary account number) to be rendered unreadable, for example with strong cryptography, and cardholder data to be encrypted when transmitted across open, public networks. IRM and DLP solutions help meet these requirements by keeping confidential documents encrypted when stored and when shared.

2. The Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act is a regulatory standard requiring publicly held companies to establish effective internal systems and procedures for accurate and regular financial reporting. The ultimate goal of the SOX framework is to reduce the possibility and incidence of corporate fraud. SOX sets out three objectives supported by five elements of internal control, a broad summary of which follows.

Provide reasonable assurance that:
1. Assets are safeguarded and used for business purposes
2. Business information is accurate
3. Employees comply with laws and regulations

The five elements of internal control:
1. The control environment
2. Risk assessment
3. Control procedures
4. Monitoring
5. Information and communication

Our IRM & DLP solution maps onto the SOX standard in the following way:

a) IRM safeguards confidential internal documents and can place restrictions on them, for example marking them for business use only. This restricts the document and prevents it being opened by unauthorised parties.
b) DLP solutions help employees comply with the appropriate laws and regulations, because IRM keeps documents protected whether they are at rest or in transit, inside the organisation's premises or at an external location.
c) There are almost certainly locations in a domain that contain very sensitive information, as will likely be observed during risk assessments; information that could prove highly damaging if it were leaked in a data breach. With IRM, those documents are unreadable by unauthorised parties; even if a document is leaked it remains encrypted and cannot be opened.
d) To give an organisation maximum control over highly sensitive data, IRM allows access to designated documents to be monitored, so that it can clearly be seen who is accessing them and a tight grip kept on data security.

Our DLP solutions are mainly active on Microsoft Exchange, SharePoint and the file server, and apply IRM protection to documents that meet the configured criteria.

IRM and DLP strategies from DPRMS are a good fit for any organisation that needs to comply with SOX: they tighten existing security measures and give control over access to sensitive data.

As with all services provided by DPRMS, quality of service is assured by extensive industry experience.

3. The New EU Regulations

A stronger regulation is to replace the first EU Data Protection Directive, produced in 1995, taking into account the considerable changes and improvements in technology that have occurred since.

If all goes ahead smoothly and as planned, it is estimated that the new regulation could be in force by 2017, so we would like to give you some insight into what it is going to consist of.

Please note that we have only seen drafts, and drafts are subject to change, so take this information as a guide rather than a word-for-word prediction.

Below are some things we feel you should be aware of.

1. EU GDPR: Not a Directive, Law!
This is no longer a directive; it is going to be law. The difference is that a directive must be transposed into national law by each member state before it can be enforced there. A regulation, by contrast, becomes law as it is passed: if it is successfully passed it will take direct effect in all 28 EU member states without national transposition, and failure to comply will carry the relevant penalties.

2. Everyone Is Responsible
Under the new regulation the companies and/or individuals processing data are fully responsible for its protection. This includes third parties, cloud providers for example. Any organisation that has a part in accessing or consuming confidential information is legally bound to act professionally and responsibly to ensure that it remains safe.

3. User Compensation Claims
This is a serious potential cause for concern and deserves special attention. The regulation will allow individuals affected by a data breach to claim damages where the breach resulted from unlawful management and processing of their data.

4. Tough Penalties
Again, this is a serious cause for concern if an organisation does not abide by the regulation: in the event of a major breach the draft provides for penalties of up to €100M or 5% of global revenue, whichever figure is higher.

5. Encryption to the Rescue!
The regulation states that controllers must "meet the individual's reasonable expectations of data privacy", and that tokenised, encrypted or pseudonymised data does meet these expectations.

This is where DPRMS comes in. When IRM is deployed to protect confidential files, the encryption of that sensitive information means that individuals' expectation of data privacy is being met.

It is easy to see that the upcoming EU regulation places serious value on data security and on the responsibility of those handling data to maintain its confidentiality, with strict and potentially highly damaging penalties should the data be breached.

This is why IRM & DLP solutions from DPRMS are such an attractive proposition: they allow organisations to conform to the new regulation in a seamless, professional and effective fashion, while increasing control over confidential information and benefiting from an intuitive design and implementation.