1 Purpose
1.1 Much of data security involves preventing malicious attacks on organisations’ networks. Employees have so many ways to access and share organisational data, making accidental data loss a severe problem. Much of that is due to the distributed nature of modern computing.
1.2 Data storage is available in cloud services and remote locations. As employees are working more and more from remote locations, the data can be accessed from vulnerable laptops and phones, making it harder than ever to secure data.
1.3 Data collection and use (and in some cases abuse) are coming under increased regulatory scrutiny. It comes down to three main reasons for establishing a data loss prevention policy:
• Compliance: Governments have various levels of regulation of how organisations collect and secure personally identifiable information. A data loss prevention policy is an important part of complying with data regulation and reporting information in compliance audits
• Intellectual property: All employees need to protect proprietary information and trade secrets from unauthorised access
• Data visibility: Organisations can gain valuable insights by monitoring how stakeholders access and interact with data
1.4 A data loss prevention policy can help organisations prevent unauthorised data access and protect themselves from potential damage. While no protection will be bulletproof, there are best practices that can help establish a successful data protection policy:
• Identify the primary data that the policy is meant to protect. Most often data is classified according to its vulnerability and risk factors. Taking the time to understand data and classify it can lead to greater organisational insights
• Establish criteria for evaluating data loss prevention vendors. Choosing data loss prevention solutions can be daunting. However, creating an evaluation framework with the right questions can help lead to an educated purchasing decision.
• Clearly define the roles of everyone who will be involved with data loss prevention, not just who will monitor data usage and make the rules. Segregating responsibilities helps prevent misuse.
• Keep it simple at first. Choose a specific type of data or risk to address. The goal is to secure the most critical data and get a measurable win early. Then build upon that.
• Each employee has a role in shaping a data loss prevention policy that aligns with corporate culture.
• Educate everyone in the organisation about how and why the data loss prevention policy is in place
• Document the data loss prevention processes carefully. A written policy should focus on how to protect data
• Set and share metrics for success. Data loss prevention metrics will determine the return on investment of policies and solutions.
• Anticipate workarounds to limits. If email rules prevent large files from being attached, will employees find other ways to transfer files? Examine workflows to make sure data loss prevention policies don’t get in the way of employees legitimately doing their jobs
• Assess how much data is needed. Determine what kind of data is needed and why. Don’t save data that isn’t needed
• Monitor data usage before blocking it. Set up data loss prevention tools to report sensitive data loss first. Make sure any rules that block data transfer would not disrupt workflow
2 Definition
2.1 Threats of data loss from internal users have always been a risk. To sum up the changing landscape and increasing risk: –
• There are now many more ways data can leave an organisation.
• Storage is cheap. Many gigabytes of data can walk out of the door on an employee’s keychain or smartphone, or staff can send it through online systems such as Dropbox
• Data is everywhere. Decentralised systems and work collaboration tools make it much more difficult for organisations to track and control information within the business.
• Data has value in the real world, including from seemingly legitimate sources.
• The most recent generation of workers to join companies has grown up with openness and information sharing as a cultural norm
• It is easier than ever for data to cross borders, and demand for sensitive data is coming from all over the world as companies (and nations) try to gain competitiveness in the global marketplace
• The sheer volume of data is increasing as never before.
2.2 The volume, impact and visibility of incidents have resulted in renewed focus from regulators. Data protection requirements, particularly breach notification rules, for organisations are becoming more strict, and enforcement penalties are on the rise. From a company’s perspective, reducing the risk of data loss reduces regulatory risk and helps to protect the company’s brand, strategic business data and intellectual property.
2.3 We categorise the Data Loss Risk taxonomy as follows: –
• Loss or theft of laptops and mobile devices
• Unauthorised transfer of data to USB devices
• Improper categorisation of sensitive data
• Data theft by employees or external parties
• Printing and copying of sensitive data by employees
• Insufficient response to intrusions
• Unintentional transmission of sensitive data
2.4 We categorise the consequences of a Data Loss event as follows: –
• Brand damage and loss of reputation
• Loss of competitive advantage
• Loss of clients
• Loss of market share
• Erosion of shareholder value
• Fines
• Civil litigation/legal action
• Regulatory fines/sanctions
• Significant cost and effort to notify affected parties and recover from the breach
3 DLP Policy Overview
3.1 We base our approach to DLP on the following understanding: –
• What data we have.
• The value of our data
• Our obligations for protecting that data
• Where our data resides
• Who is accessing our data
• Where our data is going
• How we protect our data
3.2 We have the following data that resides on our Dropbox shared service between the two managing directors
• Quant Foundry set up information
• Quant Foundry policies and HR information
• Marketing Information
• Client presentations
• Thought Leadership
• Staff information – NDA, CVs, QCVs, daily rates
• Project artefacts
3.3 We have the following data that resides on our Trello shared boards between the two managing directors
• People targets
• Client Pipeline
• Quant Foundry set-up information
3.4 We have the following data that resides on our Trello boards between the two managing directors and project leads
• Quant Labs project information
• Quant Forge project information
• Quant Works project information
3.5 We have the following data that resides on our WhatsApp
• General non-sensitive information
3.6 We have the following data that resides on our Slack account
• Project non-sensitive information
3.7 We minimise the use of email, which is hosted in the cloud by Bluehost: –
• Both managing directors are administrators
• Avoid using emails for internal traffic
• Restrict to external communication
3.8 We must ensure that we hold all client information securely: –
• We manage all client information under NDA arrangements
• We communicate with clients via email
3.9 The Quant Labs division stores model analytics on a physical server at the location of 68 Lombard Street. All versions of code follow standard SDLC protocol.
4 Data Lifecycle
4.1 From a data loss perspective, we have adopted three industry standard terms related to the states in the data lifecycle:
• Data at rest is data that is stored within the IT infrastructure and on media. Common components containing data at rest are servers, databases, file shares, intranet sites, workstations, laptops, mobile devices and portable storage. Data at rest can also be stored externally with third parties or through external extensions of the IT infrastructure, such as cloud storage.
• Data in motion is data that is in transit, flowing across internal networks and to the outside world (i.e., data on the wire and in the air).
• Data in use is data that is being accessed or used by a system at a point in time.
4.2 Currently, Quant Foundry does not allow third-party data access to their information.
4.3 DLP principles that drive security requirements include:
• We will not transmit sensitive data through public networks without adequate encryption
• Only internally approved technologies may be used to exchange data with third parties
• We must log access to sensitive data and monitor it where appropriate
• We must restrict access to sensitive data stored on information systems to those who require it to perform their job responsibilities
• We will not share sensitive data with third parties without sufficient contracts in place specifying information security requirements
• We must anonymise sensitive data before storing in less controlled environments, such as test and development environments
• We must adequately protect sensitive data through all stages of the data lifecycle and the systems development lifecycle (SDLC).
4.3 Defining sensitive data is a fundamental requirement to avoid an adverse and costly impact on the business. By defining sensitive data up front and aligning the program to protect our most sensitive data, we can ensure that resources are spent managing the highest risks.
4.4 Data in motion
• Perimeter security
• Network monitoring
• Internet access control
• Data collection and exchange with third parties
• Use of instant messaging
• Remote access
4.5 Data in use
• Privileged user monitoring
• Access/usage monitoring
• Data sanitation
• Use of test data
• Data redaction
• Export/save control
4.6 Data at rest
• Endpoint security
• Host encryption
• Mobile device protection
• Network/intranet storage
• Physical media control
• Disposal and destruction
5 Supporting information security processes
5.1 DLP controls cannot operate effectively in a vacuum. For a DLP program to be effective, the links to other information security processes must be understood so that multiple layers of defence are established and monitored. For example, effective logical access controls may be in place, but if physical controls fail and sensitive hard copy information is removed from your facilities, data loss still occurs.
5.2 It is essential that we keep DLP controls and supporting information security controls up to date and that we monitor the effectiveness of these controls over time.
5.3 We plan to implement a data loss risk program with a clear set of commands to mitigate data loss risks and provide a holistic view of data loss potential across the Quant Foundry. We also aim to build a data loss risk dashboard and perform current-state assessments.
6 Unauthorised devices on our network.
6.1 We do not allow unapproved devices on our network.
Allowing non-corporate assets to access the internal network can lead to several risks. These include unauthorised parties with physical access to the company’s premises accessing internal network resources, and internal users connecting personal devices to the corporate network. Personal devices will most likely lack organisational device protection measures and endpoint security controls.
6.2 We do not permit the copying of sensitive data to removable media. Endpoints should be configured to disable writing to all removable storage devices. Content-aware endpoint DLP technology should be in place to prevent sensitive data from being copied from the source. Mobile devices like laptops and mobile smartphones should have full disk encryption, and we should have the ability to erase them remotely if they are lost or stolen.
6.3 We review and tighten data access controls and
6.4 We will continue to improve our security program to incorporate data loss awareness in line with company policies to ensure that everyone is aware of the potential data loss risks. Clear guidance will educate employees on what is expected from them when handling data. We will continue to develop a clear and well-understood data protection policy that will encourage proper behaviour by employees and data owners concerning data handling, storage and transfer.