News

IPLocks Lays Down the Seven Laws of Risk Management

• By John K. Waters
• June 13, 2005

In 2002, when IPLocks was founded, the enterprise database security conversation was all about perimeters and encryption, and the company’s products reflected that focus. But the conversation has taken a turn in recent years. Organizations are concerned about internal intrusions, the misuse of sensitive information by trading partners and sustaining regulatory compliance. IPLocks has responded to that shift with a broader approach, says CTO Adrian Lane, which it calls information risk management.

“Increasingly, our customers are interested in the role of information security as it relates to corporate governance,” he says. “They’re asking, ‘How do I implement good, sound corporate governance while ensuring that there’s a holistic framework for data governance across the organizations?’”

IPLocks' Information Risk Management Platform is a automated lifecycle solution designed to centrally assess, monitor and audit information access on all databases across an enterprise, globally, without the use of agent software. The 5.0 version launched last month supports regulatory compliance and includes the ability to capture user behavior SQL statements, support for a command-line interface and full platform support for monitoring Teradata databases.

To bring further focus to this new risk-management paradigm, the company has published a set of guidelines, “The Seven Laws of Information Risk Management.” These read like from-the-hip observations, forming a common-sense framework to get the security discussion started, says Christine Crandell, IPLocks’ VP of marketing.

"The intention of the Laws is to encourage people to talk about security,” Crandell says. "It's time to get the skeletons out of our closets, to really understand the threats we face and how to address them."

1. Your partners and employees will steal from you:
   As globalization and interconnectedness increases, without proper vetting and security, employees, customers and trading partners can accidentally corrupt your data or cause regulatory compliance issues through misuse of the data. In the worst-case scenario, they can steal confidential data and sell it.
2. Bust up policy barriers:
   Security, auditing, regulatory affairs and privacy impact the entire organization and should not be kept in departmental silos. People, process and technology must be integrated.
3. It's all about privacy:
   Security is a building block for privacy, which is a major component of regulatory initiatives. For example, CA1386, HIPAA and GLBA in the U.S. and the Japan Information Privacy Law are primarily about privacy. The fundamental weakness to such laws is they cannot protect your brand, sensitive data, business continuity or financial position against a breach.
4. Don't stop working:
   Effective information risk management should not radically alter work or its flow. Examples are rife of organizations implementing draconian policies that substantially reduce productivity and impair customer service, while providing questionable security benefits.
5. Don't spend foolishly:
   You must match the level of information risk management investment directly to the level of risk. For each dollar invested, ascertain the quantitative and qualitative risk mitigated by the technology.
6. Be afraid—it will happen to you:
   Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the other guy is a myth, and the chance is greater than 50 percent that it has already happened at your organization. Ernst & Young recently reported that 70 percent of all security breaches that involve losses of more that $100,000 are perpetrated internally.
7. No silver bullet:
   There is no single technology that will solve security problems or provide regulatory compliance. Information risk management is a process that requires continuous monitoring, auditing and adjustment of how sensitive information is used—not just an initial risk assessment.