IPLocks Lays Down the Seven Laws of Risk Management
By John K. Waters
In 2002, when IPLocks was founded, the enterprise database security conversation
was all about perimeters and encryption, and the company’s products reflected
that focus. But the conversation has taken a turn in recent years. Organizations
are concerned about internal intrusions, the misuse of sensitive information by
trading partners and sustaining regulatory compliance. IPLocks has responded to
that shift with a broader approach, says CTO Adrian Lane, which it calls information
“Increasingly, our customers are interested in the role of information security
as it relates to corporate governance,” he says. “They’re asking,
‘How do I implement good, sound corporate governance while ensuring that
there’s a holistic framework for data governance across the organizations?’”
IPLocks’ Information Risk Management Platform is an automated lifecycle solution
designed to centrally assess, monitor and audit information access on all databases
across an enterprise, globally, without the use of agent software. The 5.0 version
launched last month supports regulatory compliance and includes the ability
to capture user behavior SQL statements, support for a command-line interface
and full platform support for monitoring Teradata databases.
To bring further focus to this new risk-management paradigm, the company has
published a set of guidelines, “The Seven Laws of Information Risk Management.”
These read like from-the-hip observations, forming a common-sense framework
to get the security discussion started, says Christine Crandell, IPLocks’
VP of marketing.
“The intention of the Laws is to encourage people to talk about security,”
Crandell says. “It’s time to get the skeletons out of our closets, to really
understand the threats we face and how to address them.”
The seven issues are listed here, with summaries. More details are available
on the company Web site at: www.iplocks.com/challenges.html.
- Your partners and employees will steal from you:
As globalization and interconnectedness increase, without proper vetting
and security, employees, customers and trading partners can accidentally corrupt
your data or cause regulatory compliance issues through misuse of the data.
In the worst-case scenario, they can steal confidential data and sell it.
- Bust up policy barriers:
Security, auditing, regulatory affairs and privacy impact the entire organization
and should not be kept in departmental silos. People, process and technology
must be integrated.
- It's all about privacy:
Security is a building block for privacy, which is a major component of regulatory
initiatives. For example, CA1386, HIPAA and GLBA in the U.S. and the Japan
Information Privacy Law are primarily about privacy. The fundamental weakness
of such laws is that they cannot protect your brand, sensitive data, business continuity
or financial position against a breach.
- Don't stop working:
Effective information risk management should not radically alter work or its
flow. Examples are rife of organizations implementing draconian policies that
substantially reduce productivity and impair customer service, while providing
questionable security benefits.
- Don't spend foolishly:
You must match the level of information risk management investment directly
to the level of risk. For each dollar invested, ascertain the quantitative
and qualitative risk mitigated by the technology.
- Be afraid—it will happen to you:
Expect the unexpected by assigning responsibilities before a privacy breach
occurs. Information theft only happening to the other guy is a myth, and the
chance is greater than 50 percent that it has already happened at your organization.
Ernst & Young recently reported that 70 percent of all security breaches
that involve losses of more than $100,000 are perpetrated internally.
- No silver bullet:
There is no single technology that will solve security problems or provide
regulatory compliance. Information risk management is a process that requires
continuous monitoring, auditing and adjustment of how sensitive information
is used—not just an initial risk assessment.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached