Inside a data leak audit
Editor's note: Security consultancy Networks Unlimited allowed freelance reporter Sandra Gittlen to tag along as it conducted a data leak audit at a Boston pharmaceutical firm, then presented its findings to company execs. In exchange for this type of access, we agreed not to identify the pharma firm.
When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.
"Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says.
But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.)
The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes.
Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations.
Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk profile.
That said, Spinosa was shocked at what he found -- more than 700 leaks of critical information, such as Social Security numbers, pricing, financial information and other sensitive data in violation of the Payment Card Industry's standards. He also found serious lapses – more than 4,000 – that ran counter to HIPAA and Defense Department Information Assurance Certification rules.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
data leak
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Interesting article
Typical IT driven approach. Gaining exec sponsorship means the audit comes first....tackle with technology. In this tight economy, is this not the trend????? At least it leads firms to understanding via the governance approach.I'll talk to John about taking on Attevo... Dan