Tag Archives: Tagging

NMH survival strategy

26 July 2014

Business people are quick to demand the highest IT security standards, but when it comes to implementation, the security measures must not have any impact on their daily business.

How much impact is just about acceptable? The answer depends on many factors, and there is no universally applicable answer to this question.

Last week this question came up in a discussion about the impact of protection measures on scientists. My answer was: let's try the NMH (No, Medium, High) impact approach.

No impact

Start with protection measures that have no impact on daily work. Many technical measures and a few organizational measures can be implemented in the background, ideally without any downtime.

Present your approach and the measures to the business groups. Show that there is no impact on their daily work. I bet everyone will welcome this approach. And if it works, everyone will trust you and you will feel like a superhero.

Medium impact

In the next step, develop measures with low or medium impact on daily work. It is very important that this is done in close collaboration with the business groups. These are mostly organizational measures or small changes to the way of working, e.g. doing without USB sticks, encrypting emails when sensitive information is exchanged, or setting up a data handling policy.

Offer alternatives that are at least as good and easy to use. Agree with the business groups on the set of measures to be implemented, on the schedule, and on the remaining risk. Make clear that the business groups have to carry the remaining risk! Implement the changes in close cooperation with the business groups.

High impact

Finally, discuss measures that have a high impact on the way of working, e.g. strong passwords, two-factor authentication for systems used to access core business data, or classification and tagging of data.

If there are legal requirements to implement those measures, the job is easier. Either way, you have to make the advantages clear! In the end, the business groups have to agree on the set of measures to be implemented. In the worst case, they accept the remaining risk and reject all proposals for high impact measures. If there are no legal requirements, that's acceptable.

From my point of view, the NMH approach gives you a high level of security without infuriating the business groups too much!

Become a superhero!

Security Think Tank: How to share data securely

21 June 2014

This post by Tim Holman is absolutely worth reading.

Security Think Tank: How to share data securely

Tim presents the elementary basics at the People and Process level for sharing classified data with trusted third parties. From my point of view, these basic principles must also be applied to the handling of classified data inside a company.

In particular for information classified as strictly confidential, I would strongly recommend taking further action:

  • Review all authorizations and permissions with strict regard to the Need-to-Know and Separation of Duties principles.
  • Reorganize all filing structures.

Both measures can be implemented rapidly and will raise the overall level of security, because we then know in detail who is authorized to access the information and where it is stored.
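As an added illustration of the first measure (an access review against the Need-to-Know and Separation of Duties principles), here is a small Python script that is not part of the original post or of Tim Holman's article. It assumes a simple role model (roles map to the permissions they need), a list of role pairs that one person must not hold at the same time, and a snapshot of current assignments such as an export from a directory; all names, roles and permissions below are constructed for the example.

```python
"""Access review helper (added example, constructed data).

Flags two kinds of findings:
  * need_to_know: a user holds permissions that none of their roles require
  * separation_of_duties: a user holds a role combination declared as a conflict
"""
from itertools import combinations

# Constructed role model (assumption): the permissions each role needs.
ROLE_PERMISSIONS = {
    "researcher": {"read:lab-data"},
    "lab-lead": {"read:lab-data", "write:lab-data", "read:strictly-confidential"},
    "finance": {"read:invoices", "approve:payment"},
    "purchasing": {"create:purchase-order"},
}

# Constructed separation-of-duties rules: role pairs one person must not hold.
SOD_CONFLICTS = {frozenset({"finance", "purchasing"})}

# Constructed snapshot of current assignments (e.g. a directory export).
USERS = {
    "alice": {"roles": {"researcher"}, "permissions": {"read:lab-data"}},
    "bob": {"roles": {"researcher"},
            "permissions": {"read:lab-data", "read:strictly-confidential"}},
    "carol": {"roles": {"finance", "purchasing"},
              "permissions": {"read:invoices", "approve:payment",
                              "create:purchase-order"}},
    "dave": {"roles": set(), "permissions": set()},
}


def excess_permissions(user):
    """Permissions the user holds beyond what their roles justify."""
    needed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
    return user["permissions"] - needed


def sod_violations(user):
    """Conflicting role pairs the user holds, as sorted tuples."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(user["roles"]), 2)
        if frozenset(pair) in SOD_CONFLICTS
    )


def review(users):
    """Run both checks over every user; return only users with findings."""
    findings = {}
    for name, user in users.items():
        entry = {}
        extra = excess_permissions(user)
        if extra:
            entry["need_to_know"] = sorted(extra)
        sod = sod_violations(user)
        if sod:
            entry["separation_of_duties"] = sod
        if entry:
            findings[name] = entry
    return findings


if __name__ == "__main__":
    for name, entry in review(USERS).items():
        print(name, entry)
```

The output lists only the users that need attention: bob holds a strictly confidential read permission his role does not justify, and carol combines two roles the rules declare as a conflict. Feeding the script a real export replaces the constructed dictionaries; the checks themselves stay the same.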

In addition, technical measures like an integrated Tagging/DLP solution can be applied to support employees in enforcing the company's security policy. In my opinion, encryption is the last line of defence.