Thursday, June 24, 2010

ISMS Topics

I'd recommend Googling for 'data exfiltration' or 'data leakage protection'
tools that might be run on your network, but I guess your key issue is that
most webmail sites use HTTPS so, unless you have a suitable HTTPS
man-in-the-middle proxy (which introduces its own significant security
issues), you won't be able to scan the plaintext.

It is feasible to ban such services and to ensure compliance by strict
network controls as well as policies and procedures, but you will have to
draw up a decent security risk analysis and make your case to counteract the
perceived value of allowing staff free access. If you can get any of those
DLP or similar tools in for evaluation, see if you can gather some
statistics to get a handle on the current scale of the problem: proven
exfiltration of sensitive/valuable data makes your business case more
powerful than mere conjecture.

By the way, your job is to make a clear recommendation but let "management"
make the risk-based control decision, unless YOU want to be held accountable
for any incidents (security, HR or otherwise) that flow from this. Don't
let them get away with a plain "No!"; make it crystal clear that in so
deciding, they would be unwisely accepting what you presumably consider to
be an unnecessary risk, and therefore a range of compensating controls would
be necessary, such as additional training/awareness, policies and procedures,
compliance measures, incident and contingency plans, etc.

Kind regards,

Gary Hinson