
IT Advisory

Information Leakage Prevention – Putting your information first
KPMG‘s view on preventing Information Leakage

Information Leakage Prevention 2

An introduction to Information Leakage

The 21st century is all about technology and communication.

As the global village becomes smaller, and people become better connected and more knowledgeable, organisations find themselves being challenged daily by the need to ensure that data related to their most sensitive activities will not leak, either due to intentional or unintentional activities.

A survey conducted by KPMG IT Advisory (hereafter KPMG) indicates a significant growth in the number and impact of data loss incidents throughout 2007-2008. The survey anticipates that during 2009, over 190 million people may become victims of data loss incidents.

Maintaining the confidentiality of an organisation’s activities and sensitive information is vital to its stability, reputation and to support stakeholders’ decision making processes.

Organisations are required to balance the need to strive for better efficiency and excellence (by allowing information and knowledge to flow throughout the organisation) against the risks that this creates for the confidentiality, integrity and availability of the organisation’s information assets.

Throughout 2009, global and social trends, as well as the current global financial crisis, have created challenging and highly complex internal and external environments for information assets and their confidentiality.

The purpose of this whitepaper is to present the challenge that currently faces organisations, the size of the Information Leakage problem as well as the main threats and challenges that organisations are faced with in their attempt to control valuable information and prevent it from leaking, whilst ensuring the sufficient flow of information to support and promote their activities internally and externally.

The paper sets out recommended measures intended to serve as guidelines for organisations implementing measures to prevent Information Leakage, that is, sustainable Information Leakage Prevention (hereafter ILP).

This white paper has been sponsored by RSA for the RSA Information Security MarketPlace on the Ordina Open on 16 June 2009.

© 2009 KPMG Advisory N.V.

Information Leakage Prevention 3

Describing the Information Leakage Challenge in the current business environment

Organisations have rapidly developed from isolated entities into networked entities: information flows no longer stay within company borders and clients, third parties and partners all play an active role in creating and processing information. These networked entities need to open up to the outside world in order to interact with these external parties.

In addition, the increased outsourcing of process activities (as part of business process outsourcing initiatives) and of IT activities means that organisations face the challenge of how to govern and control their information.

Opening up to the outside world increases the risk of unintended exposure of confidential information to external parties. Information Leakage can be caused by, for example, the loss of a memory stick containing confidential information, the theft of confidential information by hackers, or the increasing threat of organised crime and even espionage.

In this context, the role of the regulators has also increased. Regulators recognise the challenge organisations face in proving that they are in control of their information. Answering questions such as “Who has access to what information at what time?”, “Are applicable Segregation of Duty requirements enforced?” and “Is this information being destroyed at the appropriate time and not too soon or too late?” can be difficult for many organisations, leading to control deficiencies regarding the use of information.

Figure: Current business environment


Figure: visualising the Information Leakage challenge

Finally, due to the lower cost of storage (amongst other things), the amount of information within companies and the means by which information can be stored have exploded over the last couple of years. Furthermore, due to IT outsourcing initiatives, a large portion of this information may be stored outside of the organisation’s boundaries at locations across the globe.

All of these developments lead to the fact that many organisations do not know where their information is stored, what the quality of this information is or who owns the information. It is also unknown if the information stored is still being used or not and what version of the information is the most accurate.

In conclusion, the Information Leakage Challenge that organisations face is how to govern, protect and manage companies’ valuable information in the most effective and efficient manner.


Quantifying the Information Leakage Challenge

Preventing Information Leakage and governing business information is becoming a greater challenge for organisations to handle. To quantify the Information Leakage Challenge, KPMG LLP, in cooperation with other European KPMG firms, regularly conducts two major surveys addressing risks, trends, impact and awareness related to data loss:

1. KPMG’s Data Loss Barometer [1, 2], conducted annually since 2005, addresses the growth in publicly known data loss incidents and their impact in recent years:

• Over 1,057 data loss incidents were reported between January 2005 and December 2008, with over 280 million people affected

• Estimations for 2009 are that if the trend since September 2008 continues, over 190 million people could become victims of data loss in 2009 (not taking into consideration the unforeseeable effects of the credit crunch)

• Over 50% of incidents are caused by internal sources

• Between 2007 and 2008, 4.6 million people were affected by human or system errors, 3.8 million people were affected by dishonest employees and 5.0 million people were affected by leaks in web sites

• Even sectors that are required to comply with strict laws and regulations governing data privacy are exposed to data loss risks. 19% of data loss incidents were linked to government organisations and 14% of data loss incidents occurred within the Financial Services sector

2. KPMG’s e-Crime survey [3], conducted by KPMG International in partnership with AKJ Associates Ltd.

• The survey points out the top three sensitive information assets in organisations, as outlined by the representatives of over 300 businesses globally:

1. Customer data (76% of respondents identified this as one of their top 3)

2. Customer personal identifiable information (60% of respondents)

3. Login/password information and account information (53% of respondents)

• The participants outlined that the main drivers for increased investment in security capabilities over the past year were:

1. High-profile incidents within other organisations (42% of respondents)

2. Regulatory compliance (41% of respondents)

3. Fear of a major incident resulting in negative media coverage of their organisation (40% of respondents)

• 67% of respondents selected ‘Budget’ as a major bottleneck preventing their organisation from increasing its proactive capabilities to reduce the impact of e-Crime.

There is substantial growth in the implementation of information security-related technologies and a subsequent growth in managerial awareness of the impact of data loss incidents in all sectors due to increased media attention. However, as both surveys indicate, there is still an even greater noticeable growth in Information Leakage incidents and in the risks and threats of leaking information. The current economic situation only adds to this.

1 Data Loss Barometer – September 2008, September 2008 (publication number RDD – 102553)
2 KPMG’s Data Loss Barometer – Review of 2008 and predictions for 2009, December 2008 (publication number RRD – 120084)
3 e-Crime survey 2009, 5 March 2009


Economic pressures will increase the Information Leakage problem

The global financial crisis is having a direct impact on the growth and changes in direct and indirect risks that are applicable to organisational information assets.

As budgets decrease and internal and external environments become more unstable, the ability to monitor and apply controls over the confidentiality of information assets becomes a challenge.

The e-Crime survey conducted by KPMG International in partnership with AKJ Associates Ltd points out the following main e-Crime risks that are of the greatest concern in the current economic climate to the representatives of over 300 businesses globally:

1. An increase in out-of-work IT professionals during the recession may lead to more people with technical skills joining the cyber-criminal underground economy (66%)

2. Theft of customer or employee data by insiders or ex-employees (64%)

3. Knowledge of weak points in business processes/systems being deliberately exploited by insiders or ex-employees (62%)

4. Theft of intellectual property or business sensitive data by insiders or ex-employees (61%)

5. Loss of undocumented business knowledge (e.g. processes, encryption keys) relevant to security (38%)

6. Employees placing personal information on the Internet that can be exploited by attackers (36%)

7. Knowledge of weak points in business processes/systems being sold (27%)

“As organisations are involved in redundancies and downward pressure on costs forces them to drastic changes, there is a significant risk that disgruntled employees can cause serious damage to an organisation through data breaches.”

Edge Zarrella, KPMG’s Global Head of IT Advisory


Exploring Information Leakage risks

The business perspective

Information is the lifeblood of all organisations. By managing the information flow both internally and externally, stakeholders can steer and monitor activities, introduce more efficient business processes, create a competitive edge and market trends and ensure the quality of services and products.

As technology and communication channels evolve and people become more capable and accessible, the challenge to manage the flow of information and the applicable risks grows.

In most organisations the most substantial risks arise from internal factors (as employee loyalty changes over time) and external conditions (e.g. the credit crunch). In addition, the increased use of potential leakage areas such as social networks, and the need to share information using mechanisms such as Enterprise Content Management systems, are accompanied by a growing concern about the obvious inherent risks. Therefore, the need to identify and monitor the embedded risks becomes essential.

The impact of Information Leakage can be assessed by combining stakeholders’ vision and needs, the industry-based competitive landscape and the quantity and value of the organisational information assets.

In most organisations, impact ranges from the actual disruption of business processes (the cancellation of a merger and acquisition process, loss of partnership, loss of clients, litigations, being non-compliant, etcetera), through to the loss of actual assets (i.e. financial assets), to the loss of hard-earned non-measurable assets such as reputation, competitive edge, etcetera.

The following table demonstrates possible impact categorised by types of business risk:

It is important to note that, as the potential impact varies from one organisation to the next and changes over time and with the internal and external environments, the overall impact of an incident or a series of incidents in which information confidentiality is compromised is difficult to assess. It is therefore important to address identified risks while carefully monitoring the accepted risks.

Business Risks

Strategic:
• Loss of competitive edge / reputation damage
• Loss of ability to steer business

Regulatory / Legal:
• Fines from regulators or litigation / contract damage / prison

Asset:
• Fraud / theft / misuse
• Loss of trust in capital information / reputation damage
• Inability to measure investments / value of assets / intellectual capital

Operational:
• Loss of trust of partners
• Loss of quality of service / processes
• Business interruption

Market:
• Loss of competitive edge / loss of income and opportunities
• Loss of trust in financial information / reputation damage
• Loss of income and opportunities


Exploring Information Leakage risks

The IT perspective

If we look at the challenge from an IT perspective, the possible impact of inherent IT risks on these types of Information Leakage incidents also becomes clear on a more technical level. To show the particular types of risks involved, we have organised the risks according to the various states that information can be in:

• Information in rest: Information that is stored in some form of an information container (i.e. hard disk, USB memory stick, paper)

• Information in transit: Information that is being communicated using some form of communication medium (i.e. computer network, inter-process communication, sound)

• Information in use: Information that is being processed somewhere (i.e. changed, removed, transformed)

Each state of information can be associated with specific risks. An overview of these risks is shown in the table below.

ILP and Enterprise Content Management (ECM) Systems

The challenge of controlling information in a shared work culture

Organisational information assets were traditionally stored in a variety of media: physical media (i.e. paper), the human factor, and, more recently, various databases that were relatively complex to access and use.

By introducing Enterprise Content Management Systems, organisations are challenged by the need to control information and prevent leakage whilst aiming to create a new organisational culture of sharing and collaboration in order to strive for improved work processes and developmental excellence.

The ability to access information through user-friendly interfaces, and the influence of the ‘share all’ culture introduced by the internet to users globally, have changed processes and work relations substantially, and the risks embedded in these cultural changes have grown accordingly.

Controlling information confidentiality in such an environment – where content is constantly changing and being accessed by different parties, potentially with the ability to leak information – is a challenge that requires careful planning and implementation of appropriate controls on all levels: data, processes, users (people) and physical access, while maintaining the goal to share and collaborate.

IT Risks (per state of information; risk categories: Confidentiality, Integrity, Availability, Others (with quality aspect))

Rest (store):
• ‘Leakage’ of information
• Corruption of storage
• Destruction of information containers
• Inability to unhide hidden information
• Duplicate information sources (effectiveness, efficiency, maintainability)

Transit (communicate):
• Eavesdropping / ‘Leakage’ of information
• Unauthorised hiding of information
• Alteration of communication streams
• Unavailability of communication paths
• Multiple communication paths (maintainability)

Use (process):
• Unauthorised access to information
• Unauthorised transformation of information
• Unauthorised change of information
• Unauthorised removal of information
• Unauthorised duplication of information (efficiency, maintainability)


Who should fear the most?

All types of organisations are at risk. Information Leakage is not bound to a specific industry

Looking at the total number of reported incidents from the Data Loss Barometer, the Education sector (16 incidents), followed by the Government and Healthcare sectors (both 11 incidents) and Financial Services (eight incidents), should worry the most. Looking instead at the number of affected people, Consumer Markets heads the pack (51 million people affected), just ahead of Government (33 million people affected).

The conclusion of these numbers is that Information Leakage can happen anywhere and that organisations that hold the most valuable information should fear the most. So what information is most valuable? That depends on the type of organisation you are.

Examples of information asset categories include:

• Personal identifiable information: available within most organisations

• Identification and authentication details: available within most organisations

• Competitive intelligence: available within most organisations

• Financial steering information: available within most organisations

• Medical information: insurance companies and the Healthcare industry

• Bank details: Financial Services, card processing industries

• Intellectual property: the Entertainment industry (books, films, music), the Software industry (source code) and Consumer Markets (recipes)

In many cases sensitive information assets reside in more than one category. However, whether the information relates to decision makers (such as board room communication, merger and acquisition processes, lay-offs, etcetera), development processes, marketing and sales, employees, customers or partners, its loss may have an impact on parties and activities throughout the organisation.

In the foundation of the identification of applicable risks lies the need to identify sensitive information assets and related organisational activities

Each organisation is unique, and so are the applicable risks resulting from internal and external sources. In the foundation of the identification and mapping of risks lies the need to identify sensitive information assets and related organisational activities. When exploring sensitive information assets, the full Information Life Cycle of this sensitive information asset needs to be taken into account. In the following paragraph the Information Life Cycle will be explained in detail.


The different types of information media that should be taken into consideration in the process of mapping the risks

Computer related data (inside and outside the borders of the organisation), physical media, and the information that resides in the human factor, should all be considered in such mapping and the applicable impact to each media should be addressed.

ILP and the Information Life Cycle

Information is a live entity: it changes over time and according to the conditions in which it lives. Threats that can impact on the completeness, correctness and confidentiality of information are constantly changing.

Figure: the Information Life Cycle
Phase 1 - Generation: Ownership; Classification; Governance
Phase 2 - Use: Internal versus External; Third Party; Appropriateness; Discovery/Subpoena
Phase 3 - Transfer: Public versus Private Networks; Encryption Requirements; Access Control
Phase 4 - Transformation: Derivation; Aggregation; Lineage; Integrity
Phase 5 - Storage: Access Control; Structured versus Unstructured; Integrity/Availability/Confidentiality; Encryption
Phase 6 - Archival: Legal and Compliance; Offsite Considerations; Media Concerns; Retention
Phase 7 - Destruction: Secure; Complete
Compliance: Audit / Regulatory; Legal; Measurement; Business Objectives

Like every growing organism, information has a lifecycle. All phases in this life cycle have special properties that play an important role during the life of the information. At creation, ownership needs to be defined and, based on the value of the information, the information needs to be classified and tagged accordingly. Furthermore, a governance structure needs to be put into place for this information element. At the end of its life, information needs to be destroyed in a complete and secure way. Between birth and death, a number of other properties that need the attention of management become less or more important based on the phase that the information is in. In order for organisations to control their information, this needs to be recognised.


Information Leakage Prevention defined

ILP is all about putting the organisation’s most sensitive information assets first

To prevent Information Leakage, ILP concerns putting the organisation’s most sensitive information assets first: identifying and classifying them, mapping the specific risks that apply to them and implementing measures to protect and monitor them.

Creating sustainable ILP is a complicated task that requires a comprehensive approach, one that addresses organisational information assets in all forms and incorporates forensics, legislation and compliance drivers, industry- and organisation-specific threats as well as stakeholders’ vision.

At the basis of all ILP concepts lies the model below.

The outlined layers represent both the different aspects of the applicable risks to organisational information assets and the different categories of preventive and detective measures required to protect it:

• People: A variety of measures addressing the human factor. Applicable measures include awareness, information ownership, enforcement measures, reporting mechanisms, etcetera

• Processes: A variety of measures combined to identify and redesign controls and address violations related to information assets

• Data: Refers to a variety of measures combined to identify, monitor and control information in use (end-point activities), in motion (transferred through communication) and in rest (stored)

• Physical infrastructure: Physical and technological measures aimed to control inventory, physical access, eavesdropping prevention, loss of media, etcetera

Figure: the Information Leakage Prevention model, with its four layers: People, Processes, Data, Physical infrastructure


Applying measures to prevent Information Leakage

The prevention of Information Leakage is a multidimensional challenge. When attempting to prevent Information Leakage, all aspects and dimensions should be considered and taken on board.

Preventing Information Leakage requires organisations to implement and maintain a management system consisting of policies, processes and technology measures that enable organisations to govern, protect and manage information in an effective and efficient manner.

It is important to note that the effort to prevent Information Leakage is an ongoing process and is strongly dependent on changes in the organisational environment (i.e. structural changes, mergers and acquisitions, etcetera) and changes in risk and the stakeholders’ vision. It is essential that organisations implement a management system to support this ongoing process.

The scheme on this page provides an overview of relevant Information Leakage Prevention processes as well as measures that could be implemented within organisations, based on the four layers as explained in the previous paragraph.

Implementing ILP requires a set of processes aimed at addressing the information confidentiality challenge. The main processes to be identified are:

Figure: Information Leakage Prevention processes (Mapping; Classification & Risk Mapping; Controlling Access; Controlling Activities – Policy enforcement; Monitoring & Incident response) set against the four layers (People, Processes, Data, Physical infrastructure). Measures shown include: Information ownership; Awareness & enforcement; ECM; Redesign & workflows; DLP; DLP+SIEM; IAM; Asset management systems; Access control; Monitoring devices, policies and procedures.

1. Mapping of information assets (‘Know what you own’): This process is aimed at identifying an organisation’s information and where this information is available within that organisation, regardless of the media type. The first effort is targeted at creating an inventory list pointing out information assets and their location.

2. Classification and risk mapping: This process is aimed at addressing the value of information assets. The process is usually performed using classification matrices including the mapping of the applicable risks and the impact of losing this information.

3. Controlling Access: Whether addressing physical or logical information assets, defining appropriate access to it is a fundamental mechanism to ensure confidentiality of information. This needs to be performed by preventing unauthorised access to information using techniques such as securing systems, secure programming and software patching while at the same time enabling authorised access to information using techniques such as authentication and authorisations.

4. Controlling process (policy enforcement): Combining stakeholders’ vision with applicable risks to a set of clear and unambiguous rules aimed at preventing different types of activities (i.e. copying, allocating, etcetera) with regard to information assets. This set of rules and policies, supported by technological means and business processes, is likely to be implemented in multiple layers within the organisation and is to be communicated via awareness programmes.

5. Monitoring and incident response process: The creation of mechanisms to allow constant monitoring of changes and combinations of events to identify changes to risk, impact, location, access, and potential incidents, whilst being able to respond and handle potential events promptly.


Taking into account the four layer model to outline possible measures and recognising that applicable measures may vary from one organisation to the next, the following list demonstrates a partial overview of measures within a typical organisation:

• Human-related information assets are to be controlled and monitored through measures such as awareness programmes, enforcement activities, information ownership and delegation models

• The ILP processes must be mapped and classified. The result of these actions should be stored and made accessible (using, for example, Enterprise Content Management systems). Access to this environment must be controlled via Identity & Access Management mechanisms. To ensure the approval of the processes, monitoring and policy enforcement can be performed by redesigning these processes and implementing workflows

• The technical measures concerning preventing Information Leakage can be implemented by the combination of processes and infrastructures at different levels. Examples include:

- Data Loss prevention (DLP) software solutions that are a substantial part of an overall ILP concept, allowing the information owner to identify, label, monitor and control information in use (end-point activities), motion (transferred through communication) and in rest (stored)

- Identity and access management (IAM) infrastructures, allowing the owner to control the access to that information by controlling identities, access mechanisms, authentications and authorisations and applying a business context to it

- Security Incident and Event Management (SIEM), allowing the monitoring and identification of violations to policies and incident response

• Physical security measures should include the ability to prepare an inventory of and classify physical information assets via asset management systems, enforce access controls and monitor violations via traditional monitoring devices, integrated physical security mechanisms and the enforcement of policies and procedures

In order to achieve a sustainable ILP mechanism, organisations must be able to integrate measures and obtain an overall vision and understanding of the relationship between the different layers and types of information assets.

ILP and Identity & Access Management (IAM)

IAM combined with DLP infrastructures and classification matrices are essential components of the technical aspects of a sustainable ILP Programme

A fundamental element of sustainable ILP programmes is the essential IAM infrastructure. IAM has become the primary measure to control the confidentiality of information assets over the last ten years by preventing unauthorised access and enabling authorised access to information assets.

IAM provides the business context to the ILP programme by attaching business processes and roles to information assets identified and monitored by the DLP infrastructure. A viable IAM infrastructure supported by a DLP infrastructure (indicating the location of the relevant assets) and a classification matrix (defining the value of the information assets) is vital to ensure that information confidentiality (as well as completeness and correctness) is maintained and controlled.


DLP and Security Incident and Event Management (SIEM)

Enhancing the ability to investigate, monitor and respond

SIEM infrastructures are widely implemented in many organisations to allow identification of and incident response to security violations by collecting log information and analysing, prioritising and correlating it to an identified violation.

SIEM mechanisms are highly dependent on the quality of log information generated by systems, applications, databases and network devices, and lack the information-centric focus needed to complement and provide context to the aggregated information. Integrating DLP capabilities with a SIEM infrastructure allows an organisation to:

• Be able to monitor sensitive information assets

• Be able to respond to and handle incidents related to violation of confidentiality

• Be able to investigate and collect evidence through a complete and comprehensive audit trail

Compliance is a significant driver of the integration of DLP and SIEM. When taken into consideration beforehand in the design process, such an infrastructure allows an organisation to provide legislators and auditors with complete and correct scenarios and to demonstrate ‘due diligence’ and the ability to respond to significant incidents promptly.
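The following Python sketch is an added illustration, not part of the KPMG paper, of the DLP and SIEM integration described in this section and of the IAM, DLP and classification-matrix combination described in the previous one: SIEM events are joined with a DLP asset inventory (where sensitive assets are at rest, their classification and owner) and IAM role assignments, so that each event can be judged and prioritised by the value of the information involved. All asset paths, users, roles, channel rules and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed DLP asset inventory: where each sensitive asset is at rest,
# its classification, its information owner and the business roles
# (from IAM) that may use it. Paths and names are hypothetical.
ASSETS = {
    "/share/hr/payroll.xlsx": {
        "name": "Payroll", "classification": "restricted",
        "owner": "hr-director", "roles": {"hr"}},
    "/share/finance/q2-forecast.xlsx": {
        "name": "Q2 forecast", "classification": "confidential",
        "owner": "cfo", "roles": {"finance", "board"}},
    "/share/marketing/brochure.pdf": {
        "name": "Brochure", "classification": "public",
        "owner": "marketing-lead", "roles": {"*"}},   # "*" = any role
}

# Constructed classification matrix: the value rank of each class and the
# channels by which information of that class may leave its container.
CLASSIFICATION = {
    "public":       {"rank": 0, "channels": {"local", "email", "print", "usb", "web_upload"}},
    "internal":     {"rank": 1, "channels": {"local", "email", "print"}},
    "confidential": {"rank": 2, "channels": {"local", "email"}},
    "restricted":   {"rank": 3, "channels": {"local"}},
}

# Constructed IAM role assignments (the business context attached to users).
USER_ROLES = {"alice": {"hr"}, "bob": {"finance"}, "carol": {"sales"}, "dave": {"it"}}

# Constructed SIEM log lines in a simple key=value format (one event per line).
SIEM_LOG = """\
2009-06-16T09:58:03 host=ws-017 user=bob action=read asset=/share/finance/q2-forecast.xlsx channel=local
2009-06-16T10:02:11 host=ws-042 user=alice action=copy asset=/share/hr/payroll.xlsx channel=usb
2009-06-16T10:05:40 host=ws-042 user=alice action=send asset=/share/marketing/brochure.pdf channel=email
2009-06-16T10:07:02 host=ws-009 user=carol action=read asset=/share/hr/payroll.xlsx channel=local
2009-06-16T10:09:15 host=ws-017 user=bob action=send asset=/share/finance/q2-forecast.xlsx channel=email
2009-06-16T10:11:30 host=ws-023 user=dave action=copy asset=/tmp/notes.txt channel=usb
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Incident:
    timestamp: str
    user: str
    asset: str
    reason: str    # "access": role not authorised; "channel": exit path not allowed for the class
    severity: int  # rank taken from the classification matrix
    owner: str     # information owner to involve in the response


def parse_event(line):
    """Split one SIEM line into a dict; the first token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["timestamp"] = timestamp
    return event


def correlate(lines):
    """Join SIEM events with DLP/IAM context.

    Returns the incidents (most valuable asset first, then by time) and the
    number of events that matched no known asset: SIEM alone cannot judge
    those, so the DLP inventory has to be extended to cover them.
    """
    incidents, uncontextualised = [], 0
    for line in filter(str.strip, lines):
        ev = parse_event(line)
        asset = ASSETS.get(ev.get("asset"))
        if asset is None:
            uncontextualised += 1
            continue
        cls = CLASSIFICATION[asset["classification"]]
        roles = USER_ROLES.get(ev["user"], set())
        reason = None
        if "*" not in asset["roles"] and not (roles & asset["roles"]):
            reason = "access"      # authorised access is the IAM question
        elif ev["channel"] not in cls["channels"]:
            reason = "channel"     # allowed user, disallowed exit path: the DLP question
        if reason:
            incidents.append(Incident(ev["timestamp"], ev["user"], ev["asset"],
                                      reason, cls["rank"], asset["owner"]))
    incidents.sort(key=lambda i: (-i.severity, i.timestamp))
    return incidents, uncontextualised


def audit_trail(lines, asset_path):
    """All events touching one asset, in log order: the evidence trail for an investigation."""
    events = (parse_event(line) for line in filter(str.strip, lines))
    return [ev for ev in events if ev.get("asset") == asset_path]


if __name__ == "__main__":
    found, skipped = correlate(SIEM_LOG.splitlines())
    for inc in found:
        print(f"{inc.timestamp} sev={inc.severity} {inc.reason:7} user={inc.user} "
              f"asset={inc.asset} notify={inc.owner}")
    print(f"{skipped} event(s) without DLP context")
```

On the constructed log this raises two incidents against the restricted payroll file (an authorised user copying it to USB, and an unauthorised role reading it) while the confidential forecast sent by e-mail within its allowed channels and the public brochure raise none; the one event on an uninventoried file is counted rather than judged.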


Setting up an ILP Improvement Programme

Tackling the Information Leakage Challenge requires a staged, multidisciplinary improvement programme. Initiating an ILP Improvement Programme within your own organisation requires awareness, commitment and endorsement from senior management.

As an ILP improvement programme should be considered as a strategic initiative, senior management should be driving this improvement programme and involving key stakeholders. In this context key stakeholders are the information owners followed by the Chief Information Officer and to a lesser extent those responsible for IT operations.

Figure: Information Governance Maturity (vertical axis, from Low to High)
Level 1 Informal: Awareness that problems exist but the organization has taken little action regarding data quality.
Level 2 Planned and Tracked: Awareness but actions only occur in response to issues. Action is either system or department specific.
Level 3 Well Defined: Information is part of the IT Strategy and Enterprise Management processes exist.
Level 4 Controlled: Information is managed as an enterprise asset and well developed governance processes and organizational structures exist.
Level 5 Continuous Improvement: Information Governance is a strategic initiative, issues are either prevented or corrected at the source, and a leading in class solution architecture is implemented. Focus is on continuous improvement.

Level 1 Informal: The organisation knows it has issues around Information Governance but is doing little to respond to these issues. Awareness has typically come as the result of some major issues that have occurred and that have been Information Governance-related. An organisation may also be at the ‘Aware’ state if they are going through the process of moving to a state where they can effectively address issues, but are only in the early stages of the programme.

Level 2 Planned and Tracked: The organisation is able to address some of its issues, but not until some time

after they have occurred. The organisation is unable to address the root causes or predict when they are likely to occur. External help is often needed to address complex data quality issues and the impact of fixes made on a system-by-system level are often poorly understood.

Level 3 Well Defined: The organisation can stop issues before they occur as it is empowered to address root cause problems. At this level, the organisation also conducts the ongoing monitoring of data quality so issues that do occur can be quickly resolved.

Level 4 Controlled: The organisation has a mature set of information management practices. This organisation is not only able to proactively identify issues and address them, but defines its strategic technology direction in a manner focused on Information Development.

Level 5 Continuous Improvement: In this model, Information Governance is treated as a core competency across strategy, people, process, technology and controls.

Information Accuracy and Organizational Confidence

In addition, a solid and confirmed ILP strategy must be in place to steer the ILP Improvement Programme. Since preventing Information Leakage is a profound challenge, organisations should choose the right ambition level for this improvement programme based on the current and envisioned ILP state of the organisation.

High


In order to choose the appropriate ambition level for the programme, organisations may use the Information Governance Maturity Model shown above. The model outlines the different levels of Information Governance, of which ILP forms a part.

By recognising its current ILP maturity level and confirming the envisioned maturity level, an organisation can develop the appropriate programme strategy and detail the improvement project(s) and activities required to reach the envisioned ILP maturity level.


To conclude

Companies face an ever increasing challenge to control their important business information and prevent Information Leakage. KPMG’s Data Loss Barometer and e-Crime survey indicate that, despite the growth in the implementation of information security technologies, there is still a noticeable growth in Information Leakage incidents as well as in the risks and threats to organisational information assets. All types of organisations are at risk; the Information Leakage Challenge is not bound to a specific industry.

Being ‘in control’ of information assets is a management responsibility. Management must address changes in risks and threats, whether they arise from changes in the global economy, in the competitive landscape or in organisation-specific activities.

Preventing Information Leakage requires organisations to implement and maintain a management system consisting of policies, processes and technology measures that enable them to govern, protect and manage information in an effective and efficient manner.

Sustainable ILP can only be achieved by implementing a comprehensive concept that addresses the different types of information and risks and is endorsed by senior management. As previously mentioned, ILP is all about putting the organisation’s most sensitive information assets first, and, as information is the core of every organisation, controlling it is a task that combines business, technology and people.

About the authors:

Ing. John A.M. Hermans RE, Associate Partner, +31 (0) 20 656 8394, [email protected]

Drs. Hans (J.W.) de Jong CISA CISSP, Manager, +31 (0) 20 656 8049, [email protected]


kpmg.nl

Contact us

KPMG

Burgemeester Rijnderslaan 10-20

1185 MC Amstelveen

P.O. Box 74555

1070 DB Amsterdam

The Netherlands

© 2009 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682 and a Dutch limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 113_0609

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.