Optimize Your Data Protection Investment for Bottom Line Results.

Presentation transcript:

Optimize Your Data Protection Investment for Bottom Line Results

DATA LOSS PREVENTION EXPERTISE: QUICK FACTS
- Providing DLP since 2002
- Deployed 400+ DLP projects
- Completed 500+ assessments
- Manage DLP solutions in 22 countries
- Provide daily management of 1,000,000+ users globally
- Symantec Master Specialization DLP Partner
- RSA's only authorized Managed DLP Partner
- 1st Managed DLP Services Provider (2008)
- Localized Chinese DLP practice (2011)
- Global support in 130 countries
- Data mining, custom policies and scripting

SYMANTEC DLP COMPONENTS: ENDPOINT PREVENT
Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash, SD or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically.
With Symantec Data Loss Prevention, you can monitor and block:
- Instant messages sent to a partner containing confidential M&A information
- Web mail with product plans attached going to a competitor
- Customer lists being copied to USB or other removable media devices
- Email containing PII sent via hosted security services
- Source code that is copied to a local drive
- Email sent from mobile devices containing confidential data
- Product design documents being burned to CD/DVD
- Price lists being printed or faxed to a competitor

WHAT WE WILL COVER TODAY
- DLP Use Cases: How Did They Get There?
- Developing the DLP Program
- Avoiding Common DLP Pitfalls
- Open Q&A

HOW TO GET STARTED WITH DLP
Processes:
- Developing the DLP Program Scope
- Understanding Workplace Monitoring Requirements
- Designing and Implementing the DLP Program
- Measuring the DLP Program

USE CASE 1: INCIDENTS DETECTED 2 MONTHS INTO DLP PROGRAM
- Captured a group of emails going to Gmail with unencrypted data:
  - Combination of design standards, CAD files and pro-forma product business plans including unit costs, forecasted revenue and margin data
  - Customer and vendor lists, proprietary development processes and procedures, and pricing data from similar current product lines
- Performed real-time DLP correlation analysis:
  - Identified 78 design standards focused on "highly classified" next-gen product development
  - Downloaded to a personal USB device with no legitimate business use within 1 hour after the email transmissions
- Incidents reported to the information security team within 2 hours of both incidents being generated and correlated
- Employee was in the manager's office submitting a resignation as InfoSec notified the manager

USE CASE 1: OBTAINING BUSINESS BUY-IN
- Compliance & Risk Management tasked with implementing DLP in an organization of 50,000+ employees
- Needed to develop DLP Program allies:
  - Key technology stakeholders: Desktop, Networking, Messaging and Storage
  - Strong relationships with key business units within the DLP Program scope
  - Generate awareness of the program with key senior leadership (not excessive on the front end)
- Targeted one business unit as early adopters and used their success to expand the DLP program into neighboring business units or processes.
- Earned the Business Unit, Data Owner or Process Advocate's trust and leveraged their internal relationships to navigate the corporate structure and help message the value proposition.
- 18 months into the DLP Program there is 100% business unit involvement.

USE CASE 2: INCIDENTS DETECTED 14 DAYS INTO DLP PROGRAM
- Vendor provides an upgrade to the enterprise HIS system, follows all change management procedures and obtains sign-off from the customer on the upgrade.
- DLP detects unencrypted patient information being transferred via an unsecured FTP site; the transfer had been configured for SFTP prior to the change.
- The information was detected the first time the bi-monthly batch processing completed.
- A comprehensive audit trail of incident data was available to the organization for investigation.
- The upgrade caused numerous unforeseen changes in the HIS application that created vulnerabilities and the potential for inadvertent data leakage.
- The information was sent to a Business Associate but was exposed in a non-encrypted state.

USE CASE 2: OBTAINING BUSINESS BUY-IN
- Leveraged the relationship between the CISO, Internal Audit and Privacy to obtain the necessary funding; it is hard to get dollars that would otherwise be allocated to patient care.
- Defined the DLP Program scope around specific elements of primary concern, specifically infectious diseases. HIV/AIDS patient data had been leaked in the past, causing significant impact to the organization.
- Shared the DLP Program scope with a skeptical physician-led healthcare management team.
- Senior leadership was in the loop on the project but, once again, without information overload on the front end.
- CISO and IA/Privacy developed costs around the previous breach as well as the negative press as part of their DLP justification pitch.
- Clearly identified the previous costs and impacts to the organization, obtaining buy-in from senior leadership and board members.

USE CASE 3: INCIDENTS DETECTED 72 HOURS INTO DLP PROGRAM
- Company is approached in a confidential manner regarding a "hostile" takeover situation and has 48 hours to respond before public notice is provided.
- Company crafted a set of policies within 2 hours to monitor all communication channels and endpoints within the DLP scope. Policy was enabled to:
  - Quarantine all email communication
  - Block all web-based traffic or any downloading of specific keywords or specific documents related to the topic (management-imposed gag order)
- Within 3 hours of the submission of the bid documents to the customer, 5 senior staff members had attempted to disclose the existence of the transaction:
  - 2 email transmissions to friends/family members (spouses)
  - 2 instant message/chat messages to friends/family members
  - 1 Gmail message to a friend at an investment bank who works for a direct competitor of the company, outlining the key terms of the offer. The employee was a Senior VP with access to the term sheet.

USE CASE 3: OBTAINING BUSINESS BUY-IN
- CIO-driven DLP program that "dragged" the COO, CFO and General Counsel to a demo and presentation of the capabilities of DLP.
- General Counsel set up a meeting with the CEO and Board to bring visibility to the "real dangers of a digital commerce environment".
- CEO and executive team allocated discretionary budget to build out a DLP pilot system at corporate headquarters to monitor for pre-disclosed earnings information, M&A activity and competitor communications: 100 employees at HQ out of 10,000 global employees.
- The recent trend seems to be a more top-down approach to the assessment and adoption of DLP programs.
- Had no problem with rapid deployment, policy development and building the supporting incident response program.

USE CASE: DLP PRE-PROJECT STATE
- Organization Overview: 40,000 employees globally, manufacturing
- DLP Scope: Protection of Intellectual Property (general)
- DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information
- Application Management: Operated and managed by IT Security with limited input from the business
- Policy Governance: Failure to use a lifecycle software development process for policy construction
- Incident Triage: Infrequently reviewed by IT, with little to no review by business owners
- Event Management: Hard to accomplish due to the large number of false positives. No "gold nuggets."
- Reporting and Metrics: Zero customized reports. No relevant business analysis provided.
- Status: System generates 25,000 incidents/day (750,000 incidents/month)

MANAGING WORKPLACE PRIVACY: FRAMEWORK
1. Understand your company's data flows
2. Identify your monitoring purpose
3. Understand the general principles underlying personal data processing
4. Determine if other countries' laws apply to your company
5. Understand other countries' approach to workplace monitoring
6. Understand other countries' requirements for workplace monitoring
7. Understand other countries' laws
8. Implement technology that fosters compliance with legal requirements

IDENTIFY PURPOSE FOR MONITORING
Generally acceptable business reasons include:
- Monitor and maximize employee productivity
- Protect against unauthorized use, disclosure or transfer of PII
- Monitor employee compliance with employer workplace policies
- Investigate complaints of employee misconduct
- Prevent industrial espionage
- Prevent or respond to unauthorized access to the employer's computer systems
- Protect computer networks from becoming overloaded
- Prevent or detect unauthorized utilization of the employer's computer system for criminal activities and terrorism
- Help prepare the employer's defense to lawsuits or administrative complaints
- Respond to discovery requests in litigation related to electronic evidence

DETERMINE IF COUNTRY LAWS APPLY TO YOU
1. Does your company operate in that country?
2. Does your company have affiliates or subsidiaries that collect personal data in that country?
3. Does your company have employees residing in that country?
4. Does your company collect or process personal data in that country?
5. Does your company process personal data using equipment in that country?

INTERNATIONAL PRIVACY LAWS: BUSINESS IMPACT
- Must comply with privacy laws in the countries where you have operations, where laws can be significantly more restrictive than in the US
- Transfer of personal information can be blocked in other countries unless specific requirements are met
- Countries across the globe are adopting privacy laws

UNDERSTAND GENERAL PRINCIPLES: SAFE HARBOR
- NOTICE: Individuals must be informed that their data is being collected and about how it will be used.
- CHOICE: Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
- ONWARD TRANSFER: Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- SECURITY: Reasonable efforts must be made to prevent loss of collected information.
- DATA INTEGRITY: Data must be relevant and reliable for the purpose it was collected for.
- ACCESS: Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- ENFORCEMENT: There must be effective means of enforcing these rules.

APPLICATION SUPPORT & INTEGRATION
- Primary System DLP Management = Human Resource / Expertise Requirements
- Integrated System Management = Cross-Department Collaboration Processes
- Health Check & System Validation Management = System Resource Requirements
- Vendor Management = Primary and Integrated Technology Vendor Relationships

POLICY & RULE GOVERNANCE
- Who requests rules and policy requirements? Are business owners engaged?
- Who reviews rule requests? What are the criteria for an approved rule?
- What's the process for converting a rule request into a policy?
- Who's responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?
- What is the formal policy development process? First drafts rarely work as expected!
- Is there a process to relay production policy metrics to stakeholders?

WORKFLOW DEVELOPMENT & MANAGEMENT
- Who develops and manages policy "buckets"? (False positive, inbound partner, outbound employee)
- Who defines the thresholds that determine response rules for each "bucket"? Are 10 SSNs a high, medium or low severity incident?
- Who designs and sets the policy response triggers? (Malicious, inadvertent, suspicious, above threshold)
- Triage response options: human notification, system notification (auto), or hybrid?
- Who's responsible for building alerts, alarms and notifications? Has the business been engaged on event management?
- Who manages the DLP policy and rules repository? Why recreate the wheel?

INCIDENT TRIAGE & EVENT MANAGEMENT
- Who reviews the volume and yield of incidents and events? What's the review frequency?
- How are events/incidents routed? Who owns the incident/event?
- How does DLP fit in the overall incident/event management process? Can this be mapped to the DLP system?
- What metrics are developed to measure the success of rules and related policy? Who's responsible for developing metrics?
- Revision of rules based on the quality of policy results: who manages the policy optimization process?
- How will integrated systems be tied together to yield valued information? (Secure mail, web gateway, GRC, SIEM)
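The two slides above ask who sets policy buckets, severity thresholds and response triggers, and how incidents are routed; use case 1 earlier describes a correlation between a webmail transmission and a removable-media copy within an hour. As an added illustration (not code from the deck or from BEW Global), the following Python models those decisions as data: the bucket names come from the slide, while the threshold numbers, partner and webmail domain lists, response mapping and the sample events are all constructed for this example.

```python
"""Added example (not from the original deck): policy buckets, severity
thresholds, response triggers and a webmail-then-USB correlation rule.
Thresholds, domain lists and the sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed severity thresholds on the number of SSNs matched in one incident.
# In a real program the business owner of the data signs off on these numbers.
SEVERITY_THRESHOLDS = (("high", 10), ("medium", 3), ("low", 1))

PARTNER_DOMAINS = {"partner.example"}   # constructed inbound-partner list
WEBMAIL_DOMAINS = {"gmail.com"}         # personal webmail destinations


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    channel: str      # "smtp", "usb" or "http"
    direction: str    # "inbound" or "outbound"
    dest: str         # recipient domain or removable-device id
    ssn_count: int    # identifiers matched by the content policy
    encrypted: bool   # whether the payload was encrypted when inspected


def severity(ssn_count: int) -> str:
    """Answer the slide's question: are 10 SSNs high, medium or low?"""
    for label, minimum in SEVERITY_THRESHOLDS:
        if ssn_count >= minimum:
            return label
    return "none"


def bucket(ev: Event) -> str:
    """Assign an event to one of the slide's policy buckets."""
    if ev.ssn_count == 0:
        return "false_positive"
    if ev.direction == "inbound" and ev.dest in PARTNER_DOMAINS:
        return "inbound_partner"
    return "outbound_employee"


def response(ev: Event) -> str:
    """Map bucket plus severity to a triage response option."""
    b = bucket(ev)
    if b == "false_positive":
        return "auto_close"
    sev = severity(ev.ssn_count)
    if b == "outbound_employee" and sev == "high":
        return "human_notify"   # above threshold: an analyst owns it
    if sev == "medium":
        return "hybrid"         # system alert plus queued human review
    return "system_notify"


def correlate_webmail_then_usb(events, window=timedelta(hours=1)):
    """Users who sent unencrypted PII to personal webmail and then copied PII
    to removable media within `window` (the pattern from use case 1)."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    flagged = set()
    for user, evs in by_user.items():
        mails = [e for e in evs if e.channel == "smtp" and e.dest in WEBMAIL_DOMAINS
                 and not e.encrypted and e.ssn_count > 0]
        usbs = [e for e in evs if e.channel == "usb" and e.ssn_count > 0]
        if any(timedelta(0) <= (u.ts - m.ts) <= window for m in mails for u in usbs):
            flagged.add(user)
    return flagged


def triage_summary(events):
    """Volume and yield per (bucket, response) pair for the review meeting."""
    counts = {}
    for ev in events:
        key = (bucket(ev), response(ev))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events: one user mails a customer list to Gmail and copies
# it to USB 40 minutes later; a partner sends encrypted data in; one hit is noise.
T0 = datetime(2015, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "jdoe", "smtp", "outbound", "gmail.com", 12, False),
    Event(T0 + timedelta(minutes=40), "jdoe", "usb", "outbound", "usb-serial-0042", 12, False),
    Event(T0 + timedelta(hours=2), "asmith", "smtp", "inbound", "partner.example", 4, True),
    Event(T0 + timedelta(hours=3), "bwong", "http", "outbound", "intranet.example", 0, False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.user, ev.channel, bucket(ev), severity(ev.ssn_count), response(ev))
    print("correlated:", correlate_webmail_then_usb(SAMPLE_EVENTS))
    print("summary:", triage_summary(SAMPLE_EVENTS))
```

The point of keeping thresholds and bucket rules in one small table is that the governance questions on the slide (who sets the number, who owns the response) have a concrete artifact to review and version, rather than living in a vendor console where first drafts are hard to audit.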

BUSINESS ANALYTICS
- Who develops reports? Are DLP system-generated reports adequate?
- Who drives report requirements? Requestors, reviewers, others?
- Do they have expertise with 3rd-party reporting tools?
- Are the metrics valuable and driving meaningful change?
- Is report accuracy tied into the QA process?

PITFALL 1: NO PLAN OF ATTACK

5 Pieces of DLP Advice You Can't Afford to Ignore
PITFALL 2: FAILURE TO ENGAGE THE BUSINESS

PITFALL 3: INADEQUATELY TRAINED RESOURCES

DATA-IN-MOTION PITFALLS

Missing the Target: False Sense of Security (mis-configured tap or port SPAN)
Problem: Missing segments of network traffic or protocols.
Solution: A comprehensive test plan that maps to in-scope business processes and the related data types transmitted from various network locations, to ensure all relevant data streams are being captured.

Encryption: The Masked Data
Problem: Analysis of data DID NOT take place prior to encryption.
Solution: A comprehensive test plan that proves ALL DLP data assessment takes place prior to gateway encryption, plus managed "test" DLP policies that identify encrypted transmissions as part of the test plan.

Misfire of Network Discovery Scans
Problem: Locations of sensitive data never targeted by the organization for scanning, due to the lack of an effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand the process.

Network versus Endpoint Discovery
Problem: Running DAR (data-at-rest) scans using a combination of network and endpoint scanning without considering that the policy types and detection methods are not the same.
Solution: Prior to acquiring a DLP solution, understand the data types that make up your target environment, then decide on the scanning method.
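The "Masked Data" pitfall above is easy to state and easy to get wrong in a gateway chain. The following Python is an added illustration, not code from the deck or from any DLP vendor: the same SSN content rule is run before and after a toy encryption step, showing that inspection after encryption finds nothing, and a companion "test" policy flags high-entropy payloads so that transmissions which were encrypted before inspection still surface as incidents. The regex, the entropy threshold, the minimum size and the sample customer list are constructed; the keystream XOR exists only to produce realistic-looking ciphertext offline and is not a real cipher.

```python
"""Added example (not part of the original deck): why DLP inspection must run
before gateway encryption, plus an entropy-based "test" policy that flags
encrypted transmissions. Thresholds and sample data are constructed."""
import hashlib
import math
import re
from collections import Counter

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # constructed content rule
ENTROPY_THRESHOLD = 7.5   # bits per byte; constructed threshold for the test policy
MIN_BYTES = 512           # ignore tiny payloads, where the entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter keystream (toy, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with the keystream; applying it twice restores the plaintext."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


def content_policy(payload: bytes) -> dict:
    """Production-style content rule: count SSN-formatted matches."""
    return {"rule": "ssn", "matches": len(SSN_RE.findall(payload))}


def encrypted_transmission_test_policy(payload: bytes) -> dict:
    """Managed 'test' policy from the slide: flag payloads that look encrypted."""
    ent = shannon_entropy(payload)
    return {"rule": "encrypted_transmission", "entropy": round(ent, 2),
            "flagged": len(payload) >= MIN_BYTES and ent >= ENTROPY_THRESHOLD}


def gateway_inspect_then_encrypt(payload: bytes, key: bytes):
    """Correct order: DLP inspects plaintext, then the gateway encrypts."""
    verdict = content_policy(payload)
    return verdict, toy_encrypt(payload, key)


def gateway_encrypt_then_inspect(payload: bytes, key: bytes):
    """The pitfall: the gateway encrypts first, so DLP only sees ciphertext."""
    ciphertext = toy_encrypt(payload, key)
    return content_policy(ciphertext), ciphertext


# Constructed sample: a customer list with 20 SSN-formatted values (about 1.2 KB).
SAMPLE_PLAINTEXT = b"".join(
    b"customer %03d, ssn 123-45-%04d, plan: pro-forma margin data\n" % (i, 6000 + i)
    for i in range(20)
)
SAMPLE_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    good, ct = gateway_inspect_then_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    bad, _ = gateway_encrypt_then_inspect(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("inspect-then-encrypt:", good)
    print("encrypt-then-inspect:", bad)
    print("test policy on plaintext:", encrypted_transmission_test_policy(SAMPLE_PLAINTEXT))
    print("test policy on ciphertext:", encrypted_transmission_test_policy(ct))
```

In a test plan, the entropy rule is deliberately noisy (compressed archives and images also score high), which is why the slide calls it a "test" policy: its job is to prove where in the chain inspection happens, not to replace the content rules.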

DATA-IN-MOTION (ENDPOINT) PITFALLS

The Pandora's Box of DLP Environment Assessment
Problem: No rigorous endpoint environment assessment prior to the selection of the application and its enablement.
Solution: Address the age of the environment, performance capabilities, technical and human issues, and application load, in conjunction with education on the DLP endpoints.

Staying in Contact
Problem: Failure to monitor the endpoint population and their frequency of "checking in" to the management server with validated results.
Solution: Phased deployment of endpoints, with validation via a test plan of the initial success of ALL agents and ongoing endpoint agent health reports.

User Performance Impacts
Problem: Implementing the same policies for network-based and endpoint assessments without testing or modification.
Solution: Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.

Network/System Performance Impacts
Problem: Failure to calculate and measure the impact of endpoint policy traffic across wide and local area network connections.
Solution: A thorough assessment of endpoint policies that addresses all of the concerns, including policy design requirements, timing, frequency and delivery methods.
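The "Staying in Contact" pitfall above calls for phased deployment gated on agent health reports. As an added example that is not the deck's or any vendor's tooling, the Python below parses a constructed agent check-in log, reports per-phase check-in rates, lists agents that have gone silent, lists agents still running an old policy version (the delivery concern from the last pitfall), and gates the next rollout phase on the previous phase's health. The log format, the 24-hour window, the 95% gate and the fixed "current time" are all assumptions made for the example.

```python
"""Added example (not from the original deck): endpoint agent health report
for phased DLP rollout. Log format, window, gate and timestamps are constructed."""
from datetime import datetime, timedelta

CHECKIN_WINDOW = timedelta(hours=24)   # constructed: agents must report daily
PHASE_GATE = 0.95                      # constructed: 95% healthy before the next phase
CURRENT_POLICY_VERSION = 7             # constructed: version the server is distributing
NOW = datetime(2015, 5, 1, 12, 0)      # fixed "current time" so the run is reproducible

# Constructed check-in log: "<iso timestamp> host=<name> phase=<n> policy_version=<v>"
SAMPLE_LOG = """\
2015-05-01T08:00:00 host=ws-001 phase=1 policy_version=7
2015-05-01T08:05:00 host=ws-002 phase=1 policy_version=7
2015-04-30T20:00:00 host=ws-003 phase=1 policy_version=6
2015-05-01T08:07:00 host=ws-003 phase=1 policy_version=6
2015-04-28T09:00:00 host=ws-004 phase=1 policy_version=5
2015-05-01T10:00:00 host=ws-101 phase=2 policy_version=7
2015-04-25T10:00:00 host=ws-102 phase=2 policy_version=4
"""


def parse_log(text: str) -> dict:
    """Latest check-in record per host, keyed by host name."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        rec = {"last_seen": datetime.fromisoformat(ts_str),
               "phase": int(kv["phase"]),
               "policy_version": int(kv["policy_version"])}
        host = kv["host"]
        if host not in records or rec["last_seen"] > records[host]["last_seen"]:
            records[host] = rec
    return records


def stale_agents(records: dict, now: datetime = NOW, window: timedelta = CHECKIN_WINDOW):
    """Hosts that have not checked in within the window (sorted for the report)."""
    return sorted(h for h, r in records.items() if now - r["last_seen"] > window)


def outdated_policy_agents(records: dict, current: int = CURRENT_POLICY_VERSION):
    """Hosts whose last check-in reported an older policy version."""
    return sorted(h for h, r in records.items() if r["policy_version"] < current)


def phase_health(records: dict, now: datetime = NOW, window: timedelta = CHECKIN_WINDOW):
    """Fraction of agents per deployment phase that checked in within the window."""
    totals, healthy = {}, {}
    for r in records.values():
        p = r["phase"]
        totals[p] = totals.get(p, 0) + 1
        if now - r["last_seen"] <= window:
            healthy[p] = healthy.get(p, 0) + 1
    return {p: healthy.get(p, 0) / totals[p] for p in totals}


def next_phase_allowed(records: dict, current_phase: int, gate: float = PHASE_GATE) -> bool:
    """Gate the next rollout phase on the current phase meeting the health target."""
    return phase_health(records).get(current_phase, 0.0) >= gate


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("phase health:", phase_health(recs))
    print("stale agents:", stale_agents(recs))
    print("outdated policy:", outdated_policy_agents(recs))
    print("proceed to phase 2:", next_phase_allowed(recs, 1))
```

Keeping the latest record per host matters: an agent that reported yesterday and again today is healthy, and counting every line rather than every host would inflate the check-in rate.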

USE CASE: POST-PROJECT STATE
- Organization Overview: Defined specific business units to initiate the program
- DLP Scope: Focused on 3 specific product lines linked to the highest revenue and earnings
- DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
- Application Management: Operated by a combination of IT, messaging and desktop management teams
- Policy Governance: 100% customized policies based on data collected from the business unit
- Incident Triage: Daily review of incidents by Information Security
- Event Management: Incidents meeting severity criteria routed to the business unit for investigation
- Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
- Status: R&D teams have a high level of confidence in the ability to identify leakage of IP.

QMS SAMPLE QUARTERLY REPORT

BEW GLOBAL HQ: 5613 DTC Parkway, Suite 1250, Greenwood Village, CO, USA
BEW GLOBAL EMEA: Albany Court, Albany Park, Camberley GU16 7QR, England
BEW GLOBAL APAC: Oxford Street, Level 23, Tower 1, Bondi Junction, Sydney 2022