Latest News

Demand Action for your Privacy - 12th May 2011
[View the story "Cybersight2020 campaign: Call to ACTION: Everyone demand Credit c...

Risk of IP theft disrupting a quarter of organisations - 28th Mar 2011
Read more: http://www.v3.co.uk/v3-uk/news/2037455/risk-ip-theft-disrupting-quarter-organ...

Privacy Talks Blog - 25th Feb 2011
http://privacytalks.blogspot.com/2011/02/privacy-talks-february-2011.html...

Dr Simon Moores discusses Privacy - 06th Dec 2010
http://zentelligence.blogspot.com/2010/12/privacy-is-dead.html...

Counter Terror Business Features Cryptic - 02nd Dec 2010
http://www.counterterrorbusiness.com/case-studies/44-communications/393-security-as-an-a...

eCrime Congress Abu Dhabi - 30th Nov 2010
Dave surrounded by interest ...

@Privacytalks Newsletter - 22nd Nov 2010
Cryptic has launched its first Newsletter and tweet @privacytalks Contact Cryptic for a...

SIEM: Security Info and Event Management - 26th Oct 2010
Ask teams within the organization to rank these criteria in terms of their importance to...

BBC Live Interview with Cryptic - 20th Oct 2010
Cryptic interviewed by the BBC live 20th October 2010 How can we keep the online experi...

Half of wi-fi networks can be hacked in seconds - 14th Oct 2010
RT @TelegraphNews 'Half of wi-fi networks at risk of hacking in seconds' http://bit....

$70 million cyber crime exposed by US and European police - 02nd Oct 2010
http://www.telegraph.co.uk/news/worldnews/europe/ukraine/8038233/70-million-cyber-crime-...

Data Loss Prevention - an ICO point of view - 27th Sep 2010
Regulation for PETs within the UK. The fact that the UK Information Commissioner has taken ...

Cryptic begins its Facebook journey with Facebook pages - 23rd Sep 2010
Look out for the FAB Fan page at Cybersight 2020. You can simply search and add your tho...

Cryptic adds Cybersight to eCrime Congress in Dubai May 29th 2010 - 29th May 2010
Meet with Cryptic and see how Cybersight can deliver security as an asset at eCrime in D...

Infosec 2010: A quarter of all firms have seen data integrity attacks - 20th Apr 2010
Over a quarter (28 per cent) of European organisations have been subject to a data inte...

Cryptic Web Site goes Live - 16th Apr 2010
Cryptic Software enters the market for unified monitoring and intelligence services....

Social networks 'draining' corporate resources - 16th Apr 2010
  "There are two real concerns here: firstly that employees will download applica...

Unified Threat Management Market Poised for Growth, Report Finds - 09th Apr 2010
Analysis from Frost & Sullivan’s World UTM Products Market report found that t...

To Catch a Thief - Enterprises often underestimate the potential threat to data from disgruntled ex-employees. Piers Ford reveals the available safeguards. - 05th Apr 2010
If the findings of a new study are true, CIOs should wake up to a stark and rapidly-app...

Cyber Security Strategy of the United Kingdom safety, security and resilience in cyber space - 01st Jun 2009
Cyber Security - Cabinet Office Report. The average cost of an information security inci...

Data Loss Prevention - an ICO point of view

Regulation for PETs within the UK
The fact that the UK Information Commissioner has taken the trouble to issue guidance on PETs renders it hardly surprising that he has also adopted a PETs-based regulatory strategy. This is best evidenced by his November 2007 enforcement strategy for laptop computers and portable storage media, titled “Our Approach to Encryption”. This strategy teaches the following:

“There have been a number of reports recently of laptop computers, containing personal information which have been stolen from vehicles, dwellings or left in inappropriate places without being protected adequately. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued.

The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation’s security policy and using best practice methodologies such as using the International Standard 27001. Further information can be found at 27001-online.com.

There are a number of different commercial options available to protect stored information on mobile and static devices and in transmission, such as across the internet.

Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information. This process hides the data and prevents any inadvertent access or unauthorised disclosure of information. Since encryption standards are always evolving, it is recommended that data controllers ensure that any solution which is implemented, meets the current standard such as the recommended FIPS 140-2 standard or equivalent.”

We can draw many conclusions from the Commissioner’s approach to encryption, with an important one being that it is highly likely that the Commissioner will start to regulate for the absence of other PETs. As such, it is possible that the Commissioner will eventually regulate for DLP, once he becomes aware of how DLP can increase an organisation’s security rating by a significant order of magnitude when compared to encryption technologies alone.

What is DLP?

As one of the technology analyst companies puts it, a DLP solution consists of “tools to prevent inadvertent or accidental leak or exposure of sensitive enterprise information using content inspection technologies”. In general terms DLP software works as follows:

• Sensitive information within a network is identified and marked as such. Use and access policies can be attached to this information.
• Processing of sensitive information across the network is tracked.
• Where processing of sensitive information is in breach of policy, that processing is blocked.
• A person acting in breach of policy can be notified of their policy violation, as part of an educational programme.
• The data controller is informed of policy violations.

If all of this functionality is distilled down to its essence it will be appreciated that DLP keeps sensitive data within the network; sensitive data can only be moved from the network, whether by TCP/IP protocol or from an endpoint, where that movement is in accordance with policy. Consequently, DLP software has the potential to eliminate many of the security risks that might otherwise lead to data loss.
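As an added illustration of the five steps just listed (this is example code, not the article's or Cryptic's Cybersight), here is a minimal DLP policy engine in Python: classifiers identify and label sensitive content, a policy table says which labels may leave by which channel, and every transfer is tracked, blocked on a breach, and reported to both the person and the data controller. The classifier patterns, labels, channel names and policy table are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed classifiers (assumption): patterns that identify and label sensitive content.
CLASSIFIERS = {
    "PAN": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),            # 16-digit payment card number
    "UK_NINO": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),  # UK National Insurance number
}
# Constructed policy (assumption): which labels may leave the network by which channel;
# the channels mirror the article's two egress routes, TCP/IP ("network") and an endpoint.
POLICY = {
    "PAN":     {"network": False, "endpoint": False},
    "UK_NINO": {"network": True,  "endpoint": False},  # e.g. permitted to the payroll provider only
}

@dataclass
class Verdict:
    labels: list
    action: str                                          # "allow" or "block"
    user_notice: str = ""                                # educational notice to the person
    controller_log: list = field(default_factory=list)   # what the data controller is told

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit run is not mislabelled as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content: str) -> list:
    """Step 1: identify sensitive information and mark it with labels."""
    labels = []
    for label, rx in CLASSIFIERS.items():
        for m in rx.finditer(content):
            if label == "PAN" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                                 # fails the checksum: not a real card number
            labels.append(label)
            break
    return labels

def evaluate(user: str, channel: str, content: str) -> Verdict:
    """Steps 2-5: track the transfer, block a policy breach, notify the user and the controller."""
    labels = classify(content)
    log = [f"TRACK user={user} channel={channel} labels={labels or 'none'}"]
    breached = [l for l in labels if not POLICY[l].get(channel, False)]
    if not breached:
        return Verdict(labels, "allow", controller_log=log)
    log.append(f"VIOLATION user={user} channel={channel} labels={breached} action=block")
    notice = f"Transfer blocked: {', '.join(breached)} data may not leave via {channel}. See the data handling policy."
    return Verdict(labels, "block", notice, log)
```

A real product would add fingerprinting of documents and inspection at the network gateway and on the endpoint agent; the policy shape shown here is the part that maps directly onto the article's steps.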
Conclusion

Eventually DLP will be regarded as part of the de facto data security standard, in much the same way as encryption now is.

Cryptic Comment

Cryptic's services monitor and prevent data loss, whether deliberate or by mistake. Cybersight can automate data loss prevention and alert you to any risk within 6 seconds.
Contact Cryptic Software Limited
Telephone: +44 (0) 207 195 1893
Email: Contact Cryptic
Address: Cryptic Software Ltd, 6 Snow Hill, London, EC1A 2AY