Advisory
An introduction to Information Leakage
Leakage Challenge
1. Data Loss Barometer, September 2008 (publication number RDD 102553)
2. KPMG's Data Loss Barometer: Review of 2008 and predictions for 2009, December 2008 (publication number RRD 120084)
Leakage problem
The global financial crisis is having a direct impact on the growth of, and changes in, the direct and indirect risks that apply to organisational information assets. As budgets decrease and internal and external environments become more unstable, the ability to monitor and apply controls over the confidentiality of information assets becomes a challenge.
The e-Crime survey conducted by KPMG International in partnership with AKJ Associates Ltd points out the following main e-Crime risks that are of the greatest concern in the current economic climate to the representatives of over 300 businesses globally:
1. An increase in out-of-work IT professionals during the recession may lead to more people with technical skills joining the cybercriminal underground economy (66%)
2. Theft of customer or employee data by insiders or ex-employees (64%)
3. Knowledge of weak points in business processes/systems being deliberately exploited by insiders or ex-employees (62%)
4. Theft of intellectual property or business-sensitive data by insiders or ex-employees (61%)
5. Loss of undocumented business knowledge (e.g. processes, encryption keys) relevant to security (38%)
Business Risks (figure): risk categories Strategic, Regulatory/Legal, Asset, Operational and Market, with the associated risks: Fraud/theft/misuse; Loss of trust in capital information/reputation damage; Inability to measure investments/value of assets/intellectual capital.
The IT perspective
If we look at the challenge from an IT perspective, the possible impact of inherent IT risks on these types of Information Leakage incidents also becomes clear on a more technical level. To show the particular types of risks involved, we have organised them according to the states that information can be in:
IT Risks (table; columns: Confidentiality, Integrity, Availability, Others with quality aspect)
Information at rest (store): Leakage of information; Corruption of storage; Destruction of information containers; Inability to unhide hidden information; Duplicate information sources (effectiveness, efficiency, maintainability)
Information in transit (communicate): Eavesdropping/Leakage of information; Unauthorised hiding of information; Multiple communication paths (maintainability)
Information in use (process): Unauthorised access to information; Unauthorised change of information; Unauthorised transformation of information; Unauthorised removal of information; Unauthorised duplication of information (efficiency, maintainability)
Information lifecycle (figure)
Phase 1 - Generation
- Ownership
- Classification
- Governance
Phase 2 - Use
- Internal versus External
- Third Party
- Appropriateness
- Discovery/Subpoena
Phase 3 - Transfer
- Public versus Private Networks
- Encryption Requirements
- Access Control
Phase 4 - Transformation
- Derivation
- Aggregation
- Lineage
Phase 5 - Storage
- Integrity
- Access Control
- Structured versus Unstructured
- Integrity/Availability/Confidentiality
- Encryption
Phase 6 - Archival
- Legal and Compliance
- Offsite Considerations
- Media Concerns
- Retention
Phase 7 - Destruction
- Secure
- Complete
Compliance
- Audit/Regulatory
- Legal
- Measurement
- Business Objectives
Like every growing organism, information has a lifecycle. Each phase in this lifecycle has properties that play an important role during the life of the information. At creation, ownership needs to be defined and, based on the value of the information, the information needs to be classified and tagged accordingly. Furthermore, a governance structure needs to be put into place for this information element. At the end of its life, information needs to be destroyed in a complete and secure way. Between birth and death, a number of other properties that need the attention of management become more or less important depending on the phase that the information is in. For organisations to control their information, this needs to be recognised.
Information Leakage programme (figure) covering: Classification & Risk Mapping; Information ownership; Controlling Access; Controlling Activities - Policy enforcement; Monitoring & Incident response; Awareness & enforcement; Redesign & workflows; applied across People, Processes and Data and supported by IAM, ECM, DLP, DLP+SIEM, access control, physical infrastructure, and monitoring devices, policies and procedures.
Maturity model (figure; Low to High)
Level 1 - Informal
Level 2 - Planned and Tracked
Level 3 - Well Defined
Level 4 - Controlled: Information is managed as an enterprise asset, and well-developed governance processes and organizational structures exist.
Level 5 - Continuous Improvement: Information Governance is a strategic initiative, issues are either prevented or corrected at the source, and a leading-in-class solution architecture is implemented. Focus is on continuous improvement.
To conclude
kpmg.nl
Contact us
KPMG
Burgemeester Rijnderslaan 10-20
1185 MC Amstelveen
P.O. Box 74555
1070 DB Amsterdam
The Netherlands
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.