
IT Advisory

Information Leakage Prevention


Putting your information first
KPMG's view on preventing Information Leakage


Information Leakage Prevention 2

An introduction to Information Leakage

The 21st century is all about technology and communication. As the global village becomes smaller, and people become better connected and more knowledgeable, organisations find themselves challenged daily by the need to ensure that data related to their most sensitive activities will not leak, whether through intentional or unintentional activities.

A survey conducted by KPMG IT Advisory (hereafter KPMG) indicates a significant growth in the number and impact of data loss incidents throughout 2007-2008. The survey anticipates that during 2009, over 190 million people may become victims of data loss incidents.

Maintaining the confidentiality of an organisation's activities and sensitive information is vital to its stability and reputation, and to supporting stakeholders' decision-making processes. Organisations are required to strike a balance between the need to strive for better efficiency and excellence (by allowing information and knowledge to flow throughout the organisation) and the resulting risks to the confidentiality, integrity and availability of the organisation's information assets.

Throughout 2009, global and social trends, as well as the current global financial crisis, have created challenging and highly complex internal and external environments for information assets and their confidentiality.

The purpose of this whitepaper is to present the challenge that currently faces organisations and the size of the Information Leakage problem, as well as the main threats and challenges that organisations face in their attempt to control valuable information and prevent it from leaking, whilst ensuring a sufficient flow of information to support and promote their activities internally and externally. The paper points out recommended measures intended to serve as guidelines for organisations in implementing measures to prevent Information Leakage and in implementing sustainable Information Leakage Prevention (hereafter ILP).

This white paper has been sponsored by RSA for the RSA Information Security MarketPlace on the Ordina Open on 16 June 2009.

2009 KPMG Advisory N.V.


Describing the Information Leakage Challenge in the current business environment

Organisations have rapidly developed from isolated entities into networked entities: information flows no longer stay within company borders, and clients, third parties and partners all play an active role in creating and processing information. These networked entities need to open up to the outside world in order to interact with these external parties.

In addition, the increased level of outsourcing of process activities (as part of business process outsourcing initiatives) and the outsourcing of IT activities mean that organisations are facing the challenge of how to govern and control their information.

Opening up to the outside world leads to an increased risk of the unintended exposure of confidential information to external parties. Information Leakage has many causes: for example, the loss of a memory stick containing confidential information, the theft of confidential information by hackers, or the increasing threat of organised crime and even espionage.

Figure: Current business environment


In this context, the role of the regulators has also increased. Regulators recognise the challenge organisations face in being able to prove that they are in control of their information. Answering questions such as "Who has access to what information at what time?", "Are applicable Segregation of Duty requirements enforced?" and "Is this information being destroyed at the appropriate time, neither too soon nor too late?" can be difficult for many organisations, leading to control deficiencies regarding the use of information.


Figure: visualising the Information Leakage challenge

Finally, due to the lower cost of storage (amongst other things), the amount of information within companies and the means by which information can be stored have exploded over the last couple of years. Furthermore, due to IT outsourcing initiatives, a large portion of this information may be stored outside of the organisation's boundaries at locations across the globe. All of these developments lead to the fact that many organisations do not know where their information is stored, what the quality of this information is or who owns the information. It is also unknown whether the information stored is still being used and which version of the information is the most accurate.


In conclusion, the Information Leakage Challenge that organisations face is how to find a way to govern, protect and manage companies' valuable information in the most effective and efficient manner.


Quantifying the Information Leakage Challenge

Preventing Information Leakage and governing business information is becoming a greater challenge for organisations to handle. To quantify the Information Leakage Challenge, KPMG LLP in cooperation with other European KPMG firms regularly conducts two major surveys addressing risks, trends, impact and awareness related to data loss:

1. KPMG's Data Loss Barometer [1][2], conducted annually since 2005, addresses the growth in publicly known data loss incidents and their impact in recent years:
- Over 1,057 data loss incidents were reported between January 2005 and December 2008, with over 280 million people affected
- Estimations for 2009 are that if the trend since September 2008 continues, over 190 million people could become victims of data loss in 2009 (not taking into consideration the unforeseeable effects of the credit crunch)
- Over 50% of incidents are caused by internal sources
- Between 2007-2008, 4.6 million people were affected by human or system errors, 3.8 million people were affected by dishonest employees and 5.0 million people were affected by leaks in web sites
- Even sectors that are required to comply with strict laws and regulations governing data privacy are exposed to data loss risks. 19% of data loss incidents were linked to government organisations and 14% of data loss incidents occurred within the Financial Services sector

2. KPMG's e-Crime survey [3], conducted by KPMG International in partnership with AKJ Associates Ltd. The survey points out the top three sensitive information assets in organisations, as outlined by the representatives of over 300 businesses globally:
   1. Customer data (76% of respondents identified this as one of their top 3)
   2. Customer personal identifiable information (60% of respondents)
   3. Login/password information and account information (53% of respondents)

[1] Data Loss Barometer September 2008, September 2008 (publication number RDD 102553)
[2] KPMG's Data Loss Barometer: Review of 2008 and predictions for 2009, December 2008 (publication number RRD 120084)
[3] e-Crime survey 2009, 5 March 2009


The participants outlined that the main drivers for increased investment in security capabilities over the past year were:
1. High-profile incidents within other organisations (42% of respondents)
2. Regulatory compliance (41% of respondents)
3. Fear of a major incident resulting in negative media coverage of their organisation (40% of respondents)

67% of respondents selected budget as a major bottleneck preventing their organisation from increasing its proactive capabilities to reduce the impact of e-Crime.

There is substantial growth in the implementation of information security-related technologies and a subsequent growth in managerial awareness of the impact of Data Loss incidents in all sectors, due to increased media attention. However, as both surveys indicate, there is still an even greater, noticeable growth in Information Leakage incidents and in the risks and threats of leaking information. The current economic situation only adds to this.


Economic pressures will increase the Information Leakage problem

The global financial crisis is having a direct impact on the growth of, and changes in, the direct and indirect risks that apply to organisational information assets. As budgets decrease and internal and external environments become more unstable, the ability to monitor and apply controls over the confidentiality of information assets becomes a challenge.

The e-Crime survey conducted by KPMG International in partnership with AKJ Associates Ltd points out the following main e-Crime risks that are of the greatest concern in the current economic climate to the representatives of over 300 businesses globally:

1. An increase in out-of-work IT professionals during the recession may lead to more people with technical skills joining the cybercriminal underground economy (66%)
2. Theft of customer or employee data by insiders or ex-employees (64%)
3. Knowledge of weak points in business processes/systems being deliberately exploited by insiders or ex-employees (62%)
4. Theft of intellectual property or business sensitive data by insiders or ex-employees (61%)
5. Loss of undocumented business knowledge (e.g. processes, encryption keys) relevant to security (38%)


6. Employees placing personal information on the Internet that can be exploited by attackers (36%)
7. Knowledge of weak points in business processes/systems being sold (27%)

"As organisations are involved in redundancies and downward pressure on costs forces them into drastic changes, there is a significant risk that disgruntled employees can cause serious damage to an organisation through data breaches."
Edge Zarrella, KPMG's Global Head of IT Advisory


Exploring Information Leakage risks

The business perspective

Information is the lifeblood of all organisations. By managing the information flow both internally and externally, stakeholders can steer and monitor activities, introduce more efficient business processes, create a competitive edge and market trends, and ensure the quality of services and products.

As technology and communication channels evolve and people become more capable and accessible, the challenge of managing the flow of information and the applicable risks grows.

In most organisations the most substantial risks evolve from the internal factor (as employee loyalty changes over time) and from external conditions (e.g. the credit crunch). In addition to the increased use of potential leakage areas such as social networks, the need to share information using various mechanisms such as Enterprise Content Management systems is accompanied by growing concern over the obvious inherent risks. Therefore, the need to identify and monitor the embedded risks becomes essential.

The impact of Information Leakage can be assessed by combining the stakeholders' vision and needs, the industry-based competitive landscape, and the quantity and value of the organisational information assets.

It is important to note that as the potential impact varies from one organisation to the next, changes over time and changes with the internal and external environments, the overall impact of an incident or a series of incidents in which information confidentiality is compromised is difficult to assess. It is therefore important to address identified risks while carefully monitoring the accepted risks.

In most organisations, impact ranges from the actual disruption of business processes (the cancellation of a merger and acquisition process, loss of a partnership, loss of clients, litigation, non-compliance, etcetera), through the loss of actual assets (e.g. financial assets), to the loss of hard-earned non-measurable assets such as reputation, competitive edge, etcetera. The following table demonstrates possible impact categorised by type of business risk:

Business risk       Possible impact
Strategic           Loss of competitive edge/reputation damage; loss of ability to steer business
Regulatory/Legal    Fines from regulators or litigation/contract damage/prison
Asset               Fraud/theft/misuse; loss of trust in capital information/reputation damage; inability to measure investments/value of assets/intellectual capital
Operational         Loss of partners' trust; loss of quality of service/processes; business interruption
Market              Loss of competitive edge/loss of income and opportunities; loss of trust in financial information/reputation damage; loss of income and opportunities


Exploring Information Leakage risks

The IT perspective

If we look at the challenge from an IT perspective, the possible impact of inherent IT risks on these types of Information Leakage incidents also becomes clear on a more technical level. To show the particular types of risks involved here, we have organised the risks according to the various states that information can be in:

- Information in rest: Information that is stored in some form of information container (e.g. hard disk, USB memory stick, paper)
- Information in transit: Information that is being communicated using some form of communication medium (e.g. computer network, inter-process communication, sound)
- Information in use: Information that is being processed somewhere (e.g. changed, removed, transformed)

Each state of information can be associated with specific risks. An overview of these risks is shown in the table below.

ILP and Enterprise Content Management (ECM) Systems

By introducing Enterprise Content Management Systems, organisations are challenged by the need to control information and prevent leakage whilst aiming to create a new organisational culture of sharing and collaboration in order to strive for improved work processes and developmental excellence.

The ability to access information through user-friendly interfaces, and the influence of the "share all" culture introduced by the internet to users globally, have changed processes and work relations substantially, and the risks embedded in these cultural changes have grown accordingly.

The challenge of controlling information in a shared work culture

Organisational information assets were traditionally stored in a variety of media: physical media (e.g. paper), the human factor and, more recently, various databases that were relatively complex to access and use.

Controlling information confidentiality in such an environment, where content is constantly changing and being accessed by different parties, potentially with the ability to leak information, is a challenge that requires careful planning and implementation of appropriate controls on all levels: data, processes, users (people) and physical access, while maintaining the goal to share and collaborate.

IT Risks, by state of the information

Rest (store)
  Confidentiality: Leakage of information
  Integrity: Corruption of storage
  Availability: Destruction of information containers; inability to unhide hidden information
  Others (with quality aspect): Duplicate information sources (effectiveness, efficiency, maintainability)

Transit (communicate)
  Confidentiality: Eavesdropping/leakage of information; unauthorised hiding of information
  Integrity: Alteration of communication streams
  Availability: Unavailability of communication paths
  Others (with quality aspect): Multiple communication paths (maintainability)

Use (process)
  Confidentiality: Unauthorised access to information
  Integrity: Unauthorised change of information; unauthorised transformation of information
  Availability: Unauthorised removal of information
  Others (with quality aspect): Unauthorised duplication of information (efficiency, maintainability)


Who should fear the most?

"All types of organisations are at risk. Information Leakage is not bound to a specific industry."

Looking at the total number of reported incidents from the Data Loss Barometer, the sector Education (16 incidents), followed by the sectors Government and Healthcare (both 11 incidents) and Financial Services (eight incidents), should worry the most. Looking however at the number of affected people, Consumer Markets heads the pack (51 million people affected), just ahead of Government (33 million people affected).

The conclusion from these numbers is that Information Leakage can happen anywhere and that the organisations that hold the most valuable information should fear the most. So what information is most valuable? That depends on the type of organisation you are. Examples of information asset categories include:
- Personal identifiable information: available within most organisations
- Identification and authentication details: available within most organisations
- Competitive intelligence: available within most organisations
- Financial steering information: available within most organisations
- Medical information: insurance companies and the Healthcare industry
- Bank details: Financial services, card processing industries
- Intellectual property: the Entertainment industry (books, films, music), the Software industry (source code) and Consumer Markets (recipes)

In many cases sensitive information assets actually reside in more than one category. However, whether it is information related to decision makers (such as board room communication, merger and acquisition processes, lay-offs, etcetera), development processes, marketing and sales, employees, customers or partners, loss of information may have an impact on parties and activities throughout the organisation.

"In the foundation of the identification of applicable risks lies the need to identify sensitive information assets and related organisational activities."

Each organisation is unique, and so are the applicable risks resulting from internal and external sources. In the foundation of the identification and mapping of risks lies the need to identify sensitive information assets and related organisational activities. When exploring sensitive information assets, the full Information Life Cycle of this sensitive information asset needs to be taken into account. In the following paragraph the Information Life Cycle will be explained in detail.


The different types of information media should be taken into consideration in the process of mapping the risks. Computer-related data (inside and outside the borders of the organisation), physical media, and the information that resides in the human factor should all be considered in such mapping, and the applicable impact to each medium should be addressed.

ILP and the Information Life Cycle

Information is a live entity: it changes over time and according to the conditions in which it lives. Threats that can impact the completeness, correctness and confidentiality of information are constantly changing.

Figure: the Information Life Cycle and the properties that matter in each phase
Phase 1 - Generation: Ownership; Classification; Governance
Phase 2 - Use: Internal versus External; Third Party; Appropriateness; Discovery/Subpoena
Phase 3 - Transfer: Public versus Private Networks; Encryption Requirements; Access Control
Phase 4 - Transformation: Derivation; Aggregation; Lineage
Phase 5 - Storage: Integrity; Access Control; Structured versus Unstructured; Integrity/Availability/Confidentiality; Encryption
Phase 6 - Archival: Legal and Compliance; Offsite Considerations; Media Concerns; Retention
Phase 7 - Destruction: Secure; Complete
Compliance: Audit & Regulatory; Legal; Measurement; Business Objectives

Like every growing organism, information has a life cycle. All phases in this life cycle have special properties that play an important role during the life of the information. At creation, ownership needs to be defined and, based on the value of the information, the information needs to be classified and tagged accordingly. Furthermore, a governance structure needs to be put in place for this information element. At the end of its life, information needs to be destroyed in a complete and secure way. Between birth and death, a number of other properties that need the attention of management become less or more important depending on the phase that the information is in. In order for organisations to control their information, this needs to be recognised.


Information Leakage Prevention defined

"ILP is all about putting the organisation's most sensitive information assets first."

To prevent Information Leakage, ILP concerns putting the organisation's most sensitive information assets first: identify and classify them, map the specific risks that apply to them and implement measures to protect and monitor them.

Creating sustainable ILP is a complicated task that requires a comprehensive approach, one that addresses organisational information assets in all forms, incorporating forensics, legislation and compliance drivers, industry- and organisation-specific threats as well as the stakeholders' vision.

At the basis of all ILP concepts lies the model below. The outlined layers represent both the different aspects of the applicable risks to organisational information assets and the different categories of preventive and detective measures required to protect them:

Information Leakage Prevention
- People
- Processes
- Data
- Physical infrastructure

- People: A variety of measures addressing the human factor. Applicable measures include awareness, information ownership, enforcement measures, reporting mechanisms, etcetera
- Processes: A variety of measures combined to identify and redesign controls and address violations related to information assets
- Data: Refers to a variety of measures combined to identify, monitor and control information in use (end-point activities), in motion (transferred through communication) and in rest (stored)
- Physical infrastructure: Physical and technological measures aimed at controlling inventory, physical access, eavesdropping prevention, loss of media, etcetera


Applying measures to prevent Information Leakage

The prevention of Information Leakage is a multidimensional challenge. When attempting to prevent Information Leakage, all aspects and dimensions should be considered and taken on board. Preventing Information Leakage requires organisations to implement and maintain a management system consisting of policies, processes and technology measures that enable organisations to govern, protect and manage information in an effective and efficient manner.

It is important to note that the effort to prevent Information Leakage is an ongoing process and is strongly dependent on changes in the organisational environment (e.g. structural changes, mergers and acquisitions, etcetera) and on changes in risk and in the stakeholders' vision. It is essential that organisations implement a management system to support this ongoing process.

The scheme on this page provides an overview of relevant Information Leakage Prevention processes as well as measures that could be implemented within organisations, based on the four layers as explained in the previous paragraph.

Figure: Information Leakage Prevention processes (Mapping; Classification & Risk Mapping; Information ownership; Controlling Access; Controlling Activities - Policy enforcement; Monitoring & Incident response) mapped onto the four layers and their supporting measures: People (IAM; Awareness & enforcement), Processes (ECM; Redesign & workflows), Data (IAM; DLP; Access control; DLP+SIEM) and Physical infrastructure (Asset management systems; Monitoring devices, policies and procedures)

Implementing ILP requires a set of processes aimed at addressing the information confidentiality challenge. The main processes to be identified are:
1. Mapping of information assets ("Know what you own"): This process is aimed at identifying an organisation's information and where this information is available within that organisation, regardless of the media type. The first effort is targeted at creating an inventory list pointing out information assets and their location.
2. Classification and risk mapping: This process is aimed at addressing the value of information assets. The process is usually performed using classification matrices, including the mapping of the applicable risks and the impact of losing this information.
3. Controlling access: Whether addressing physical or logical information assets, defining appropriate access to them is a fundamental mechanism to ensure the confidentiality of information. This needs to be performed by preventing unauthorised access to information using techniques such as securing systems, secure programming and software patching, while at the same time enabling authorised access to information using techniques such as authentication and authorisation.
4. Controlling processes (policy enforcement): Combining the stakeholders' vision with the applicable risks into a set of clear and unambiguous rules aimed at preventing different types of activities (e.g. copying, allocating, etcetera) with regard to information assets. This set of rules and policies, supported by technological means and business processes, is likely to be implemented in multiple layers within the organisation and is to be communicated via awareness programmes.
5. Monitoring and incident response: The creation of mechanisms to allow constant monitoring of changes and combinations of events in order to identify changes to risk, impact, location, access and potential incidents, whilst being able to respond to and handle potential events promptly.
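As an added illustration (not part of the KPMG paper), the following Python sketch shows how processes 1, 2 and 4 above could be represented in code: an inventory of information assets with their location and owner, a classification matrix that maps asset categories to a classification level and an impact score, a risk score that multiplies that impact by an assumed likelihood of leakage per location, and a policy-enforcement check that decides whether an activity on an asset is allowed. The asset categories follow the ones the paper lists; the classification levels, impact and likelihood values, policy rules and role names are assumptions chosen for the example.

```python
"""Added example: asset inventory, classification matrix, risk mapping and
policy enforcement for an ILP programme. All levels, weights, rules and
role names are assumptions made for this illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Classification matrix (assumed): category -> (classification level, impact 1..5).
CLASSIFICATION_MATRIX = {
    "personal_identifiable_information": (Level.CONFIDENTIAL, 4),
    "authentication_details": (Level.SECRET, 5),
    "competitive_intelligence": (Level.SECRET, 5),
    "financial_steering_information": (Level.CONFIDENTIAL, 4),
    "medical_information": (Level.SECRET, 5),
    "bank_details": (Level.SECRET, 5),
    "intellectual_property": (Level.CONFIDENTIAL, 4),
    "marketing_material": (Level.PUBLIC, 1),
}

# Likelihood of leakage per storage location / medium (assumed, 1..5).
LOCATION_LIKELIHOOD = {
    "database": 2, "file_server": 2, "paper_archive": 3,
    "laptop": 3, "outsourced_hosting": 4, "usb_stick": 5,
}

# Policy rules (assumed): an action is denied once the asset's level reaches
# the threshold, unless the actor holds an exempt role.
POLICY = [
    ("copy_to_usb", Level.CONFIDENTIAL, frozenset()),
    ("email_external", Level.INTERNAL, frozenset({"information_owner"})),
    ("print", Level.SECRET, frozenset({"information_owner"})),
]


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    location: str
    owner: str


def classify(asset: Asset) -> Level:
    """Process 2: look the asset up in the matrix; unknown categories are
    treated as SECRET so an unclassified asset is never under-protected."""
    return CLASSIFICATION_MATRIX.get(asset.category, (Level.SECRET, 5))[0]


def risk_score(asset: Asset) -> int:
    """Process 2: impact of loss multiplied by likelihood of leakage where stored."""
    impact = CLASSIFICATION_MATRIX.get(asset.category, (Level.SECRET, 5))[1]
    return impact * LOCATION_LIKELIHOOD.get(asset.location, 5)


def risk_register(inventory):
    """Processes 1 and 2: the inventory ranked by risk, highest first, so the
    owner sees where the most valuable information sits in the riskiest place."""
    return sorted(((risk_score(a), a.name, a.location, a.owner) for a in inventory),
                  reverse=True)


def evaluate(actor_role: str, action: str, asset: Asset):
    """Process 4: returns ("allow" | "deny", reason) for an activity on an asset."""
    level = classify(asset)
    if action == "read":
        if actor_role == "contractor" and level > Level.INTERNAL:
            return ("deny", f"contractors may not read {level.name} information")
        return ("allow", f"read of {level.name} information by {actor_role}")
    for rule_action, threshold, exempt in POLICY:
        if action == rule_action and level >= threshold and actor_role not in exempt:
            return ("deny", f"{action} of {level.name} information is blocked by policy")
    return ("allow", f"{action} of {level.name} information permitted")


# Constructed inventory for the illustration.
INVENTORY = [
    Asset("customer_records", "personal_identifiable_information", "database", "sales"),
    Asset("board_minutes", "competitive_intelligence", "laptop", "board_secretary"),
    Asset("payment_export", "bank_details", "usb_stick", "finance"),
    Asset("product_brochure", "marketing_material", "file_server", "marketing"),
]

if __name__ == "__main__":
    for score, name, location, owner in risk_register(INVENTORY):
        print(f"{score:3d}  {name:18s} {location:14s} owner={owner}")
    print(evaluate("employee", "copy_to_usb", INVENTORY[0]))
    print(evaluate("information_owner", "email_external", INVENTORY[0]))
```

The register puts the bank details on the USB stick at the top, which is the kind of finding process 1 exists to surface, and the policy check fails closed: a category missing from the matrix is classified SECRET rather than ignored.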


Taking into account the four-layer model to outline possible measures, and recognising that applicable measures may vary from one organisation to the next, the following list gives a partial overview of measures within a typical organisation:
- Human-related information assets are to be controlled and monitored through measures such as awareness programmes, enforcement activities, information ownership and delegation models
- The ILP processes must be mapped and classified. The result of these actions should be stored and made accessible (using, for example, Enterprise Content Management systems). Access to this environment must be controlled via Identity & Access Management mechanisms. To ensure that the approved processes are followed, monitoring and policy enforcement can be performed by redesigning these processes and implementing workflows
- The technical measures concerning the prevention of Information Leakage can be implemented by a combination of processes and infrastructures at different levels. Examples include:
  - Data Loss Prevention (DLP) software solutions, which are a substantial part of an overall ILP concept, allowing the information owner to identify, label, monitor and control information in use (end-point activities), in motion (transferred through communication) and in rest (stored)
  - Identity and Access Management (IAM) infrastructures, allowing the owner to control access to that information by controlling identities, access mechanisms, authentications and authorisations, and applying a business context to it
  - Security Incident and Event Management (SIEM), allowing the monitoring and identification of violations of policies, and incident response
- Physical security measures should include the ability to inventory and classify physical information assets via asset management systems, enforce access controls and monitor violations via traditional monitoring devices, integrated physical security mechanisms and the enforcement of policies and procedures

In order to achieve a sustainable ILP mechanism, organisations must be able to integrate measures and obtain an overall vision and understanding of the relationship between the different layers and types of information assets.

ILP and Identity & Access Management (IAM)

IAM combined with DLP infrastructures and classification matrices are essential components of the technical aspects of a sustainable ILP Programme.

A fundamental element of a sustainable ILP programme is the essential IAM infrastructure. IAM has become the primary measure to control the confidentiality of information assets over the last ten years, by preventing unauthorised access and enabling authorised access to information assets.

IAM provides the business context to the ILP programme by attaching business processes and roles to the information assets identified and monitored by the DLP infrastructure. A viable IAM infrastructure, supported by a DLP infrastructure (indicating the location of the relevant assets) and a classification matrix (defining the value of the information assets), is vital to ensure that information confidentiality (as well as completeness and correctness) is maintained and controlled.


DLP and Security Incident and Event Management (SIEM)

Enhancing the ability to investigate, monitor and respond

SIEM infrastructures are widely implemented in many organisations to allow the identification of and incident response to security violations by collecting log information and analysing, prioritising and correlating it to an identified violation. SIEM mechanisms are highly dependent on the quality of the log information generated by systems, applications, databases and network devices, and lack the information-centric focus needed to complement and provide context to the aggregated information. Integrating DLP capabilities with a SIEM infrastructure allows an organisation to:
- monitor sensitive information assets
- respond to and handle incidents related to violations of confidentiality
- investigate and collect evidence through a complete and comprehensive audit trail
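To make that integration concrete, here is an added Python example (not code from the paper or from any DLP or SIEM product). A minimal DLP inspection step flags content that carries a classification tag or a Luhn-valid card number and emits one event per user activity; an assumed IAM directory attaches role and department as the business context the IAM section above describes; and a SIEM-style correlation raises an incident when one user moves sensitive information over an external channel several times within a short window, keeping the contributing event ids as the audit trail. User names, channel names, thresholds and the sample events are constructed for the example.

```python
"""Added example: DLP content inspection feeding SIEM-style correlation.
Users, channels, thresholds and the IAM context table are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13 to 19 digit groups
LABEL_RE = re.compile(r"\[(CONFIDENTIAL|SECRET)\]")        # classification tags
EXTERNAL_CHANNELS = {"usb", "email_external", "webmail"}   # leave the organisation

# Assumed IAM directory: the business context attached to each identity.
IAM_CONTEXT = {
    "alice": {"role": "sales_agent", "department": "Consumer Markets"},
    "bob": {"role": "information_owner", "department": "Finance"},
    "carol": {"role": "analyst", "department": "Risk"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that random digit runs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect(content: str) -> dict:
    """DLP step: count Luhn-valid card numbers and collect classification labels."""
    cards = [m.group() for m in CARD_RE.finditer(content)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"card_numbers": len(cards), "labels": sorted(set(LABEL_RE.findall(content)))}


def dlp_event(event_id: str, ts: str, user: str, channel: str, asset: str, content: str) -> dict:
    """One DLP event per user activity, enriched with the IAM business context."""
    findings = inspect(content)
    return {
        "id": event_id, "ts": datetime.fromisoformat(ts), "user": user,
        "channel": channel, "asset": asset, "findings": findings,
        "sensitive": findings["card_numbers"] > 0 or bool(findings["labels"]),
        "context": IAM_CONTEXT.get(user, {"role": "unknown", "department": "unknown"}),
    }


def correlate(events, window=timedelta(minutes=15), threshold=3):
    """SIEM step: per user, flag `threshold` or more sensitive transfers over an
    external channel inside `window`; the event ids form the audit trail."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["sensitive"] and e["channel"] in EXTERNAL_CHANNELS:
            per_user[e["user"]].append(e)
    incidents = []
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                incidents.append({
                    "user": user,
                    "context": evs[end]["context"],
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                    "audit_trail": [x["id"] for x in evs[start:end + 1]],
                })
                break               # one incident per user; responders follow the trail
    return incidents


# Constructed sample events: a burst of card data to USB by alice, a single
# labelled document mailed out by the information owner bob, and an internal
# transfer by carol that never leaves the organisation.
SAMPLE_EVENTS = [
    dlp_event("e1", "2009-06-16T09:00:00", "alice", "usb", "export1.csv",
              "[CONFIDENTIAL] 4111 1111 1111 1111 Jansen"),
    dlp_event("e2", "2009-06-16T09:05:00", "alice", "usb", "export2.csv",
              "378282246310005 de Vries; order 1234567890123456"),
    dlp_event("e3", "2009-06-16T09:12:00", "alice", "usb", "export3.csv",
              "[SECRET] 5500 0000 0000 0004"),
    dlp_event("e4", "2009-06-16T09:30:00", "bob", "email_external", "q2.xlsx",
              "[CONFIDENTIAL] quarterly figures"),
    dlp_event("e5", "2009-06-16T09:40:00", "carol", "file_server", "model.xls",
              "[SECRET] 4111 1111 1111 1111"),
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

The order number in e2 fails the Luhn check and is not counted, carol's transfer stays internal and never enters the correlation, and bob's single message is below the threshold; only alice's three USB copies within twelve minutes become an incident, with e1, e2 and e3 recorded as the evidence trail.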


Compliance is a significant driver of the integration of DLP and SIEM, and when taken into consideration beforehand in the design process, such an infrastructure allows an organisation to provide legislators and auditors with complete and correct scenarios, and to demonstrate due diligence and the ability to respond to significant incidents promptly.


Setting up an ILP Improvement Programme

As an ILP improvement programme should be considered a strategic initiative, senior management should be driving this improvement programme and involving key stakeholders. In this context the key stakeholders are the information owners, followed by the Chief Information Officer and, to a lesser extent, those responsible for IT operations.

Tackling the Information Leakage Challenge requires a staged, multidisciplinary improvement programme. Initiating an ILP Improvement Programme within your own organisation requires awareness, commitment and endorsement from senior management.

In addition, a solid and confirmed ILP strategy must be in place to steer the ILP Improvement Programme. Since preventing Information Leakage is a profound challenge, organisations should choose the right ambition level for this improvement programme based on the current and envisioned ILP state of the organisation.

Figure: Information Governance Maturity model. The vertical axis is Information Governance Maturity (low to high); the horizontal axis is Information Accuracy and Organizational Confidence (low to high). The figure summarises the five levels as follows:
- Level 1 Informal: Awareness that problems exist but the organization has taken little action regarding data quality.
- Level 2 Planned and Tracked: Awareness but actions only occur in response to issues. Action is either system or department specific.
- Level 3 Well Defined: Information is part of the IT Strategy and Enterprise Management processes exist.
- Level 4 Controlled: Information is managed as an enterprise asset and well developed governance processes and organizational structures exist.
- Level 5 Continuous Improvement: Information Governance is a strategic initiative, issues are either prevented or corrected at the source, and a leading-in-class solution architecture is implemented. Focus is on continuous improvement.

Level 1 Informal: The organisation knows it has issues around Information Governance but is doing little to respond to these issues. Awareness has typically come as the result of some major issues that have occurred and that have been Information Governance-related. An organisation may also be at the Aware state if it is going through the process of moving to a state where it can effectively address issues, but is only in the early stages of the programme.

Level 2 Planned and Tracked: The organisation is able to address some of its issues, but not until some time after they have occurred. The organisation is unable to address the root causes or predict when they are likely to occur. External help is often needed to address complex data quality issues, and the impact of fixes made on a system-by-system level is often poorly understood.

Level 3 Well Defined: The organisation can stop issues before they occur as it is empowered to address root cause problems. At this level, the organisation also conducts ongoing monitoring of data quality so that issues that do occur can be quickly resolved.

Level 4 Controlled: The organisation has a mature set of information management practices. This organisation is not only able to proactively identify issues and address them, but defines its strategic technology direction in a manner focused on Information Development.

Level 5 Continuous Improvement: In this model, Information Governance is treated as a core competency across strategy, people, process, technology and controls.


In order to choose the appropriate ambition level for the programme, organisations may use the Information Governance Maturity Model shown above. The Information Governance Maturity Model outlines the different levels of Information Governance, whereby Information Governance incorporates ILP.

By recognising an organisation's current ILP maturity level as well as confirming the envisioned maturity level, an organisation will be able to develop the appropriate programme strategy and detail the required improvement project(s) and activities that will enable it to reach its envisioned ILP maturity level.

To conclude

Companies face an ever increasing challenge to control their important business information and prevent Information Leakage. KPMG's Data Loss Barometer and e-Crime survey indicate that, regardless of the growth in the implementation of information security technologies, there is still a noticeable growth in Information Leakage incidents as well as growth of the risks and threats to organisational information assets. All types of organisations are at risk: the Information Leakage Challenge is not bound to a specific industry. Being in control over information assets is a management responsibility, and management must address changes in risks and threats, whether due to changes in the global economy, in the competitive landscape or in the organisation's specific activities.

Preventing Information Leakage requires organisations to implement and maintain a management system consisting of policies, processes and technology measures that enable them to govern, protect and manage information in an effective and efficient manner. Sustainable ILP can only be achieved by implementing a comprehensive concept that addresses different types of information and risks and is endorsed by senior management. As previously mentioned, ILP is all about putting the organisation's most sensitive information assets first, and, as information is the core of all organisations, controlling it is a task that combines business, technology and people's vision.

About the authors:

Drs. Hans (J.W.) de Jong CISA CISSP
Manager
+31 (0) 20 656 8049
dejong.hans@kpmg.nl

Ing. John A.M. Hermans RE
Associate Partner
+31 (0) 20 656 8394
hermans.john@kpmg.nl


kpmg.nl

Contact us
KPMG
Burgemeester Rijnderslaan 10-20
1185 MC Amstelveen
P.O. Box 74555
1070 DB Amsterdam
The Netherlands

The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavor to provide accurate and
timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation.

2009 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682 and a Dutch limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

113_0609
