Doculabs Everteam houston breakfast 06.29.17 v0.2

Information Management, Data Theft, and the Kill Chain

Joe Shepley, Doculabs

Doculabs, Inc. 2017

Session Objectives

• Information security requires defending against what is often the weakest link in the cyberattack kill chain at organizations: data theft

• In this session, you'll learn how InfoSec can address the information management risk posed by data theft and drive value for the organization

Why Information Management is Important to InfoSec

• The question of a breach isn’t if, it’s when

• When they get in, what will they find?

• When they find 5, 10, 15+ years of sensitive data that’s past its legal and operational life, InfoSec is on the hook, not (typically) records, legal, or IT

• InfoSec needs to address information management to reduce the organization’s risk surface and do their job effectively

The Kill Chain

Historically, data theft has been the weakest link in the Kill Chain, and Chief Information Security Officers (CISOs) are now turning to address it.

Research the Organization

Introduce Malware

Control a Device

Find Other Devices to Control

Stay or Leave

Data Theft

Find the Source of the Data

An Information Management Framework for InfoSec

Defensible Content Disposition Playbook

Policy Alignment

Procedure Alignment

Content Cleanup

Change Management

Policy Alignment

• You need to align your corporate policies with information management good practices

• This alignment ensures that if you’re following the good practices, you’re also following corporate policy

• The specifics will differ from organization to organization, but there are some general areas that any policy alignment will need to cover:

  • Corporate records management policy must address both paper and electronic records

  • You need to address the security classification of data – e.g. public, internal, confidential, highly confidential

  • You need to address orphaned and abandoned data

Procedure Alignment

• You need to align your disposition procedures with your policies (and therefore your playbook)

• You need to provide detailed, step-by-step guidance for how to disposition data – guidance which, if followed, makes it reasonable for courts or regulatory bodies to assume that the policies (and playbook) are also being followed

• You need to be granular – not content disposition, but rather a series of linked procedures to guide your technical resources in content disposition:

  • E.g. file analytics procedure, disposition procedure, testing procedure, remediation procedure, application decommissioning

Defensible Content Disposition Playbook

• The primary concern in content disposition is getting it right technically

• But the legal risks are more critical and potentially more damaging

• You need a playbook to memorialize the requirements of the disposition and the results

• You need to be able to defend what you did regarding content disposition for the courts or regulators – 5, 10, or 15 years later

Content Cleanup

• For some organizations, cleanup is a standalone effort to purge; for others, it may be part of the preparations for a content migration

• You need tools to help in the effort; it’s not reasonable to expect end users to manually comb through their content to purge junk or stale data, or to identify sensitive data that needs to be protected

• The results of your repository scan are likely to be something like the following, which we’ve observed at dozens of clients over the last 10 years:

  • Approximately 30 to 70 percent “junk” content, which can be removed immediately

  • Approximately 20 to 40 percent stale content (defined as older than 3 years, based on date last accessed), which can be archived or purged, depending on your approach

  • An estimated 1 to 10 TB of stale sensitive content, which can be quarantined immediately with no operational impact

• By classifying your content into these buckets and purging, archiving, etc., you’ll reduce your overall unstructured data footprint significantly (by anywhere from 30 to 90 percent)

• Doing so reduces the overall risk posed by your unstructured data, because you have less junk and stale data to distract you, as well as less sensitive data to protect
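
One way to run the scan-and-bucket step described above, as an added example that is not from the original presentation or from any Doculabs tool. The 3-year last-accessed cutoff is the slide's; the junk rule (empty files, scratch extensions, duplicates), the SSN-shaped pattern standing in for "sensitive", the sample files, and all function names are assumptions.

```python
import hashlib, os, re, tempfile, time
from collections import defaultdict

STALE_SECONDS = 3 * 365 * 86400                    # slide's definition: >3 years since last access
JUNK_EXTENSIONS = {".tmp", ".bak", ".dmp"}          # assumption: site-specific junk rule
SENSITIVE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # assumption: SSN-shaped strings only

def classify(path, now, seen_keys):
    """Return (bucket, size) for one file; stat first, because reading can update atime."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)                     # assumption: inspect the first 1 MiB only
    key = (st.st_size, hashlib.sha256(data).hexdigest())
    duplicate = key in seen_keys                    # heuristic: same size and same first MiB
    seen_keys.add(key)
    if st.st_size == 0 or duplicate or os.path.splitext(path)[1].lower() in JUNK_EXTENSIONS:
        return "junk", st.st_size
    stale = now - st.st_atime > STALE_SECONDS
    sensitive = SENSITIVE.search(data) is not None
    if stale:
        return ("stale_sensitive" if sensitive else "stale"), st.st_size
    return ("active_sensitive" if sensitive else "active"), st.st_size

def scan(root, now=None):  # walks in sorted order so duplicate detection is deterministic
    now = time.time() if now is None else now
    report, seen = defaultdict(lambda: {"files": [], "bytes": 0}), set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                            # never follow links out of the share
            bucket, size = classify(path, now, seen)
            report[bucket]["files"].append(os.path.relpath(path, root))
            report[bucket]["bytes"] += size
    return dict(report)

def demo():  # constructed sample tree: (name, content, days since last access)
    samples = [("a_report.txt", b"Q2 plan", 10), ("b_copy.txt", b"Q2 plan", 10),
               ("cache.tmp", b"scratch", 5), ("old_memo.txt", b"lunch menu", 2000),
               ("old_hr.txt", b"SSN 123-45-6789", 2000), ("new_hr.txt", b"SSN 987-65-4321", 1)]
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        for name, content, age_days in samples:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (now - age_days * 86400,) * 2)   # backdate atime and mtime
        return scan(root, now)
```

Last-access times are only as reliable as the file system's atime settings (noatime or relatime mounts), and a content scan can itself update them. Run against a snapshot or read-only mount where possible, and record the scan parameters alongside the results for the disposition playbook.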

Change Management

Stakeholder Matrix

• Who are the key stakeholders that need to be informed of the change and managed throughout your information management initiative?

Communications and Training Matrix

• What are the key communications and training events required for managing the changes in information management?

• When do these communications and training events need to be delivered, and to whom?

• What are the most appropriate vehicles for delivering communications and training to your various stakeholders and user groups?

Communications and Training Schedule

• When do we need to execute the planned training and communications events?

So Now What?

• Raise awareness in InfoSec about the importance of information management

• Articulate the quick win efforts InfoSec can take to reduce junk and stale data, identify sensitive data, and take preliminary steps to protect it – which reduces their risk footprint and shows progress to the C-level, the board, the courts, and regulators

Thank You

• Give me your card to get two Doculabs white papers on the intersection of information management and InfoSec.

• Connect with me to continue the conversation:

  • LinkedIn: https://www.linkedin.com/in/joeshepley/

  • Twitter: @joeshepley

  • Email: [email protected]

  • Phone: 773.827.2945

I'd love to help you figure out how to partner effectively with your information management team.


www.doculabs.com
