Using Information Rights Management to Prevent Snooping by IT Staff

Friday, July 09, 2010

Contributed By:
Peter Abatan

Human beings by nature are inquisitive and there will always be the temptation to pry into unauthorised confidential information. At the same time organizations must be able to control the viewing, movement and usage of sensitive data to prevent inappropriate distribution or leakage.

In a recent news article a survey carried out by Cyber-Ark global survey claimed that 41% of IT pros admit to snooping on confidential information.

The research also confirmed that snooping continues to rise within organizations both in the UK and the US. Forty-one percent of respondents confessed to abusing administrative passwords to snoop on sensitive or confidential information – an increase from 33 percent in both 2008 and 2009.

When examining the information that people were willing to circumvent the rules to access, US respondents targeted the customer database first (38 percent versus 16 percent in the UK) with HR records most alluring to UK respondents (30 percent versus 28 percent in the US).

When it comes to confidential information in unstructured format it is imperative that business takes responsibility for securing such information. Information Rights Management needs to be managed and administered by business and not IT, this rules out the possibility of unauthorised access.

In addition to encrypting each document or email, access to these documents are logged giving the data owner a full audit trail. Information Rights Management prevents staff from accessing information that is not relevant to their role.

Smart and best-in-class organizations are beginning to realize the benefits of using Information Rights Management.

Typical deployments for these organizations can vary from 3 days to 3 months, with exceptional deployments lasting between 6 months and a year, these tend to be global deployments across multiple departments with a high element of integration or customization.

The best way to get started is to ask for a proof of concept to see whether Information Rights Management meets your requirements.

For additional information on how to get started with Information Rights Management you can access Gartner’s latest publication called “Key Selection Criteria for Enterprise Digital Rights Management Solutions” by Eric Ouellet and Ray Wagner. There is also a ton of information on the Enterprise DRM blog.

Reference:

Help Net Security - 41% of IT pros admit to snooping on confidential information

Share This! |

Views:	3788
Categories:	General
Tags:	Security Management Data Loss Prevention

Post Rating I Like this!

Comments:

Michael Menefee this reminds me of a UK study put out a couple of years ago regarding the staggering percentage of employees that claimed to know their boss's password.

this really points to the overall failure of the operating systems and monitoring software used by the majority of organizations to properly track object access and enforce stated policies...

good read

1278705481

Mister Reiner This really get back to the inadequacies of information access audit logs and instilling a higher level of personal integrity in administrators to prevent snooping. Of the 41%, how many of those individuals do you think received ethics training? How many of them do you think signed confidentiality agreements or other types of agreements to reduce the likelihood of snooping?

It's important that organizations educate and reinforce workplace ethics - not just for administrators, but for everyone. Every employee has the potential to become an insider threat.

1278835615

Peter Abatan @Michael thanks for comments. I do think that many organisations can still do more to prevent snooping, but they have to acknowledge this as a potential problem first.

@Mister Reiner Ethics training is a great tool, but needs to be reinforced constantly throughout the employees tenure as you mentioned. Like the first day at work orientation, it can be easily forgotten if not repeated. Thanks for comments

1278972004

Vishal Gupta I think one of the key factors here is separation of information from its control .. so the IT folks can do their jobs of repairing, backups etc. but the IRM technology can ensure that even though they have physical access to the information they cannot abuse it .. I think its pretty powerful.

Vishal
www.seclore.com

1280852440

Peter Abatan Completely agree with you Vishal, that is the whole idea.

1280855953

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"I thought this article discuss a very important issue of security.If we have well developed technology in one particular field then we ..."

Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013

"ATM machine are for our convenience but if we are not careful they can compromise our safety. Discount theater tickets "

ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013

"A expressive case study is used to explore causation in order to find underlying principles. Case studies may be prospective in which c..."

New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013

"In the social sciences and life sciences a case study or case report is a descriptive or descriptive analysis of a someone, group or ev..."

Case Study: A Cloud Security Assessment... Caitlin Rachel on 05-21-2013