Network Organization and Governance                                         4-9

            operational, and financial implications. For organizations to protect such information, they must put
            policies and monitoring/filtering tools in place to monitor and control privacy-sensitive identity infor-
            mation from data leakage.
              The question is: What is better—monitoring the data or the people? Monitoring company data itself
            is a strong control of “security-in-depth” and gives enterprises a significant and valid means of data
            security. However, not all threats are data-centric. The challenge of the insider threat is that it covers a
            variety of behaviors that put business at risk—people might do bad things. When management decides
            to put more emphasis on the employees’ side, new roles and responsibilities must be created and imple-
            mented. Examples are:

              •   Responsibilities for protecting company and customer data
              •   The value of understanding employee behavior and the need for situational context
              •   Behaviors that put businesses at risk: accidental or process failure, to the malicious, hacks, sabo-
                 tage, IP theft, customer theft, and fraud
              •   Where policies fail and breaches take place
              •   How to enact company policies that will curtail malicious behavior
              Most of the vendors primarily address the data-leakage issue from the network perimeter as their
            products are designed to sit at the network edge and scan multiple communication protocols. These
            protocols are used for supporting various applications, such as e-mail, Web browsing, IM, and FTP, to
            determine whether sensitive content is wrongly communicated outside the boundaries of the enterprise
            network. A monitor that typically hangs off a network switch captures traffic and passes information
            about it back to the administrative console for analysis and storage purposes. Most enterprises ini-
            tially install these products and run them for several months in a simple monitoring mode (instead of
            immediately blocking suspicious outgoing traffic) to watch employee work activities so they can identify
            trends that will assist in establishing appropriate policies. Many products offer policy wizards that help
            define the keywords or patterns to look for in addition to monitoring for specific user behavior, such as
            altering certain documents. When these attributes are used in conjunction with policy rules, adminis-
            trators reduce the risk of false positives.
              Once administrators have imported specific data formats, such as social security numbers, credit
            card numbers, and intellectual property brand identifications, into monitoring and filtering products,
            they can create policies that will notify them whenever data has left the corporate boundary with these
            patterns. Some products combine filtering and monitoring with regulatory compliance and security.
              How a company uses these products is unique to the internal culture of the organization, the industry
            it plays in, and what it ultimately hopes to gain from using these products.
              Content filtering and monitoring technology should be one component of an overall internal or exter-
            nal auditing process, as it keeps an eye toward improving operational efficiencies by identifying internal
            policy violations, providing more accurate financial reporting, limiting exposure to class-action law-
            suits, and complying with applicable industry, local, and federal regulations. But can the audit logs gen-
            erated by these products help in legal situations involving employees who criminally violate company
            policy? While noting that the privacy laws have not yet been tested in the courts, consultants say the
            logs and reports generated by these tools indicate that a corporation is taking effective, efficient actions
            to maintain privacy practices required to avoid the courtroom.
              In general, these products are costly. Pricing varies greatly, but most vendors will charge per user/
            workstation, per appliance, or per the exit points at which information can leave the corporate network,
            such as through e-mail attachments, IM, and data uploading to a FTP server.
              When selection of tools is under consideration, the following attributes could become important:

              •   Can documents be defined based on categories (e.g., internal names, draft press releases, price
                 lists, etc.)
              •   Can documents be assigned different access controls?