There are two factors at work that are driving interest in outbound scanning —regulatory compliance and protection of intellectual property. Regulatory compliance can be put into three basic buckets—the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB) and the Sarbanes-Oxley Act (SOX).
HIPAA requires that any entity dealing with personal healthcare information (PHI) put very specific safeguards in place to ensure this information is protected. The language around “safeguards” is open to interpretation, but in plain English it means any company that is transmitting patient health information such as doctor’s appointments, medical charts, etc., put in place encryption and access controls to make sure this information isn’t accidentally or intentionally exposed to unauthorized eyes. The intent of this act is to ensure that if an employee has a serious illness and leaves a job, they won’t be denied health coverage at their new employer.
For any company in the health care or insurance industry, this is a very significant regulation that requires a deep understanding of the act itself and a thorough review of enterprise wide workflow to ensure safeguards are in place, back to front. But, for small or medium sized business that are not specifically in the healthcare industry, there are still potential risks— especially since the HR team at a smaller enterprise may not have experience with the specifics of HIPAA. It’s not inconceivable that an HR generalist may email a patient’s history to an insurance provider—a clear HIPAA violation.
The IronPort appliances have built-in logic to provide basic safeguards against HIPAA violations. There is a pre-populated dictionary that looks for data that would appear on a patient healthcare record, such as treatment codes, medical names, and codes of drugs. These are very specific data types, so it is relatively easy for the system to identify healthcare information entering or leaving the firewall—and to flag it for encryption or review.
Having this type of protection in place is excellent practice to ensure someone doesn’t unknowingly violate HIPAA requirements and expose the enterprise to legal liability.
There are similar requirements for GLB. GLB applies to financial institutions (banks, mortgage companies, credit unions, etc.). It has specific guidelines for safeguarding personal financial information. The IronPort appliance has a
set of pre-populated filter terms to look for GLB triggers—things like social security numbers or credit card numbers. It is unlikely that a small or medium sized enterprise outside of the financial industry would need GLB filters, but this is a must have item for any enterprise dealing with financial services.
The third act is much more broad—Sarbanes Oxley. The spirit behind Sarbanes Oxley is intended to protect the market from inaccurate financial reporting in the wake of the Enron scandal. The majority of these regulations apply to internal finance and accounting procedures. However, there are some steps that can be taken with outbound email. Email coming to and from certain groups, such as legal or finance, should all be archived. This can be done with a few simple mouse clicks in IronPort Email Security Manager™. Beyond this, filters that look for financial indicators, such as social security numbers, can be employed.
However, this is a coarse protection layer (and likely to snag legitimate mail) so it is not recommended outside of the financial regulations driven by GLB.
Many small and medium sized businesses are looking for the lowest cost and easiest way to comply with regulations. IronPort email security appliances offer capabilities that meet this need. For more sophisticated compliance capability, IronPort has partnered with industry specialists such as PostX and PGP corporation. Together with PostX and PGP, IronPort can yield a fully integrated solution which can identify mail that needs special handling, and automatically take the appropriate measures such as archiving or encrypting the messages.These more sophisticated solutions tend to apply to the specific requirements called out in the healthcare and financial services industries.
Beyond compliance, there is growing interest in protecting the intellectual property of the enterprise. There have been many high profile cases of accidentally releasing sensitive information, such as press releases or earnings announcements. There is an important element of common sense that needs to be applied here. If an employee is intent on stealing and distributing information, it is very difficult to stop them. Information can leave the enterprise
on a USB drive or even on the back of a napkin. However, in many of the most publicized cases, the information leak was done accidentally. This is a problem that can be greatly reduced with some simple safeguards. The IronPort appliance has the ability to implement basic rules which look for sensitive information that should not be destined for the outside world.
These rules can be tied to information about the employee sending the mail (e.g. are they from the engineering department?) and to the destination of the mail (e.g. is it destined to a competitor?). Having simple rules that look
for mail coming from engineering going to a competitor, or a rule that looks for mail coming from the marketing team that contains the words “press release draft” can be very useful in detecting accidental dissemination of information. Think of it as a goalie for your private information.
These rules are easy to implement using IronPort Email Security Manager. Email Security Manager provides a graphical representation of the various rules being implemented for various groups, making it easy and quick to implement policies that ensure good housekeeping and prevent good people from doing bad things.
No comments:
Post a Comment