FDAnews
www.fdanews.com/articles/77900-comprehensive-electronic-data-monitoring-should-supplement-encryption-efforts

Comprehensive Electronic Data Monitoring Should Supplement Encryption Efforts

May 23, 2006

Protecting electronic data (edata) requires a thorough understanding of what is most important and what is most at risk in your systems, a leading analyst said at a recent webinar.

That puts a lot of responsibility on companies, because the FDA regulations don't spell out what constitutes compliance, said Paul Proctor, a vice president in the security and risk practice of Gartner Research.

Absent absolute rules from regulators, firms should aim for three overarching regulatory compliance goals:

Accountability: ties actions to people and assigns responsibility within "a decent" governance framework, he said. "Who is doing what and, more importantly, who is responsible?"

Transparency: makes the operations of an organization more auditable by increasing visibility into its core processes, that is, knowing what is going on inside your network and understanding how controls are operating.

Measurability: provides the basis for continuous improvement by establishing a baseline against which later results can be compared. "What was the significance of the actions detected during monitoring?"

At the same time, because no regulation provides a "definitive assertion" of what constitutes compliance, that vagueness means companies must define, articulate and execute their own program that is "reasonable and appropriate," Proctor said.

This has been a significant issue for FDA-regulated life sciences firms for several years, since the FDA scaled back enforcement of many of its 21 CFR Part 11 requirements. While the relaxed policy was generally applauded by industry, there has been some concern that the FDA does not adequately spell out what risk means, making it tough for companies to know how to meet or exceed compliance requirements.

Assessing and Documenting Risk

Proctor noted that most regulations recognize that you can't protect yourself from everything, but that you should focus, via risk assessment, on "what you are most afraid of." The assessment should be organized as a well-documented, proactive program.

The "secret" to all of this is producing a "defensible case that you picked the right thing; that is how to effectively address regulation," Proctor said at the May 4 webinar sponsored by Tizor. "Don't rely on regulations to specify your monitoring requirements," he stressed.

To build an effective, comprehensive monitoring program, firms must first identify all sources that generate events, such as email, laptops, data centers, databases, servers and applications. It's not easy, but it must be done, Proctor stressed: "You can't build an effective monitoring program" without it.

After these sources are identified, detection requirements should be defined. That means knowing where sensitive data is and understanding which external and internal threats it is most likely to face. The system should then be tuned to look for discrepancies from expected behavior, Proctor said.

Comprehensive monitoring is a complex topic that many companies struggle with, and some rely too heavily on encryption instead, he suggested.

Decipher Encryption's Limits

"Encryption is not a silver bullet. You must balance it with monitoring," Proctor said. Encryption is a preventative control, but once an organization encrypts something, the data still has to be used, and it still moves around. To be used or moved it has to be decrypted, and at that point encryption no longer protects it, something many organizations don't realize, he added.

"Use access controls as the first line of data security but do not rely [solely] on stored data encryption," Proctor advised.
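The following is an added example, not code from the article, from Gartner or from Tizor, that ties together the monitoring procedure above (identify the event source, define detection requirements, tune for discrepancies) and the limit of stored-data encryption just described. Records are encrypted at rest, but the only place plaintext is produced is the store's read path, so that is where the monitor is attached: the cipher cannot tell an authorized application from an attacker holding the same key or session, but a per-principal baseline can flag reads that fall outside it. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only because the standard library has no AES; in production use AES-GCM from a vetted library. All principals, table names, thresholds and events are constructed for the demonstration.

```python
"""Added example: encryption at rest plus monitoring at the decrypt boundary.
Not from the FDAnews article; principals, tables and thresholds are invented."""
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime


def _subkeys(key):
    # Separate keys for confidentiality and integrity, derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, n):
    # Counter-mode keystream: block i = HMAC(enc_key, nonce || i). Stand-in for AES-CTR.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    # Output layout: 16-byte nonce || ciphertext || 32-byte tag (encrypt-then-MAC).
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Monitor:
    """Detection requirements as a per-principal baseline:
    baseline[principal] = (allowed tables, max rows per read, allowed hours)."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.alerts = []

    def observe(self, event):
        who, table, rows, when = event["principal"], event["table"], event["rows"], event["time"]
        allowed = self.baseline.get(who)
        if allowed is None:
            self.alerts.append((who, table, "no baseline for principal"))
            return
        tables, max_rows, hours = allowed
        if table not in tables:
            self.alerts.append((who, table, "table outside baseline"))
        if rows > max_rows:
            self.alerts.append((who, table, f"{rows} rows exceeds baseline {max_rows}"))
        if when.hour not in hours:
            self.alerts.append((who, table, f"access at {when.hour:02d}:00 outside baseline hours"))


class SecureStore:
    """Rows are stored encrypted. read() is the only place plaintext appears,
    so every use of the data is visible to the monitor there."""

    def __init__(self, key, monitor):
        self.key, self.monitor = key, monitor
        self.tables = defaultdict(list)

    def insert(self, table, row):
        self.tables[table].append(encrypt(self.key, row.encode()))

    def read(self, principal, table, when, limit=None):
        # Any caller that reaches this point gets plaintext; the cipher cannot
        # distinguish them. The audit event is emitted for every read.
        rows = [decrypt(self.key, b).decode() for b in self.tables[table][:limit]]
        self.monitor.observe({"principal": principal, "table": table,
                              "rows": len(rows), "time": when})
        return rows


def run_scenario():
    # Constructed baseline: the LIMS application and a QA reviewer during business hours.
    baseline = {
        "lims_app": ({"batch_records", "assay_results"}, 50, set(range(6, 20))),
        "qa_reviewer": ({"batch_records"}, 10, set(range(8, 18))),
    }
    monitor = Monitor(baseline)
    store = SecureStore(os.urandom(32), monitor)
    for i in range(200):
        store.insert("batch_records", f"batch-{i:04d},lot-A,pass")
    # Constructed events: two normal reads, then an unknown contractor account
    # and a full-table export by the application at 02:05.
    store.read("lims_app", "batch_records", datetime(2006, 5, 4, 10, 15), limit=20)
    store.read("qa_reviewer", "batch_records", datetime(2006, 5, 4, 14, 0), limit=5)
    store.read("contractor_x", "batch_records", datetime(2006, 5, 4, 23, 30))
    store.read("lims_app", "batch_records", datetime(2006, 5, 5, 2, 5))
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The two normal reads produce no alerts; the contractor account and the off-hours bulk export do, even though all four reads decrypted the same data with the same key. That is the practical meaning of Proctor's point: encryption decides who can read, monitoring tells you who did.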

Most organizations are blind to some very obvious behaviors, Proctor said. For example, many send sensitive intellectual property to contractors as a routine part of doing business.

With so much outsourcing, that is a concern and "rightly should be," he added. Protecting edata is no longer just about intrusion. Outsourcing and sending edata outside the organization open up a whole new set of challenges that some firms are slow to acknowledge, he said. -- Michael Causey