Content Controls for Regulatory Compliance

February 1, 2007

“Chief security officers need to fingerprint sensitive content to monitor outgoing flow,” says Robert Moeller.

A key requirement of Sarbanes-Oxley (SOX) is the definition, documentation, implementation and assessment of effective internal controls.

Controls are used to ensure the integrity of corporate information and the prompt reporting of material events that may affect the performance of the enterprise. While initial compliance efforts have focused on financial reporting, the scope of SOX is far broader and requires corporations--and CSOs--to develop effective internal controls for protecting key digital assets in a number of areas called Content Protection Controls.

To effectively protect sensitive content in a compliant manner, an enterprise must implement a set of policies and an automated technology solution to continuously monitor policy enforcement. Because of the many and varied lines of business and types of digital assets used, there is no single path to content protection. However, an enterprise looking to implement effective content protection controls should consider the following:

IDENTIFYING CONTENT AT RISK

There are multiple areas where an enterprise might have numerous levels of unprotected information assets. Typical digital information that is often at risk includes intellectual property such as source codes, product plans, engineering drawings, product formulations and patent materials, sensitive security video and database lists of customers and vendors. Understand and document these various types of information assets and the current control procedures in place.

CLASSIFICATION RULES

Content protection surveys will result in a long list of information assets. Enterprises should look at all of the identified data assets and decide which are most vulnerable, of which will receive priority for content protection controls. Special scrutiny should be given to content stored in a document management or content management system since this is of high value. Since an enterprise will not be able to establish content protection controls over all data assets, there should be a formal, documented record outlining content asset priority.

CULTURE OF CONTENT COMPLIANCE

Content protection policies and procedures need to be clearly stated to all stakeholders – employees, vendors and others. Clearly define types of sensitive content and how they can be copied or captured. All stakeholders should be required to sign and date a letter that states their acknowledgement of the document and that they agree to abide by them. With IT providing some guidance, the CSO, CFO or other senior officers should voice their concerns about content protection risks and vulnerabilities.

CONTENT PROTECTION TECHNOLOGY

Sensitive content leakage incidents can occur at many levels, including accidental postings of sensitive data on a public Web domain. Traditional IT control procedures such as identity management and access control lists are insufficient. New automated tools (content monitoring and filtering tools) are available to control content risks and vulnerabilities. These tools “fingerprint” sensitive content stored in the file system or in content management repositories. Installed at an organization’s Internet gateway, such tools monitor all of the content flowing out of and onto the Internet, thus deterring accidental or intentional sensitive data postings. Actions may include alerting, logging and actual blocking the attempted transmission.

There are several critical features to look for in an effective content protection solution:

Content Format Support – Ability to fingerprint and detect the large number of file formats.
Derivative Work Detection – Ability to accurately detect fragments of the original content that may be transmitted.
Language Independence - Ability to fingerprint and accurately detect content written in any language and character set.
Content Repository Support – Ability to register content to be protected from all storage locations and repositories.
Defensible Audit Trail – Audit trail and reporting capabilities that meet robust auditing standards.
Flexible Policy Definition – Ability to easily define policies that meet business needs.
Appliance Packaging – Software and hardware bundled together for ease of installation, optimum performance and lower total cost.

About the Author Robert Moeller is an expert and consultant specializing in compliance issues and internal controls. He has led teams to help organizations achieve Sarbanes-Oxley compliance and also is the author of several books including Sarbanes-Oxley and the New Internal Auditing Rules and Brink’s Modern Internal Auditing, 6th Edition, both published by Wiley. Moeller has an MBA in finance from the University of Chicago and has accumulated a wide range of professional certifications including the CPA, CISA, PMP and CISSP.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.