A key requirement of Sarbanes-Oxley (SOX) is the definition, documentation, implementation and assessment of effective internal controls.  These controls are seen to ensure the integrity of corporate financial information and the prompt reporting of material events that may affect the financial performance of the firm. While initial compliance efforts have been focused largely on financial reporting, the scope of Sarbanes-Oxley is far broader and requires corporations to develop effective internal controls for protecting their key assets in a number of areas. These controls are called “Content Protection Controls.”

To effectively protect sensitive content in a compliant manner, an enterprise must implement a set of policies and an automated technology solution to continuously monitor the enforcement of those policies. Because of the many and varied lines of business and types of digital assets used, there is no single path to content protection that fits all situations. However, an enterprise that is looking to implement effective content protection controls should consider the following:

IDENTIFYING CONTENT AT RISK

There are multiple areas where an enterprise might have numerous levels of unprotected information assets where they do not realize their legal importance. Typical digital information that is often at risk includes intellectual property such as source code, product plans, engineering drawings, product formulations and patent materials and database lists of customers and vendors. A good first step for chief security officers and security directors is to understand and document these various types of information assets and the current control procedures in place.  

CLASSIFICATION RULES

Content protection surveys will almost always result in a long list of information assets for which the enterprise could be at risk. Using risk management techniques, an enterprise should look at all of the identified data assets and decide which are the most vulnerable. These should then receive priority for content protection controls. Special scrutiny should be given to content stored in a document management or content management system since this is likely to be of high value. Since an enterprise will almost certainly not be able to establish content protection controls over all data assets, there should be a formal, documented record outlining why one set of content assets are at a higher, more immediate corrective action level than others.

CULTURE OF CONTENT COMPLIANCE

Content protection policies and procedures need to be clearly stated to all stakeholders – employees, vendors and others. This is similar to employee Code of Conduct rules where a rules violator cannot claim the “I didn’t know that was a rule” type of excuse in matters that were clearly addressed in the Code.

The rules as to what types of content are sensitive and how they can be copied or captured should be defined as clearly as possible. All stakeholders should be asked to acknowledge that they have read and understand these content protection rules and they agree to abide by them. With security providing some guidance, the CEO or CFO or other senior officers should voice their concerns both about content protection risks and vulnerabilities.

CONTENT PROTECTION TECHNOLOGY

Sensitive content leakage incidents can occur at many levels including accidentally posting of sensitive information on a public Web site or e-mailing sensitive information to a personal, Web mail account. Traditional security control procedures such as identity management and access control lists are necessary, but not sufficient. Several new and very promising automated tools are becoming available to monitor and control content risks and vulnerabilities. Analysts refer to these tools as content monitoring and filtering tools or as information leak prevention tools.

Typically, these tools register or “fingerprint” sensitive content stored in the file system or in content management repositories. Installed at an organization’s Internet gateway, they monitor all of the content flowing out of an organization and onto the Internet. If someone attempts to transmit sensitive information, through any content protocol, the tool will detect it and invoke a management-defined policy. Policy actions may include alerting, logging and actual blocking the attempted transmission.

While products vary in capabilities, there are several critical features to look for in an effective content protection solution:


Content Format Support – Ability to fingerprint and detect the large number of different file formats (pdf, xls, ppt, doc, etc.) used for content in the modern enterprise including engineering drawings, image files, rich media and industry-specific application formats.

Derivative Work Detection – Ability to accurately detect fragments of the original content that may be transmitted.

Language Independence – Ability to fingerprint and accurately detect content written in any language and character set (including non-Roman character sets such as Japanese.}

Content Repository Support – Ability to register content to be protected from all storage locations and repositories including file systems, document management systems and content management systems.

Defensible Audit Trail – Audit trail and reporting capabilities that meet robust auditing standards.

Flexible Policy Definition – Ability to easily define policies that meet the organization’s business needs.

Appliance Packaging – Software and hardware bundled together for ease of installation, optimum performance and lower total cost of ownership over the lifespan of the system.