True, but technology can help prevent accidents, of which there are very many on a regular basis.
Furthermore, it makes enforcement of the policy that much more precise, because anyone who circumvents the technology has to do so deliberately. * * *ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of Technology for the SMB market… * On Fri, Jan 27, 2012 at 11:25 AM, James Rankin <[email protected]>wrote: > DLP taken to logical extremes is extremely difficult. How to stop people > using Print Screen, printers, forwarding emails, even camera phone shots? > There's rarely a technological solution that can account for all of the > above. AppSense can handle some of it, but short of draconian measures that > prisons would be proud of, employee training and good corporate policies > are really the only way to try and progress it. > > > On 27 January 2012 16:19, Kevin Lundy <[email protected]> wrote: > >> You could also look at something like the Ironport, which includes some >> very basic DLP capabilities. >> >> Broadly speaking, DLP is not a quick project. It could easily take a >> year to properly scope, evaluate, plan, test, and deploy. >> >> On Fri, Jan 27, 2012 at 11:01 AM, Kurt Buff <[email protected]> wrote: >> >>> For an email gateway to protect your Exchange infrastructure >>> (including antispam and antivirus), and which can be put in the DMZ, >>> there's an open source project called Maia Mailguard. Commercial >>> alternatives include Barracuda's offerings. >>> >>> On Fri, Jan 27, 2012 at 07:32, [email protected] <[email protected]> >>> wrote: >>> > I am figuring on putting somekind of smtp/owa forwarding device in the >>> dmz. Leave Exchange 2003 or even 2010 out of the DMZ but off my core >>> tellering (SQL server) LAN as well just to apease them. >>> > >>> > VPN is currently Cisco anyconnect. I am going to add some kind of >>> multi factor and ACL to the firewall for those that do get access. As well >>> the software or agent that verifies windows updates and virusscan patching >>> prior to authentication. >>> > >>> > Looking at DLP now. Currently all I do is look at outgoing emails. >>> So anything more will be better. >>> > >>> > >>> > >>> > -----Original Message----- >>> > From: Kurt Buff [mailto:[email protected]] >>> > Posted At: Friday, January 27, 2012 10:04 AM >>> > Posted To: [email protected] >>> > Conversation: DLP, SIEM, Network Access Control, VPN multi factor >>> authentication, Moving Exchange into a DMZ >>> > Subject: Re: DLP, SIEM, Network Access Control, VPN multi factor >>> authentication, Moving Exchange into a DMZ >>> > >>> > DLP is way more than just restricting access to removable devices. >>> > http://code.google.com/p/opendlp/ >>> > >>> > VPN access restrictions such as you mentioned are a good thing. There >>> are open source two factor auth solutions. >>> > >>> > Exchange doesn't go in a DMZ >>> > >>> > On Fri, Jan 27, 2012 at 06:46, [email protected] <[email protected]> >>> wrote: >>> >> >>> >> >>> >> Ok, so we have had a NCUA IT audit and some of the recommendations are >>> >> as >>> >> follows: >>> >> >>> >> >>> >> >>> >> Data Loss Prevention (DLP) >>> >> >>> >> The Credit Union should have the the ability to use USB storage >>> >> devices, DVD, and CD drives turned off unless required. With some for >>> >> of alerting if a user is trying to use those devices without >>> permission. >>> >> >>> >> >>> >> >>> >> Security Information and Event Management (SIEM) system >>> >> >>> >> The Credit Union should have a SIEM system in place to consolidate >>> >> logs from all devices and applications, encrypt those logs, have real >>> >> time alerting, and compliance reporting. >>> >> >>> >> >>> >> >>> >> VPN access >>> >> >>> >> The Credit Union should have Network Access Controls such as scanning >>> >> the connecting machine for correct configuration prior to allowing >>> >> access to the network, some kind of multi factor token or device, and >>> >> a more detailed access list on the VPN client area of the firewall. >>> >> >>> >> >>> >> >>> >> DMZ >>> >> >>> >> The Credit Union should move the Microsoft Exchange server into a DMZ >>> >> of the firewall or industry best practice for proxing email traffic >>> >> into and out of the DMZ to protect the Credit Union's internal network >>> >> if a breach occurs on the email system. >>> >> >>> >> >>> >> >>> >> With all of this being said, can you get me some vendor information >>> >> about about each of these areas. It can be freeware, it can be >>> >> appliances, it can be anything that is easily managable. >>> >> >>> >> And Management is looking for a quick turn around on this so >>> >> whitepapers and recommendations first. >>> >> >>> >> >>> >> >>> >> This is what I sent my software vendors. Did I ask the right >>> questions? >>> >> >>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
