Академический Документы
Профессиональный Документы
Культура Документы
CONTENTS
1. INTRODUCTION ........................................................................................................................................................................ 3
2. THE NEW INFORMATION SECURITY AGE ....................................................................................................................... 3
3. IS IT DATA, INFORMATION OR CONTENT? ..................................................................................................................... 4
4. THE ORIGINS OF CONTENT SECURITY ............................................................................................................................ 4
5. THE NEED FOR A SINGLE PERVASIVE SECURITY POLICY ........................................................................................ 5
6. THE RISK LANDSCAPE—TODAY AND TOMORROW ..................................................................................................... 6
7. TECHNOLOGY—THE PROBLEM AND THE SOLUTION................................................................................................. 8
8. CONCLUSION—PULLING IT ALL TOGETHER—DATA LOSS PREVENTION ......................................................... 12
REFERENCES................................................................................................................................................................................... 13
ABOUT THE SPONSORS ................................................................................................................................................................ 14
ABOUT QUOCIRCA ........................................................................................................................................................................ 15
5. The need for a single pervasive practice, which, in all too many cases, no one has got
around to formalising before.
security policy
All this said, breaches will occur, so as well as having
In February 2007 a well known UK financial a policy for data protection it is also necessary to have
institution, the Nationwide Building Society, had a a clear policy for what actions to take when the
laptop stolen from an employee‘s home. The incident inevitable happens:
led to a fine of £980K, which may seem excessive until
you look at the underlying judgement. This focussed Who is responsible for handling the breach?
more on poor practice around data security at Who needs to be informed and at what stage?
Nationwide and the delays in doing anything about the When to, and when not to, involve the police and
theft of the PC and the 11 million customer records regulators
stored on it. The theft was almost certainly Is it possible that personal data has been
opportunistic and there is no evidence that data was compromised?
ever compromised, but for Nationwide the damage was Have in place a process to inform potentially
done—the direct cost of the fine and the indirect cost compromised individuals and handle any
of reputational damage. subsequent publicity.
Had Nationwide had a coherent policy, both for data Informing outsiders needs to be timely but should not
handling and for managing a breach, it would have always be rushed as that can be unnecessarily costly,
been much more likely to be able to defend itself when as the Whittington Hospital Trust in the UK discovered
the regulators came knocking, perhaps demonstrating in July 2008. It had a suspected breach when a CD
that although a laptop has indeed be stolen, there was went missing containing details of 18,000 current and
no chance that data could be compromised, whatever former staff. £25,000 was spent writing to all
the intent of the thief. concerned; the missing CD was then found after a
wider search. There is only a certain amount of time
What that policy should be will vary from one
informing outsiders can be delayed, but that might be
organisation to the next; in the case of laptop PC
long enough to establish there has been no breach after
security any of the following policy points, if enforced,
all.
would have protected Nationwide:
A policy must have an owner and they need to be
Customer data must not be copied to laptops
responsible for keeping policy up to date. The policy
Laptops must not be taken out of the office needs to link two things together, the data itself and the
All data on laptops must be encrypted people that use it—people, content and policy.
How pragmatic these points are is not the issue, it is People
having a policy in place for data handling, making sure
employees are aware of it and, where reasonable, People are the users of content and it must be
enforcing it, that matters. understood who they are, where they are, what rights
they have and in what context they plan to use it. From
Fortunately the starting point for drafting policy is not the point of view of a specific business, these users of
a blank sheet; there are standards for good practice. content are not just employees but may include
The highest profile is ISO 27001 which lays out a contractors, customers, suppliers and partners. As
model for, in its own words, ―establishing, Quocirca‘s March 2008 report, The Distributed
implementing, operating, monitoring, reviewing, Business Index2 shows, nearly all businesses are
maintaining and improving an Information Security sharing data externally in some way (Figure 1).
Management System (ISMS)‖. In other words policy
management is cyclic and needs constant review.
The IT Governance Institute, which was founded in
1998, defines COBIT (Control Objectives for
Information and related Technology) and AICPA‘s
SAS 70 (American Institute of Certified Public
Accountants/Statement on Auditing Standards), lays
out how data centres should be run. In particular,
organisations that outsource should check for SAS 70
compliance in any hosted data centre service providers
they are considering using.
The documents outlining these standards are generally
dreary reads, so, while they provide guidance, they are
not consumable by the average IT user who needs
something clear and business orientated. The basis for
writing a policy should be common sense good For many organisations internal users will already be
listed in one of the widely used directory formats such
as Microsoft Active Directory or LDAP. The use of 8)—reported that 90% of employees who were warned
these directories may need extending to include in this way never made the same mistake or
external users. Any technology used to enforce policy misjudgement again.
must be able to interface with existing user directories;
Of course employees remain fallible and exerting
having more than one place for defining users at least
control over external users is not easy. To this end,
requires some sort of federated management, but is
where possible, policy should be enforced with
harder to manage and best avoided.
technology (see section 7 and 8) and, increasingly,
Content regulators will look to see that the appropriate steps
have been taken to do so.
Several attributes need to be understood about content;
where it is, what it contains and what value it has to There are three pressures for keeping policy up to date:
whom. Some content is meant to be shared and its
1. New business processes and practices must be
value increases the more it is used, for example,
tested against existing policy and if the policy does
marketing materials. Other data must be protected and
not stand up it must be modified (as ISO 27001
its value is decreased if shared, for example sales
labours to tell us).
forecasts and patent applications. Other content should
2. Policy should be regularly reviewed in the light of
not be shared without explicit permission and its
new technology and the way it is being used.
compromise can lead to penalties and fines. This is
3. Policy must be able to stand up to new legislation.
most commonly personal and financial information
(referred to in data protection law as personally In all cases the aim should be to have policy that is
identifiable information) and includes health records, robust enough that an organisation can be confident
credit card numbers and bank account details. changes can be accommodated without needing
wholesale change. A solid pervasive policy mitigates
Policy
risk and, to make sure it does that properly, needs a
Most businesses are drowning in a sea of information good understanding of the risk landscape and how that
and the people that need to use it often don‘t work for is likely to change.
or within the physical boundaries of the organisation
responsible for it. Nevertheless, it is essential to 6. The risk landscape—today and
understand the data and have clear policies about how tomorrow
different people can use it. Policy needs to be clear,
easily and regularly relayed to the users and kept up to Much of the press coverage about data breaches
date. The implementation of policy needs to be focuses on the dark practices of hackers, thieves and
transparent to any external auditors, who will want to fraudsters. Good IT security will of course attempt to
assess, when investigating a breach, if it was keep such people at bay, but the biggest, much more
unavoidable despite good policy. insidious, threat is closer to home; employees and
other individuals to whom businesses grant access to
However, policy is just the starting point. Policy points information.
like the following may make sense:
Whilst it is true that some employees set out to steal
Employees should not use memory sticks to content, most breaches involving employees can be
transfer data blamed on well intentioned insiders following poorly
Customer details must not be emailed to third defined practices (see Figure 2).
parties
However, on their own they are not enough, two other
things need to follow; user training and, where
possible, enforcement through technology.
Training needs to happen at a number of levels. The
value of training new employees is obvious, but most
organisations are less rigorous when it comes to update
training for existing employees—with the rate of
change of both communications technology and data
protection law, repeat training needs to happen and its
delivery to users audited.
Making sure policy is clear, understandable and
accessible is essential and constant reminders are
needed. One way to do this is through real-time
notification of risk. Here employees are warned when In other words the vast majority of breaches could be
they are about to do something risky or inappropriate. avoided by simply encouraging and, where possible,
One vendor says than an insurance company—which enforcing better practice. HMRC and Nationwide are
deployed a data loss prevention product (see section both examples.
Having said that, an insider with malicious intent will resolved under differently laws entirely—remember
definitely cause problems and the starting place to that Switzerland is not part of the EU.
avoid that needs to be due diligence during the
Business processes, patents, formulas and manuscripts
recruitment process. It is also necessary to de-
all need to be shared at one level and protected at
provision users as soon as their need for access comes
another. If the publisher, Bloomsbury, leaked an early
to an end for whatever reason.
draft of a Harry Potter novel, the author would not be
Good content security may mean the malicious happy; if a patent office leaked a new drugs formula
activities of employees can be pre-empted. For the pharmaceutical company concerned would
example, in October 2005 Gary Min, a research probably sue. Such data needs to be protected and the
chemist at DuPont, downloaded 22,000 sensitive consequences of not doing so are uncertain but likely
documents before leaving to join a competitor. He was to be expensive and embarrassing.
later convicted of stealing secrets worth $400M.
PA Consulting found this out in Sept 2008 when it lost
Content security technology would have highlighted
a contract with the UK‘s Home Office after mislaying
such anomalous behaviour at an earlier stage.
a memory stick with the details of thousands of
Regulators get excited about the leakage of personal prisoners on it.
information; when they do so in Europe the main piece
Whether it is a clear breach of data protection, personal
of legislation they have at their disposal is the
privacy or a failure to protect another organisation‘s
European Human Rights Act that protects an
data, which may represent a breach of a contract or a
individual‘s rights to privacy. In addition, national data
non-disclosure agreement, the rights and wrongs of a
protection acts demand that good care is taken of data,
case may be decided before a judge. Here the decision
and they too are focussed primarily on data about
will be based upon whether appropriate measures were
individuals.
taken to protect data. In the Nationwide case clearly
There are all sort of others laws and regulations that
can be brought to bear when content is poorly handled
and, given that the communications network we use to Rules and regulations
share data is global, an organisation can find itself National data protection laws: these vary, but are
tangled in laws from almost anywhere (see box). generally focussed on the good handling of personal
Industry bodies take more interest in non-personal data data. In Europe most data protection laws do not
than data protection legislators—so, it is not just currently demand disclosure of data breaches, in the
people, information itself can represent a risk. US they do. The weaker European laws mean there is
likely to be under-reporting of leaks—expect this to
A good example is recent changes made by the change soon (see next point).
governing body for Formula 1 racing, the FIA. It
oversees a small incestuous industry where mechanics EU laws: European Human Rights law is the main
and engineers regularly move between teams from one driver for disclosure in Europe when a breach involves
season to the next. Success in Formula 1 is down to personally identifiable information. The EU Parliament
finely tuned engines and the aerodynamic design of recently voted in favour of mandatory breach
cars as much as the skills of the driver and the speed of notification for the e-communications sector.
the pit-stop team. US laws: given the importance of the US as a market
In the past it has been common practice for data to be and the fact that many of the global companies we all
taken by employees when moving from one team to deal with are quoted on the US stock exchanges and
another. Governments have no interest in this, but the regulated by the US Security and Exchange
FIA knows that such theft damages competiveness. Commission (SEC), US laws and regulations such as
Recent FIA regulations now deem that any team found Sarbanes Oxley and HIPAA can apply to certain
using another team‘s data faces penalties, including activities of European companies.
disqualification—an unacceptable cost. Only by Industry regulations: rules for specific industries
understanding the content on its systems and the abound, such as MiFID for the European finance
movement of data in and out can any given Formula 1 sector, HIPAA for US health, the FSA for banks in the
team be sure that it is not in breach. UK.
It is also worth saying at this point that if an Miscellaneous: software licences and non-disclosure
organisation makes use of a hosted data centre or agreements can fly around an organisation and are
software services it should be aware of the legal often never looked at—until something goes wrong. A
regime under which the service operates. For example, content security technology can identify these and
Google uses local jurisdiction for its Google Apps control their use (see section 7).
whereas salesforce.com operates under Swiss law for
European customers. In the latter case there is still a For more information see forthcoming book from
need to heed local data protection laws, but if the FFW on legal aspects of data protection and data
provider screws up then any legal dispute may be privacy3
this was not so, but other cases are more problematic, orders to the supplier‖, will make it easy for any
such as a series of data centre heists reported in 2006 investigators to prove poor practice.
and 2007. Such thefts obviously lead to data being
Policy must make it clear how data breaches should be
compromised but how far can you go to protect data?
reported and to whom. If the post-breach reporting
Most attempts by outsiders to steal data are more procedure is clearly laid out, legal privilege can mean
sophisticated than driving a bulldozer into a data that such post-breach communications remain private;
centre. Hackers can find their way into systems and if not, the disclosure of these communications may be
steal information; this may go undetected for a period required by a court.
of time, as was the theft from the retailer TJX of 45.7
This risk landscape is vast and changing, but a well
million sets of credit card details stolen over an 18
thought through central policy for content security can
month period that was exposed in 2006.
mitigate most risk or can demonstrate that a risk was
Consumers might be duped into giving away their necessary for the business to function.
personal details by fraudsters using phishing emails or
However, whatever points are enshrined in policy, just
other forms of social engineering. Such attacks are
having them is not enough. Whilst technology, or at
widespread and increasing, as data from MarkMonitor
least the way people use and abuse it, is a big part of
shows (Figure 3). Educating all users is a key part of
the problem, when it comes to enforcing policy it also
preventing such losses.
part of the solution.
One example is engineers testing new code. Wherever periodically connected. Furthermore, data can be
possible they should use anonymised test data rather created on the fly by users over which policy enforcers
than the real thing. Credit card companies will provide may have little immediate control. This has led to a
such data on request. If there is no alternative to using whole new area of IT security to be developed over the
real data then it needs to be done in a specially secured last few years, known as mobile end point security.
test environment with strict monitoring of the
The aim of end point security is firstly to control what
engineers involved.
can and can‘t be done on a mobile device, even when it
However, for those who are granted access, data stored is offline:
on fixed devices is only ever a mouse click away from
being data in use and on the move. At this point, policy Only allow certain white listed applications to run
needs to be applied depending on the nature of the data Monitor, and in some cases restrict, the use of
and the action or activity the user is planning to USB devices
perform and where it is headed. For instance it might Secondly, to check the end point‘s integrity when it
be accepted policy for someone in human resources to comes back on line:
email encrypted details of employee healthcare plans
to the company‘s health insurance provider for review, Is anti-virus software up to date?
but not to copy them to an open file share or What new content has been created?
unencrypted to a memory stick. Has there been a recent backup?
Assessing every document and database record The main way data on such devices is compromised is
individually and giving it a security classification is when these devices are lost or stolen. When such
impractical, so it helps to define broad classes of losses inevitably occur the actions to be taken need to
content and decide how they should be treated. These be clearly defined in the content security policy (see
should include: box). Legal defence will be much easier if the
management policy for end points is clear and can be
Public content which an organisation is happy to demonstrated to have been enforced.
have in the public domain. Although it should be
noted that some data, whilst OK to be public in its
basic format, may become confidential by
association with other data. For example a list of Ten tips for securing mobile end points
employees may be public information as might the 1. If there is any chance they are likely to be used to
rules a business has regarding employee carry or download sensitive data, encrypt them
behaviour, but details of an employee breaching a
2. Ensure anti-malware is installed and up to date
given rule would be confidential.
Sensitive corporate data: financials, product plans, 3. Enforce use of passwords and/or PINs for access
merger and acquisition documents etc. Losing 4. Restrict internet access to a proxy so that policy
such data is embarrassing and may be costly in can be enforced regardless of point of access
terms of lost competitive advantage, but the data
5. Use network access technology to ensure mobile
protection regulator won‘t care much, unless the
end points are safe to come back on to the
loss involves personal data about employees
corporate network
Intellectual property (IP): computer source code,
formulas, design documents. Such data may not be 6. Monitor and sometimes restrict use of USB
a given organisation‘s property to lose in the first devices. For example it may be OK to copy
place, as it often involves information shared by a marketing materials to memory sticks, but
partners or suppliers. Again, data protection laws allowing employees to spend all day updating
do not worry too much about this type of data, but iPods may be unproductive
industry regulators do (see the Formula 1 case in 7. Ensure end points are backed up regularly
section 6). Leakage of IP data may lead to
8. Pre-invest in technology that allows disks and
breaches of licence and non-disclosure
memory to be wiped remotely
agreements.
Personally identifiable information: most customer 9. Link to physical security and restrict access to
data will fall into this category; account numbers, certain applications for when an employee is on
contact details and health records are all covered the premises
by data protection law and leakage is considered 10. Make sure good practice in the use of mobile
serious. Data about employees should be regarded devices and how to handle their loss is clearly
in the same way. laid out in an organisation‘s content protection
Data stored on mobile devices policy
For example, the UK Data Commissioner withdrew an Monitoring and protecting a business from all this may
enforcement notice against the retailer Marks and sound daunting, but web security products allow the
Spencer for a laptop it lost with the unencrypted details HTTP channel to be locked down, its activity
of 26,000 employees on it April 2006. The retailer controlled and limited and all content to be censored
demonstrated that its current policies now meant all regardless of where it is travelling to or from. If it is
laptops were encrypted and such a breach could not not, users will find a backdoor access (see Figure 6,
occur again and that the original breach occurred from Superhighway at the Crossroads5).
before the commissioner provided its guidance on
laptop encryption.
Data in transmission over a network
Whether it is existing data that someone has decided to
do something with, such as a spreadsheet or a
presentation or a new piece of content created on the
fly, such as an email, instant message or blog entry, the
main worry about data in transmission is user error or
stupidity. There are a range of channels that needs to
be protected including corporate email (SMTP), file
transfer (FTP) and the web (HTTP).
The web, in particular, through HTTP, has opened up
no end of new possibilities for data loss; webmail,
instant messaging, blogs, wikis, social networks, an
almost endless list that keeps growing. The majority of There is also a wild frontier to worry about; users on
businesses now recognise the use of Web 2.0 mobile devices using the internet. If they send email
technologies, but few are currently controlling them via the corporate system, this can be monitored as it
(see Figures 4 and 5; from Why Application Security is passes through the email server. The web is different;
Crucial4). using a private broadband connection, any device can
be attached to the internet and any content on the
device, or created on the fly, can be transmitted with
abandon.
Fortunately, web security software can now force such
internet access via proxies. So wherever the user
happens to connect to the internet they are still subject
to centralised polices; free to work, but just like their
desk bound colleagues protected from their own errors
and stupidity. In addition, certain DLP (see section 8)
products extend to monitoring off-network events on
end points such as use of instant messaging or the
printing of documents.
How this is done will depend on the form-factor being
used for data security (see box on next page). If this is
an in-the-cloud service then the users can be routed
direct to that. If it is based on an appliance or software
installation back in the controlling organisation‘s data
centre then the user will need to be forced back there
using a VPN tunnel before being let back out, under
control, on to the internet.
Form factors for content filtering Good IT security should make a hacker‘s job hard but,
Software: the traditional way, install it where you like as anyone who has read the story of Gary McKinnon—
on the same hardware as your email server or a special the UK hacker who looks likely to be deported to the
gateway server bought from your favoured hardware USA in 2008 for hacking in to military and NASA
vendor (market share decreasing) servers—knows, the doors are often left wide open. In
the case of McKinnon he relied on system passwords
Appliances: self-contained hardware, configured for that were obvious or unchanged from the defaults. It
the task and delivering high performance, usually at should go without saying that implementing a secure
the network edge, scalability only through buying user ID and access control system should be part of
more appliances or replacing with bigger ones (market any rigorous IT security regime. How can you
share stable) implement policy about content if you do not know
Virtual appliances: combines the benefits of software who the people are?
and traditional appliances; security software, isolated McKinnon claims his intentions were benign (looking
from the operating system by virtual hypervisor, can for evidence of UFO sightings), but others are not. US
be installable on hardware of your choice, therefore stockbroker TD Ameritrade found this out when, in
more scalable (market share growing fast) October 2007, it admitted that someone had installed
Managed services: security in the cloud; the big unauthorised code on its systems to provide backdoor
advantage here is it keeps the nasty stuff at a distance access to credit card information, possibly dating back
and makes it easy to apply policy to mobile users— a number of years. This was probably down to an
scalability is unlimited depending on supplier, some external hacker, but could easily be set up by an
latency compared to appliances, which matter most to employee before leaving the company.
internal web users (market share growing fast) A note on encryption
It may seem strange to leave a discussion on
encryption to near the end of a report on content
Printed materials security. After all is not encryption the silver bullet for
data protection? Anything encrypted cannot be read
If a document is printed, then obviously this is another without a key and is therefore useless if stolen. These
way data can get into the wrong hands. Certain is all true, but remember back to the start of this report;
documents should only be sent to printers in secure at the end of the day good content security should be
areas, some documents should never be printed at all. about enabling the sharing of information not
Technology also allows users to reconfirm when they preventing it.
want to print something: ―are you aware you are about
to print payroll info on a printer in the open office?‖; That is not to say encryption does not have a big part
―do you really want to print this 200 page document?‖. to play, it does. Good policy may dictate that all stored
content should be encrypted, although the business
The latter example is more about saving resources than may wince at the cost of managing this. Maybe it is
security and to that end a good recycling and shredding just mobile end points that should be encrypted and
regime for paper should also be in place. From a regulators look like trying to demand this. However,
content security perspective this is not just about remember it is not just about the content; it is also
saving the environment but about ensuring confidential about the users. Users need to be able to decrypt
printed material is not available to any fraudsters content to use it and, once they have done that, without
sifting through the corporate waste. content security controls, they can do what they like.
Where there’s a will there’s a way Furthermore, an additional cost of encryption is the
Of course if someone really wants to steal something management of keys, making sure those who need
they will. Hardest to control is what people carry in them have them, inside or outside of the organisation,
their head, but unless a business employs an army of and making sure they do not get lost. One sure way to
savants with photographic memories the capacity of lose data, albeit with no danger of being compromised,
the human brain to do this is limited. is for it to be encrypted for ever with no key to unlock
it.
In highly secure environments it may be necessary to
search individuals as they enter and leave premises: Encryption needs to be used in the right place at the
some highly secure data centres weigh people in and right time and this should be laid down in the policies
out. Physical security and people‘s context relative to it for data handling and enforced through the policy
can also be linked to content security, for example only engine—so-called policy based encryption.
allowing the financial application to run on an
accountant‘s laptop when they are known to be on the
premises and not in a public place, or perhaps only
during certain working hours.
DLP technology can operate at surprising levels of The basis for IT security at Barclays is the ISO 27001/2
granularity, for example identifying paragraphs that are standard and the COBIT maturity model, which is the
part of sensitive internal documents, or preventing an basis for the policy on content security communicated
employee from posting sections of a disciplinary internally and externally.
hearing on a blog. Much filtering can be done at the Data loss prevention (DLP) is a key focus area for
file level and here it helps if the movement of whole Barclays and marks a move away from a focus on
documents can be white or black listed based on the network security.
content:
DLP technology means Barclays knows what data it has,
This is the current PDF of a marketing brochure its sensitivity, where it is located, who has access rights
and it is OK to send out in its entirety for the and what they are doing with it.
foreseeable future
This is the internal price list and should never be For more information see CIO Digest, October 2008 6
sent outside of the company
References
1
Managing 21st Century Networks – Quocirca, January 2007
http://www.quocirca.com/pages/analysis/reports/view/store250/item3609/?link_683=3609
2
The Distributed Business Index – Quocirca, March 2008
http://www.quocirca.com/pages/analysis/reports/view/store250/item20918/?link_683=20918
3
Quocirca recommends the forthcoming book from Stewart Room of Field Fisher Waterhouse LLP based on its
seminar series reviewing legal aspects of data protection and data privacy. For more information go to:
http://www.ffw.com/publications/all.aspx?Person=1282
4
Why Application Security is Crucial – Quocirca, March 2008
http://www.quocirca.com/pages/analysis/reports/view/store250/item21107/?link_683=21107
5
Superhighway at the Crossroads – Quocirca, September 2008
http://www.quocirca.com/pages/analysis/reports/view/store250/item21547/?link_683=21547
6
CIO Digest, October 2008 – copy available at
www.symantec.com/ciodigest
AEP Networks offers secure, optimised, end-to-end multi-bearer communication solutions that are assured to CAPS, DIPCOG,
CCTM and FIPS standards. AEP‘s integrated portfolio of products includes identity-based network and resource access control, SSL
VPNs, high assurance IPSec-based VPN encryptors, hardware security modules for key management and a range of products and
communication solutions that connect remote locations with centrally-based core services. AEP Networks support a wide range of
communications protocols, capable of integrating into a multitude of fixed and mobile network topologies and physical interfaces,
enabling access to core voice and data services from the most extreme remote locations, where conventional communications may
not be available, or where it is uneconomical to supply fixed telecom infrastructures.
Contact: Peter van de Geest, AEP Networks, Tel +44 1344 637 300, peter.vandegeest@aepnetworks.com
Clearswift helps organizations of all sizes conduct business safely over the Internet.
Our policy-based content filtering and security solutions block bad content such as spam, viruses, malware, spyware and
pornography; protect sensitive information by preventing leaks; and prevent time-wasting and abuse by controlling inappropriate use
of the Web and social media while eliminating exposure to offensive content.
Clearswift customers use the Internet with confidence.
Contact: Isabelle Duarte, Clearswift, Tel +44 118 903 8903, isabelle.duarte@clearswift.com
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations
secure and manage their information-driven world. Our software and services protect against more risks at more points, more
completely and efficiently, enabling confidence wherever information is used or stored. More information is available at
www.symantec.com.
Contact: Symantec, DLPinfo@symantec.com
Trend Micro is a global leader with over two decades of expertise in endpoint, messaging and Web security.
Websense, Inc. (NASDAQ: WBSN) is the global leader in integrated Web, data and email security, providing Essential Information
Protection for more than 42 million employees at more than 50,000 organizations worldwide. Headquartered in San Diego,
California, Websense distributes its solutions through a global network of channel partners. Websense software and hosted security
solutions help organizations block malicious code, prevent the loss of confidential information, and enforce Internet use and security
policies.
Dave Meizlik, Websense, dmeizlik@websense.com, blog: http://ondlp.com
Content security for the next decade Page 15
About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and
communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and
influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with firsthand
experience of ITC delivery who continuously research and track the industry in the following key areas:
Business process evolution and enablement
Enterprise solutions and integration
Business intelligence and reporting
Communications, collaboration and mobility
Infrastructure and IT systems management
Systems security and end-point management
Utility computing and delivery of IT as a service
IT delivery channels and practices
IT investment activity, behaviour and planning
Public sector technology adoption and issues
Integrated print management
Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption—the personal and political aspects of
an organisation‘s environment and the pressures of the need for demonstrable business value in any implementation. This capability
to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology
adoption, not the promises.
Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to
transform businesses and the processes that drive them, but often fails to do so. Quocirca‘s mission is to help organisations improve
their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the
correct time.
Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and
services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends,
providing invaluable information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for
business. Quocirca‘s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with
other large and medium sized vendors, service providers and more specialist firms.
Sponsorship of specific studies by such organisations allows much of Quocirca‘s research to be placed into the public domain at no
cost. Quocirca‘s reach is great—through a network of media partners, Quocirca publishes its research to a possible audience
measured in the millions.
Quocirca‘s independent culture and the real-world experience of Quocirca‘s analysts ensure that our research and analysis is always
objective, accurate, actionable and challenging.
Quocirca reports are freely available to everyone and may be requested via www.quocirca.com.
Contact:
Quocirca Ltd
Mountbatten House
Fairacres
Windsor
Berkshire
SL4 4LE
United Kingdom
Tel +44 1753 754 838