II. Risk of Data Leakage Prevention in Universities

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
Implementation of DLP solutions encompasses a variety of complex IT areas such as data classification, risk assessment, compilation of policies, standards and procedures. If not designed and managed adequately, DLP solutions can result in a number of risks to universities. Many of these risks can directly impact universities' normal operations or expose them to even greater threats. Examples of these risks are listed below.
1. Excessive Reporting and False Positives
Similar to an improperly configured Intrusion Detection System (IDS), DLP solutions may generate significant number of false positives that overwhelm universities' IT security resources and obscure valid hits. Trying to monitor too much data volume or too many keywords / data patterns can easily exhaust limited resources.
2. Conflicts with Software or System Performance
DLP solutions, especially those Endpoint DLP products, can cause compatibility issues when conflicting with other systems and software. For example, some application software cannot run properly on encrypted hard drive. Applications errors or performance degradation are two common results of such conflicts. In worst case, the compatibility issues may cause the abnormal termination of other security controls and expose universities' information system to even great risks.
3. Improperly Configured Network DLP Module
When a Network DLP is not able to handle the amount of network traffic, due to insufficient consideration of traffic volume during the design stage or increased network traffic over time, some network packets may be missed or dropped, allowing certain data to pass uninspected. It may render Network DLP ineffective when unauthorised transmission of sensitive data to external parties is ignored.
4. Improperly Tuned Network DLP Module
Universities must pay particular attention to strike a balance between permitted and prohibited disclosure of sensitive data. Otherwise, inadequate tuned Network DLP solutions may cause disruption of universities' operation, waste of staff or students' time, damage to relationship with external parties such as contractors and general public. E.g. Blocking employees sending sensitive data to authorised external parties; disrupting normal e-mail services used by universities.
5. Changes in Processes or IT Infrastructure
DLP solutions are complex in nature and must be carefully configured or customised to cope with universities information system and network environment. If DLP is not maintained regularly and timely, any changes to the set of application software used, network architectures or the operational procedures may weaken the DLP effectiveness or introduce other problems like compatibility issues, and disruption of operation.
6. Improper Definition of DLP Needs
DLP solutions can only be effective based on accurate and comprehensive DLP policies. If universities failed to address all potential vectors for data leakage (e.g. identification of sensitive data and required protection level, determination of acceptable use of information resources, relevant regulatory and legal requirements), the DLP tools are either ineffective or has incomplete coverage of all data leakage risks the universities face.

7. Undetected Failure of DLP Modules
Like other application software or systems, DLP solutions rely on technologies implemented over software and hardware infrastructure. Failures of software or hardware often draw less attention from universities IT personnel. Program bug, power failure, environmental hazards may strike the infrastructures that support DLP functions. If the failures go unattended, universities will be completely exposed to data leakage risks.

8. Legal
When universities adopt DLP solutions that monitor the activities performed by their employees, students and contractors, one of the issues they encounter is whether deploying DLP will conflict with legal or employee agreements that protect privacy. Without establishing appropriate policies, disclaimers and agreements to address the necessity and purpose of data monitoring, legal proceedings may be launched against the universities.

Recent Incident
HSBC fined over US$5 million for data security failings
In July 2009, HSBC has received an almost £3.2 million fine from UK's Financial Services Authority (FSA) after three of its firms lost computer discs and posted unencrypted customer details. The UK's biggest bank was fined for the "careless" handling and loss of confidential details of tens of thousands of its customers. In a series of security failings, the bank sent large amounts of "unencrypted" data via post or courier to third parties.
HSBC has taken remedial action to address the problems that FSA identified, including stronger processes to ensure all confidential data that is electronically transmitted or stored and transported on CDs and laptops is encrypted, better training for staff and restricting the ability to download data to portable devices.