
Dlp Methodology


Fishnet Security's Methodology as it relates to our Data Security Practice


About FishNet Security

We Focus on the Threat so You can Focus on the Opportunity.

Committed to security excellence, FishNet Security is the #1 provider of information security solutions that combine technology, services, support, and training. FishNet Security solutions have enabled 3,000 clients to better manage risk, meet compliance requirements, and reduce cost while maximizing security effectiveness and operational efficiency. For more information on FishNet Security, Inc., visit www.fishnetsecurity.com.

Securely Enabling Business

Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406 © 2009 FishNet Security. All rights reserved.

ID# 10SS0001

Methodology Overview - Data Leakage Protection

Methodology Background

FishNet Security’s Data Leakage Protection Methodology was driven by a need to bridge the gap between business and security procedures and the DLP technologies that are available today. Customers consistently purchase DLP solutions without properly preparing to implement them. The purpose of this offering is to provide customers with a vendor neutral approach aimed at helping them prepare for a DLP implementation. Companies that properly develop and understand their DLP projects gain implementation efficiencies and get more effective use out of the data yielded by the DLP solution.

DLP Methodology

FishNet Security performs DLP assessments utilizing a four (4) phased methodology. The methodology was developed utilizing industry regarded security best practices, past experience, and by observing the needs of FishNet Security’s customer base.

Optional Services

Customers may require help in narrowing or selecting a DLP solution. Through analysis of the DLP assessment results, the customer’s current IT environment, and the goals of the implementation, FishNet Security can help customers reduce (or possibly eliminate) the effort needed to evaluate various DLP solutions. In addition, FishNet Security can help obtain, install, and test similar DLP products to verify which product is more effective within a company’s environment.

Identify Data Management and Security Policies and Procedures

FishNet Security will obtain any policies or procedures that are used to drive data security, including data classification policies, compliance related documentation, encryption standards, and incident response procedures. Through interviews with policy owners and enforcers, FishNet Security will gain an understanding of how requirements are communicated, enforced, and audited. This information will be used as a baseline in the following phases to help identify if data control gaps exist and to help define and build DLP rules.

Identify Data Types

To properly prepare for a DLP implementation, companies need to first determine which data is in scope, where the data resides, and how it migrates throughout their environment. Through a series of interviews, FishNet Security will identify and document all critical or in scope business processes and supporting IT systems (servers, applications, databases, storage farms, etc.).

DLP Rules Creation

FishNet Security will correlate the results from the previous phase to determine which data types need to be monitored and how. Consultants will give consideration to the data’s egress and ingress points, classification level, and the makeup (structured and unstructured). In addition, FishNet Security can work with customers to ensure proper access controls are in place for data at rest (this is an optional phase); this includes encryption controls and ACL configurations at the application, operating system, and database levels.

Report Creation

Upon completion of all assessment phases, FishNet Security will prepare a formal report that will help the customer drive and properly implement their DLP solution. The report will provide an overview of the various types of data and how data should be monitored, technical DLP deployment considerations, and how to bake DLP into the existing security program.