
Symantec White Paper - Practitioner Insights and Good Practices …vox.veritas.com/legacyfs/online/veritasdata/21230240... · 2016-07-04 · Who should read this paper ... Risk assessment


Use-Case Example - EU Data Protection and E-Privacy Requirements

Practitioner Insights and Good Practices of IT Risk Management

Who should read this paper

The information in this whitepaper is relevant to Chief Information Officer, Chief Information Security Officer, Audit Practitioner, IT Director, IT Security Practitioner, Risk Officer

WHITE PAPER: PRACTITIONER INSIGHTS AND GOOD PRACTICES OF IT RISK MANAGEMENT


Content

Executive Overview . . . 1
Information-Centric IT . . . 1
Key Strategies for Simple and Secure Access to Information . . . 2
Reduce the Risk of Data Breaches and Data Loss . . . 3
Guidance for Practical Implementation of Risk Management . . . 3
Use-Case: Good Practices and Solution Mapping to Meet EU Data Protection and E-Privacy Principles . . . 8
Appendix A - ISO 27001/27002 Implementation Best Practices, Benefits and Control Clauses . . . 10
Appendix B - Best Practices Map to IT Projects and Symantec Enterprise Solutions . . . 12

Practitioner Insights and Good Practices of IT Risk Management - Use-Case Example - EU Data Protection and E-Privacy Requirements

Executive Overview

Risk assessment and risk management are core components of any information security management standard and framework like ISO/IEC 27001:2005[1], PCI-DSS[2] or CobiT®[3]. Developing a complete IT risk management strategy helps organisations to recognize the significance of IT risk, and gives a basis for developing awareness of IT risks and for the analysis of business risk impact. A proper risk assessment and risk management methodology helps organisations to build a solid "community of purpose" that breaks down silos and establishes proper communication between the IT organisation and the strategic business, by acquiring and sharing usable information in a common language. In other words, it helps to consistently report and communicate the business impact - value and risk - of using IT[4]. For IT governance, risk, and compliance decision-makers, increased visibility within the organisation means better preparation to talk about IT risks within the context of financial, operational, regulatory, and reputational impact[5].

Information security management standards and frameworks suggest good practices for risk management, or refer to complementary risk management standards and frameworks like ISO 27005, ISO 31000, or Risk IT. However, they do not provide clear guidance on the practical implementation of these, nor do they suggest any priority for their achievement.

This whitepaper outlines key strategies for simple and secure access to information - within the context of an information-centric IT function. It also shows how to reduce the risk of data breaches and data loss. Finally, it gives clear guidance for the practical implementation of risk management using ISO 27002- and ITIL®[6]-based good practices, by looking into the use-case of mapping solutions to meet EU data protection and e-privacy requirements and principles.

Information-Centric IT

The IT function has traditionally focused on systems and physical infrastructure. In a system-centric world, data has been highly centralised and used for backward-looking historical reporting.

Going forward, the IT function is evolving to provide even greater business value by focusing on information. Data is increasingly distributed to a wide range of endpoints and devices – decentralised, so to speak. Also, data is easily accessible to users throughout an organisation. Last but not least, data is used for predictive analytics, not just to analyze the past.


Information - which consists of processed, organized, structured or presented data in a given context so as to make it useful - provides organisations and individuals greater productivity, agility and collaboration. On the flip side, moving to a more information-centric world requires determining what data assets are critical. It also requires determining how data is captured, catalogued, analyzed, stored, retained, and purged. Structured information - in contrast to unstructured data - requires very different priorities and skills than just managing the physical infrastructure in a system-centric manner.

With the transformation of system-centric IT to information-centric IT, information security management system standards like ISO 27001 become more important than ever, and more complex than ever, not just due to the transition to internet-wide collaboration, social networking, cloud computing and data volume explosions, but also due to more and stronger data protection and e-privacy requirements of internal and external mandates and legislations.

1 - See International Standards Organization (ISO): www.iso.org
2 - See Payment Card Industry (PCI) Security Standards Council: www.pcisecuritystandards.org
3 - See Information Systems Audit and Control Association (ISACA): www.isaca.org
4 - For further information about best performers' data-driven reporting and communication techniques, and what to do to make IT integral to the business of an organisation, see the IT Policy Compliance Group research paper "Data Driven Reporting and Communications about IT" – February 2012 - www.itpolicycompliance.com/research-reports/data-driven-reporting-and-communications-about-it/
5 - See whitepaper by Forrester: www.symantec.com/content/en/us/enterprise/white_papers/b-strengthening_ties_between_it_security_and_the_business_WP.en-us.pdf
6 - See official ITIL website: www.itil-officialsite.com


Key Strategies for Simple and Secure Access to Information

Information access is becoming mobile and device-agnostic. This results in new risk implications.

First, everything revolves around people and information. Devices like desktops, laptops, tablets or smartphones are irrelevant. The most popular devices today won't likely have the same popularity three years from now. The applications don't matter that much either, because it is not important whether an organisation uses an on-premise mail server today and a cloud-based email service tomorrow. It is just about getting the information from one place to another. What matters is the people and the intellectual property, the formula for a new chemical compound for example, or credit card details. It is about the data, and the information.

Secondly, personal and business lives are coming together. People post private- and business-related news from the same social network accounts. In recent surveys many people admitted that they check their email within 30 minutes of getting up in the morning. Personal lives and business lives have crossed over.

Third, there is the need for simple and secure access to information from anywhere: at home, at work, in the park, on the ski slopes, and so on.

Lastly, organisations have to be more scalable and more cost effective. CIOs often say their budgets don't get bigger and they have to get more done. They are always trying (and being pushed by the strategic business organisation) to become more cost effective, more scalable, and more efficient.

These implications are driving the transformation towards an information-centric IT function, and are having a profound impact on both individuals and organisations. Strategic technology trends like cloud computing, virtualisation and mobility help to simplify information access, and organisations are already aware of the associated benefits. However, due to the information explosion and significant growth of the threat landscape, information security and data governance remain a strong concern. Organisations want highly available information, but also have to ensure that data is secure, and processed in compliance with mandates and legislations.

To provide the right balance of information confidentiality, availability, and integrity, organisations should adopt at least 5 key strategies to cover the implications outlined above. These 5 key strategies are identity security, device security, information protection, context and relevance (getting the right information to the right person at the right time), and public/private cloud computing. These are the key areas that provide organisations with simple and secure access to information, assuring that their information is properly managed and secure from anywhere.


Reduce the Risk of Data Breaches and Data Loss

The transposition of mandatory security breach notification requirements (i.e. EU Directive 2009/136/EC, which amends the E-Privacy Directive 2002/58/EC) into certain country legislations[7] drives the security investments of organisations to implement stronger security standards that protect personal information, and prevent data breaches and data loss.

In order to prevent data breaches and data loss, it is essential to understand why they occur. Third-party research into the root causes of data breaches, including data from the Open Security Foundation[8], reveals three main types:

• Well-meaning insiders, e.g. data exposed on servers and desktops, a lost or stolen laptop, email, web mail, removable devices, third-party data loss incidents caused by contractors or outsourcing partners, or the spread of sensitive data from automated business processes.

• Targeted attacks, e.g. caused by improper credentials from factory default settings, SQL injection attacks on websites, or targeted malware such as rootkits and hidden remote access tools.

• Malicious insiders, e.g. employees who knowingly steal data as part of an identity theft ring, terminated or disgruntled former employees, people who store company data on a home system in order to build a library of work samples for future career opportunities, or just traditional industrial espionage.

In many cases, breaches are caused by a combination of these factors. For example, targeted attacks are often enabled inadvertently by well-meaning insiders who fail to comply with security policies, which can lead to a breach.

Successful prevention and protection strategies[9] are both risk-based and content-aware. Preventing data breaches is all about risk reduction. To reduce risk, organisations must know where the data is stored, where it is going, and how it is used. Organisations should select solutions based on an operational security model that is risk-based, content-aware, responsive to threats in real time, and workflow-driven to automate data security processes. This helps to monitor systems and protect information from both internal and external threats across every tier of the IT infrastructure.

Guidance for Practical Implementation of Risk Management

The following compilation of ISO 27002- and ITIL®-based good practices provides clear guidance on practical implementation for organisations seeking to improve their risk management effectiveness.

It involves both information security and operational efficiency. Each of these may be considered as constituting different aspects of the IT risks faced by an organisation. Operational efficiency addresses the risk that an organisation's IT systems may fail to achieve the availability, performance, and agility needed to meet business challenges. Information security, on the other hand, addresses the risk that an organisation's IT systems may fail to protect it from regulatory and IT failure, and from the loss of information confidentiality, integrity, and availability.

In either case, risks can be addressed through the same set of generic solutions. To achieve the management of both operational efficiency and information security risks, the following 18 generic solutions have been identified. These are grouped into the four categories Strategy, Service Support, Service Delivery, and Security.

7 - European Network and Information Security Agency (ENISA) reviewed the current situation of data breach notification in the EU - www.enisa.europa.eu/act/it/library/deliverables/dbn
8 - http://datalossdb.org
9 - http://www.symantec.com/business/solutions/projects/projectdetail.jsp?solid=sol_info_risk_comp&solfid=sol_data_loss_prevention&projectid=data_breach_prevention


STRATEGY

IT and Security Policy, Strategic Management and Architecture
• Strategic alignment of IT to business objectives
• IT compliance with governance, legal and regulatory requirements
• Optimal use of IT KPIs such as Balanced Score Cards, SLAs, policies, standards and procedures to meet changing business needs and effectively manage information risk

Organizational Structure, Roles and Responsibility
• Assignment of appropriate responsibilities and accountability for IT service delivery, service support and risk management
• Allocation of resources necessary to meet requirements for these items
• Effective management of these items

Governance, Compliance and Continuous Improvement
• Continuous, secure improvement in IT strategy
• Effective use of IT KPIs such as Balanced Score Cards, SLAs, policies, standards and procedures
• Efficient monitoring of these items
• Effective maintenance and auditing of monitoring records
• Appropriate, timely action taken as a result of audits

Data Lifecycle Management
• Strategic management of data creation, processing, storage, transmission and destruction
• Information access and storage appropriate to business needs
• Information access and storage compliant with governance, legal and regulatory requirements

Strategic solutions, which address compliance risk, cover the following major functions:
• Alignment to business objectives and compliance with governance, legal and regulatory requirements
• Optimizing Key Performance Indicators (KPIs), Service Level Agreements (SLAs), policies, standards and procedures
• Management communication, monitoring, auditing and ongoing improvement
• Management and compliance for data and information access and storage


SERVICE SUPPORT

Asset Inventory, Classification and Management
• Creation and maintenance of a dynamic inventory of all significant IT assets
• Classification of assets by ability to support critical business tasks
• Management of assets to support and enhance business functionality, meet governance and legal and regulatory requirements and minimise risk impact

Physical and Environmental Management
• Management of physical environment to minimise compromise of information confidentiality, integrity and availability
• Physical efficiency and effectiveness of IT systems
• Compliance with appropriate health and safety and environmental regulation and legislation

Configuration, Change and Release Management
• Full description of IT systems configuration using a logical data model
• Controlled and secure changes to IT systems
• Changes support overall business strategy
• Changes conform with SLAs

Incident, Response and Problem Management
• Effective IT incident response and problem management processes
• Effective escalation procedures
• Effective management of incident impact
• Effective management of day-to-day problems and issues
• Continuous improvement in incident management and problem handling

Service Support solutions, which address performance risk, cover the following major functions:
• Assets understood and managed to support critical business tasks, enhance business functionality and minimize risk impact
• Physical environment managed to ensure physical efficiency and effectiveness of IT systems
• IT systems optimally configured and changed to support business strategy and to conform with Service Level Agreements (SLAs)
• Response to problems and incidents effective and efficient
• Continuous improvement in incident management and problem handling


SERVICE DELIVERY

Service-Level Management
• Ability to define appropriate, business-aligned SLAs, and to measure IT performance against defined SLAs
• Maintenance and improvement of IT service quality, security, availability, performance and capacity
• Alignment of IT to overall business

Application Design, Development and Testing
• Good practice in choosing new applications
• Good standards, processes and procedures for testing new applications
• Usability, functionality and security of new applications
• Secure and controlled transfer of new applications from development to production environments

Operational Design, Workflows and Automation
• Effective design and integration of application and infrastructure management
• Appropriate deployment of resources to meet application SLAs
• Implementation of a highly adaptive and flexible service infrastructure

Capacity Management
• Cost-effective fulfilment of capacity and performance requirements
• Effective capture of IT service and infrastructure requirements to meet upcoming business needs
• Implementation of proactive Application Performance Management

Systems Build and Deployment
• Optimized deployment of new and updated IT infrastructure components through use of effective configuration management
• Effective management and approval processes for new IT systems, related to IT and business needs; timely and secure deployment of new and updated systems

Service Continuity Management
• IT systems and infrastructure minimize business impact from disruptive and damaging incidents
• Effective, business-aligned IT recovery plans built and maintained
• IT recovery plans continuously tested and improved

Availability Management
• Cost-effective maximization of IT availability
• Successful protection of asset availability against internal and external events and threats
• Maintenance and improvement of resilient structures, processes and organisations to maintain business-oriented service quality

Service Delivery solutions, which address availability risk, cover the following major functions:
• Service Level Agreements (SLAs) aligned to business and continuously measured, maintained and improved
• New applications appropriately chosen, tested and installed so as to minimize business disruption, delivered in accordance with SLAs
• Capacity and performance meet upcoming business needs
• Business impact from incidents minimized
• IT availability maximized to maintain business-oriented service quality


SECURITY

Authentication, Authorization and Access Management
• Appropriate and secure use of the organization's business-critical data and IT systems
• Access to applications, systems and data only by authorized users
• Effective and efficient maintenance and updating of user access authorization

Network, Protocol and Host Security
• Effective management of risk from threats to networked IT systems
• Effective detection and prevention of threats and fixing of network vulnerabilities
• Effective identification of permitted network protocols and services and control of network data-flow

Training and Awareness
• Full understanding of roles and responsibilities for IT service support and risk management
• Enhanced awareness and understanding of the results of incorrect, inappropriate and insecure behaviour and a reduction in such behaviour
• Enhanced awareness and understanding of governance, legal and regulatory requirements
• Reduction of errors and omissions

Security solutions, which address security risk, cover the following major functions:
• Business-critical IT systems used and information accessed only by authorized persons at all times
• Effective management of internal and external threats to, and vulnerabilities of, IT systems
• Incorrect, inappropriate and insecure behaviour by IT users minimized
• Governance, legal and regulatory requirements fully recognized and understood by all users of IT systems
• Errors and omissions by all users of IT systems minimized


Use-Case: Good Practices and Solution Mapping to Meet EU Data Protection and E-Privacy Principles

The EU Data Protection Directive and E-Privacy Directive principles have been adopted into the local law of all EU member states, such as the UK Data Protection Act 1998. Many non-EU countries have implemented similar principles as part of their Bill of Rights and/or their electronic communication and electronic transaction legislation. The following maps outline how the previously defined ISO 27002- and ITIL®-based good practices on information security and operational efficiency can help to meet those principles (in this use-case, principles from articles of the EU Data Protection Directive 95/46/EC), and what technology solutions can help to support these good practices.

Each map has three columns: Principles, ISO 27002 and ITIL® Good Practices, and Technology Solution.

Good practices to meet the governance principles of all following articles:
• Assignment, resource allocation and effective management of appropriate responsibilities and accountability for IT services
• Effective and continuous monitoring, maintenance, auditing and improvements of IT- and security policies and procedures
• Strategic alignment of information access and storage with governance, legal and regulatory requirements
• Strategic management of data creation, processing, storage, transmission and destruction
• Service continuity management to minimise impact from disruptive and damaging incidents
• Effective maintenance and updating of access to applications, systems, and data only by authorized users

Article 6

Principles:
• Data controllers to process personal data for purposes compatible with those for which it was initially collected
• Personal data shall not be kept for longer than necessary
• Data shall be accurate and updated where necessary

ISO 27002 and ITIL® Good Practices:
• Lawful and purpose-compatible data availability, accuracy (including minimisation), portability, and deletion
• Classification and management of IT- and information assets to meet governance, legal and regulatory requirements, and to minimise the risk impact

Technology Solution:
• Archiving
• Backup and Recovery
• Data Loss Prevention
• Discovery and Retention Management
• Identity and Authentication
• IT Governance
• Storage Management

Article 16

Principles:
• Confidentiality of personal data processing
• Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law

ISO 27002 and ITIL® Good Practices:
• Management of physical environment to minimise compromise of information confidentiality, integrity and availability
• Continuous awareness training and understanding of roles and responsibilities, personal and organisational consequences of incorrect and insecure behaviour, to reduce errors and omissions

Technology Solution:
• Data Loss Prevention
• Identity and Authentication
• IT Governance
• Security Management


Article 17

Principles:
• Obligation upon data controllers and processors to apply technical and organizational measures
• Protect data against accidental or unlawful destruction, loss, disclosure, and other forms of unlawful processing

ISO 27002 and ITIL® Good Practices:
• Access control and authentication against unauthorised disclosure
• Effective management and continuous improvements of incident response and problem management processes, incident impact and problem handling
• Effective risk management, detection and prevention of threats and vulnerabilities, limitation of access to IT services on a "need to know" and "need to do" basis
• Continuous awareness training and understanding of roles and responsibilities, personal and organisational consequences of incorrect and insecure behaviour, to reduce errors and omissions

Technology Solution:
• Data Loss Prevention
• Encryption
• Endpoint Security
• Identity and Authentication
• IT Governance
• Messaging & Web Security
• Security Management

Article 25

Principles:
• Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured

ISO 27002 and ITIL® Good Practices:
• Classification and management of IT- and information assets to meet governance, legal and regulatory requirements, and to minimise the risk impact
• Effective communications and operations management to ensure correct, secure and lawful operation of information processing and transmission facilities

Technology Solution:
• Archiving
• Data Loss Prevention
• Discovery and Retention Management
• Identity and Authentication
• IT Governance
• Messaging Management

Now and in the future we are faced with more and stronger data-protection and e-privacy requirements of internal and external mandates and legislations. The EU and non-EU countries have already introduced new legislation like mandatory breach notification requirements, and the EU is also working on a revision of the EU Data Protection Directive 95/46/EC, to enact new rules changing the existing data protection regime, which will have a significant impact on individuals and organisations in a number of areas. More and stronger legislation - in addition to trends like internet-wide collaboration, social networking, cloud computing and data volume explosions - means that risk management and information security management system standards and frameworks become more important than ever, and more complex than ever.


Appendix A - ISO 27001/27002 Implementation Best Practices, Benefits and Control Clauses

The ISO/IEC 27001:2005 standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

• Confidentiality - ensuring that information is accessible only to those authorised to have access
• Integrity - safeguarding the accuracy and completeness of information and processing methods
• Availability - ensuring that authorised users have access to information and associated assets when required

ISO 27002 is the "Code of Practice" for information security management and provides best practice recommendations for use by those responsible for initiating, implementing or maintaining an ISMS. Information security is defined within the standard in the context of the Confidentiality-Integrity-Availability triad.

ISO 27002:2005 is organised into the following twelve sections, a risk assessment and treatment section followed by eleven security control clauses:
• Risk Assessment and Treatment - IT risk management recognises the significance of IT risk and gives a basis for developing awareness of IT risks and for analysing their business impact
• Information Security Policy - To provide management direction and support for information security
• Organisation of Information Security - Management framework for implementation
• Asset Management - To ensure the security of valuable organisational IT and its related assets
• Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities
• Physical & Environmental Security - To prevent unauthorised physical access to, theft of, compromise of, or damage to information and information processing facilities
• Communications & Operations Management - To ensure the correct and secure operation of information processing facilities
• Access Control - To control access to information and information processing facilities on a "need to know" and "need to do" basis
• Systems Development & Maintenance - To ensure security is built into information systems
• Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated in a manner that allows timely corrective action
• Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level
• Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements

Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.

The implementation of an information security management system spans the strategic business and IT operations departments. Without buy-in from the strategic business side, IT would operate in silos without aligning the information security objectives to the business objectives. Conversely, the strategic business side has to include IT operations from the beginning in the planning and execution of new business strategies and objectives, such as an online store or external customer portals. Establishing an information assurance dialogue between the IT department and the rest of the business organisation requires that a common language is spoken, that risk assessment is treated in a mutually agreed way, and that a clear standard is used to explore the management of risk.


Unfortunately, "geek speak" doesn't always translate well into "business speak", and vice versa. Standards like ISO 27001 therefore help to build a "community of purpose" between the strategic business and IT operations departments through a shared language, and yield benefits at each level of the organisation:
• Commitment on the organisational level
• Compliance on the legal level
• Risk management on the operational level
• Credibility and confidence on the commercial level
• Reduced costs on the financial level
• Improved employee awareness on the human level

In the ISO 27001 and ISO 27002 standards, as in other ISMS standards and frameworks, the "Plan-Do-Check-Act" (PDCA) model is applied to structure all ISMS processes:

Plan (establish the ISMS) - Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organisation's overall policies and objectives.

Do (implement and operate the ISMS) - Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitor and review the ISMS) - Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.

Act (maintain and improve the ISMS) - Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

The following diagram illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces managed information security outcomes that meet those requirements and expectations.

The outer circle outlines a typical implementation process for ISO 27001 and 27002, from the initial written policy to scope definition and asset classification, selection and implementation of controls, and on to the actual operation of the ISMS with continuous monitoring, corrective and preventive actions, and regular management reviews to continually improve the established ISMS.


Appendix B - Best Practices Map to IT Projects and Symantec Enterprise Solutions

The following map illustrates how the previously defined ISO 27002- and ITIL®-based good practices map to IT projects and Symantec enterprise solutions.


About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Symantec helps organizations secure and manage their information-driven world with IT Compliance, discovery and retention management, data loss prevention, and messaging security solutions.

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. All information or part thereof available here is meant for public awareness only. Views expressed herein are views of the respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice in any manner whatsoever. 3/2012 21230240
