Corporate entities of all sizes and industry sectors generally have a keen interest in protecting internal or proprietary data against unauthorized release. A breach in data security may result in the loss of critical market advantages for an organization or company, as well as lead to the violation of privacy rights and interests of employees, customers, clients, partners, members or other stakeholders.
Data security is also of keen interest to both government and private standard-setting bodies. The U.S. government, for example, has enacted several statutes that address, at least in part, data security for corporate entities. These include the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Sarbanes-Oxley Act of 2002 (SOXA).
GLBA, which is also known as the Financial Services Modernization Act of 1999, requires financial institutions such as banks, brokerage firms and insurance companies to: 1) store customers' personal financial information securely (the GLBA Safeguards Rule), 2) advise customers, clients or members of the institution's policies on sharing of personal financial information (the GLBA Privacy Rule), and 3) provide consumers the option to opt out of some sharing of personal financial information with nonaffiliated third parties.
SOXA mandates that all publicly traded companies demonstrate due diligence in the disclosure of financial information, and it requires that such companies implement a series of internal controls and procedures to communicate, store and protect financial data. Public companies are also required under SOXA to protect these controls from threats (internal and external) and from unauthorized access, including threats and access that could occur through online systems and networks. This level of security is necessary to ensure that organizations or companies maintain the integrity of financial data on behalf of employees, customers, clients, partners, members and other stakeholders.
Among private standard-setting bodies, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have promulgated the ISO/IEC 17799:2005 standard (renumbered ISO/IEC 27002 in 2007). The ISO/IEC 17799:2005 standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
The objectives outlined in the ISO/IEC 17799:2005 standard provide general guidance on the commonly accepted goals of information security management. The standard contains best practices of control objectives and controls in several areas of information security management, including: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.
Laws and standards on data security motivate human vigilance in this area. Though such laws and standards may reduce unauthorized releases of data that companies intend to keep internal or proprietary, they do not eliminate these releases. Innovations that help identify the source of an unauthorized release would help company managers both to assess the severity of the release and to implement procedures to prevent or minimize future unauthorized releases. Various embodiments are particularly useful in helping to identify the source of an unauthorized release of sensitive data.