Information Security, IT Risk & Compliance

Image courtesy of khunaspix / FreeDigitalPhotos.net


What is information security about? Many think of firewalls and of fighting hackers and malware. Snowden is a good example of another class of information security threat: the insider. He represents the risk that an employee takes data out of an organization, by mistake or on purpose, using nothing more than normal access rights, and thereby harms the company's position in the market or violates its compliance obligations.

Today, the business has more IT know-how than ever. As a consequence, much of today's innovation and investment in applications bypasses the IT department. Shadow IT is the term used for this trend. My article How To Deal With Shadow-IT Applications discusses this trend and its implications from a governance perspective.

The article Business Applications: On the Tension between Efficient Testing and Compliance, based on a keynote I gave at a workshop of the special interest group TAV of the German Informatics Society (Gesellschaft für Informatik), discusses the tension between efficiency, especially in testing, and compliance needs.

The ISO 27001 standard does not only affect the IT security organization; it affects software development and testing as well. Read the article What Developers and Testers have to know about the ISO 27001 Information Security Standard for more details.

The article Data-Privacy Assessments for Application Landscapes: A Methodology addresses how to test whether an application exposes sensitive data. The focus is on identifying potential leaks before they are exploited.

The article Testdaten als Risikofaktor (in German; Test Data as a Risk Factor) explains the risk of losing sensitive data, or of violating regulatory requirements, in development and test environments, which are typically filled with copies of production data but protected far less strictly than production.

In Data-Loss-Prevention-Tools minimieren Sicherheitslücken in Testumgebungen (in German; Data Loss Prevention Tools Minimize Security Gaps in Test Environments), we discuss how data loss prevention tools can help manage the compliance and data loss risks of test environments.

Besides the articles, the following two videos explain in detail when investing in data loss prevention tools makes sense and how such tools identify sensitive data and information.
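To make the idea of "identifying sensitive data in a test environment" concrete, here is a small pattern-based scan of the kind a data loss prevention tool performs. It is an added illustration, not code from any of the articles above and not a vendor's tool. The CSV rows, names and values are constructed; the detectors pair a regular expression with a checksum (Luhn for payment cards, the ISO 13616 mod-97 check for IBANs) so that arbitrary digit strings in an order number or a test ID do not count as findings, and matched values are masked before the rows are handed to testers.

```python
"""Pattern-based sensitive-data scan of a test-data export (added example).

The rows below are constructed to stand in for a dump copied from production
into a test database. Each detector combines a regex with a checksum where one
exists, so that random digit strings are not reported as findings. Hypothetical
data; not the author's or any vendor's code.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample rows: id,name,email,card number,IBAN
SAMPLE_ROWS = [
    "1001,Max Mustermann,max.mustermann@example.com,4111111111111111,DE89370400440532013000",
    "1002,Erika Musterfrau,erika@example.org,1234567812345678,DE00123456789012345678",
    "1003,Test User,none,ORDER-20240101,n/a",
]

CARD_RE = re.compile(r"\b\d{13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 check: move the first four chars to the end, map letters
    A..Z to 10..35, and require the resulting integer to be 1 modulo 97."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


# category -> (pattern, validator); emails have no checksum to apply
DETECTORS: Dict[str, Tuple[re.Pattern, Callable[[str], bool]]] = {
    "card": (CARD_RE, luhn_ok),
    "iban": (IBAN_RE, iban_ok),
    "email": (EMAIL_RE, lambda _value: True),
}


def scan_row(row: str) -> List[Tuple[str, str]]:
    """Return (category, value) findings for one row; checksum failures are dropped."""
    findings = []
    for category, (pattern, validate) in DETECTORS.items():
        for match in pattern.finditer(row):
            value = match.group(0)
            if validate(value):
                findings.append((category, value))
    return findings


def mask(value: str) -> str:
    """Hide everything except the last four characters, as card receipts do."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def scan_rows(rows: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Scan all rows; return a per-category finding count and the masked rows."""
    counts: Dict[str, int] = {}
    masked_rows = []
    for row in rows:
        masked = row
        for category, value in scan_row(row):
            counts[category] = counts.get(category, 0) + 1
            masked = masked.replace(value, mask(value))
        masked_rows.append(masked)
    return counts, masked_rows


if __name__ == "__main__":
    found, cleaned = scan_rows(SAMPLE_ROWS)
    print("findings:", found)
    for line in cleaned:
        print(line)
```

Row 1002 shows why the checksum matters: its card number and IBAN look right to the regex but fail Luhn and mod-97, so they are left alone, while the real-looking values in row 1001 are reported and masked. A production-grade tool adds many more detectors (national IDs, health data, keywords, fingerprints of known documents), but the structure is the same.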
