The Credit Information Bureau (India) Limited (CIBIL) has recently added a data loss prevention (DLP) module to its existing Unified Threat Management (UTM) implementation. Since the credit bureau has to handle comprehensive credit information collated from different banks, information security is very critical for CIBIL.
"Since we are in the information business, we provide Internet access to our employees. However, the introduction of Internet usage has brought in newer data theft and data leakage issues," says Sudesh Puthran, the chief information officer of CIBIL. "So the challenge for our IT team is to create a scenario which will discourage employees from sharing the company's confidential data. We have to give Internet to our employees since they need to access information. But how do you regulate and monitor that usage? Content filtering on official mail is a very obvious measure, which is already in place," says Puthran.
With the DLP module in place, CIBIL's IT team can perform random checks on employee chats. The objective is to search for confidential data being shared — intentional or unintentional. The team also goes through social networking sites browsed by employees to evaluate patterns and conversations for possible data leaks. It also provides a mechanism to restrict employees from downloading and uploading attachments.
After evaluating the DLP technology for a month, the project went live in October 2009. The company uses a UTM from Gajshield, which was deployed four years ago.
CIBIL has been ISO 27001 compliant for the last four years. It started off with being BS 7799 compliant, and then upgraded to ISO 27001. "As an ISO 27001 certified company, we have a clear-cut security policy and user guidelines which necessitate Internet usage only for official purposes. So it's an open fact that it's a sensitive corporate issue, which will be monitored. Hence we did not have any post-deployment challenges," Puthran says.
CIBIL is evaluating various technologies to help identify inappropriate database usage. "We have massive amounts data which need to be protected. We plan to deploy another UTM to monitor the database. Evaluations are currently underway," says Puthran.