US 20120084868A1
(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2012/0084868 A1
Julisch    (43) Pub. Date: Apr. 5, 2012
(54) LOCATING DOCUMENTS FOR PROVIDING DATA LEAKAGE PREVENTION WITHIN AN INFORMATION SECURITY MANAGEMENT SYSTEM
(75) Inventor: Klaus Julisch, Rueschlikon (CH)
(73) Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY (US)
(21) Appl. No.: 13/234,703
(22) Filed: Sep. 16, 2011
(30) Foreign Application Priority Data
Sep. 30, 2010 (EP) ................................ 101843506
Publication Classification
(51) Int. Cl. G06F 21/00 (2006.01)
(52) U.S. Cl. ........................................................ 726/26
(57) ABSTRACT
A method for locating documents has a step of, on each entity of the plurality of document-storing entities, calculating a respective fingerprint for each document of the documents stored on the entity, a step of transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints, and a step of, at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.
[Representative figure: FIG. 5B, security policy applied to entities 502-506]
Patent Application Publication Apr. 5, 2012 Sheet 1 of 6 US 2012/0084868 A1
[FIG. 1: system 100, data proliferation]
[FIG. 2: steps 201, 202, 203]
[FIG. 3: steps 301, 302, 303, 304]
[FIG. 4: steps 401, 402, 403]
[FIG. 5A: arrangement 500; entities 502-505, data localization server 506, location descriptors 509]
[FIG. 5B: security policy; reference signs 505, 506]
LOCATING DOCUMENTS FOR PROVIDING DATA LEAKAGE PREVENTION WITHIN AN INFORMATION SECURITY MANAGEMENT SYSTEM

PRIORITY

[0001] This application claims priority to European Patent Application No. 101843506, filed 30 Sep. 2010, and all the benefits accruing therefrom under 35 U.S.C. §119, the contents of which in its entirety are herein incorporated by reference.

[0002] The invention relates to a method and to a system for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS).

BACKGROUND

[0003] An example for illustrating data proliferation in a system 100 is depicted in FIG. 1. In the system 100, the original document 101 is owned by an executive. But, in the system 100, there are further copies of the original document 101 proliferated in the system 100. For example, there are earlier drafts 102 from the executive's subordinates. Further, there may be backup and temporary copies 103 of the earlier drafts 102.

[0004] Moreover, there may be a copy 104 on the executive's memory stick. Moreover, there may be temporary copies 105 on the executive's hard drive.

[0005] Also, copies 106 may be sent out by the executive. Further, there may be backup copies 107 of said sent-out copies 106. In sum, FIG. 1 shows an example of data leakage.

[0006] Conceptually, DLP prevents documents, in particular sensitive documents, from leaking into unauthorized hands. In practice, the term DLP is used synonymously with concrete implementations. At least three implementations are known that have been equated with a DLP: host-based DLP, server-based DLP and network-based DLP.

[0007] In host-based DLP, a DLP agent is installed on each end user computer of an enterprise's system. The DLP agent may prevent sensitive documents from leaking into unauthorized destinations within or outside the enterprise's system. In many ways, the host-based DLP may be compared to a virus scanner as it also runs on end user computers to protect them from threats.

[0008] In server-based DLP, a DLP agent is installed on selected servers of the enterprise's system, e.g., on an e-mail server, that prevents sensitive documents from being passed on to unauthorized destinations.

[0009] In network-based DLP, a DLP agent is placed at the gateway of the enterprise's system to the Internet so as to block all sensitive documents from leaving the enterprise's system.

[0010] DLP technology is defined as those that, as a core function, perform deep packet inspection on outbound network communications traffic, track sessions and perform linguistic analysis to detect, block or control the usage of specific content based on established rules or policies. The channels to be monitored may include e-mail traffic, Instant Messaging (IM), FTP, HTTP and other TCP/IP protocols.

[0011] In sum, conventional DLP uses agents to control real-time usage of documents, such as printing, e-mailing, and copying to CD. Particularly, conventional DLP places its agents where data is used, i.e., on the end-user PCs, servers or gateways.

[0012] The user of conventional DLPs is burdened with the need to develop, update and maintain patterns that identify sensitive documents. Alternatively, the DLP vendor has to do this work.

SUMMARY

[0013] According to an embodiment of a first aspect of the invention, a method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS) is suggested. The method has a step of, on each entity of the plurality of entities, calculating a respective fingerprint for each document of the documents stored on the entity, a step of transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints, and a step of, at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0014] Embodiments of the invention may prevent data leakage in an Information System (IS) which has a plurality of entities capable of storing documents.

[0015] According to an embodiment of a second aspect of the invention, the invention relates to a computer program comprising a program code for executing the method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS) when run on at least one computer.

[0016] According to some embodiments the work for developing, updating and maintaining patterns for identifying sensitive documents is eliminated as the user merely may have to point to the documents that may be sensitive. This may be beneficial, because it is difficult to write patterns that define what a sensitive document looks like. In the case of writing patterns, there are the risks of true positives and false negatives.

[0017] According to some implementations, data sprawl is controlled by controlling where the documents or data are stored. In this regard, according to embodiments of the present invention, agents for calculating the fingerprints may be stored where the documents are stored.

[0018] In an embodiment, the method has the step of determining documents of at least one defined document class, at the data localization server, locating all copies of a specimen document of said document class by calculating the fingerprint of the specimen document, and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0019] In an embodiment, the method has the steps of determining documents of at least one defined document class, and, at the data localization server, locating all copies of specimen documents of said document class by calculating the fingerprints of the specimen documents and comparing the calculated fingerprints of the specimen documents with the fingerprints stored in the fingerprint database. The documents of one defined document class may be characterized by having similar or equal sensitivity, regulatory requirements or the like.

[0020] In a further embodiment, the method has the steps of determining documents of a defined document class indicating sensitive documents within the IS, and at the data localization server, locating all copies of a certain sensitive document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0021] In a further embodiment, a respective agent is installed on each entity of the plurality of entities, wherein the fingerprints of the documents stored on the respective entity are calculated by the respective agent. The respective agent may calculate the fingerprints of the documents stored on the corresponding entity in spare cycles of said corresponding entity.

[0022] In a further embodiment, the calculated fingerprints are transferred to the data localization server by the agents, wherein the transferred fingerprints are stored in the fingerprint database.

[0023] In a further embodiment, the location descriptors are provided in dependence on comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database, the provided location descriptors being configured to indicate the locations of the copies of the specimen document within the IS.

[0024] In a further embodiment, a definite location descriptor indicating a location of a definite document stored on one entity of the IS is provided if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document.

[0025] In a further embodiment, a definite location descriptor indicating a location of a definite document stored on one entity of the IS is provided, if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document, and if the definite document stored on one entity is equal or similar to the specimen document, wherein similarity of documents is determined by a separate algorithm.

[0026] In a further embodiment, the provided location descriptors are transferred to an ISMS control entity, the ISMS control entity being configured to query the fingerprint database of the data localization server.

[0027] According to an embodiment of a third aspect of the invention, the invention relates to a method for providing Data Leakage Prevention (DLP) of documents within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing the documents. The method has a step of locating the documents stored on the entities as described above with respect to the first aspect of the invention, a step of providing a respective security policy for each defined document class, and a step of applying the respective provided security policy to the located documents associated to the respective document class, for each defined document class.

[0028] The present security policies may define where and how data may be stored. This is in contrast to security policies in conventional DLPs, which define how data may be used.

[0029] In an embodiment, the respective security policy indicates a storage policy indicating which type or types of the entities have the right to store documents of the defined document class, and an action policy indicating at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

[0030] In a further embodiment, the step of applying the respective provided security policy to the located documents associated to the respective document class includes transferring the respective provided security policy to all entities storing at least one document of the respective document class and enforcing the transferred security policy on the at least one document of the respective document class on the respective entity.

[0031] In a further embodiment, the method has the steps of storing a new document on an entity of the plurality of the entities, calculating a fingerprint of the stored new document, determining the document class of the stored new document in dependence on the calculated fingerprint, and applying the respective security policy associated to the determined document class to the stored new document.

[0032] According to an embodiment of a fourth aspect of the invention, the invention relates to a system for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS). The system has a plurality of entities for storing the documents, each entity of the plurality of entities having a respective agent, said respective agent being configured to calculate a respective fingerprint for each document of the documents stored on the entity and to transfer the calculated fingerprints to a data localization server having a fingerprint database for storing the transferred fingerprints, and the data localization server being configured to locate copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0033] According to an embodiment of a fifth aspect of the invention, the invention relates to an arrangement for providing Data Leakage Prevention (DLP) of documents within or as part of an Information Security Management System (ISMS). The arrangement has a system for locating documents according to the above mentioned embodiment of the fourth aspect of the invention, and an ISMS control entity for receiving a respective security policy for each defined document class and for applying the respective provided security policy to the located documents associated to the respective document class.

[0034] The agent may be any calculating means. Moreover, the ISMS control entity may be any controlling means.

[0035] The respective means, in particular the agent and the ISMS control entity, may be implemented in hardware or in software. If said means are implemented in hardware, it may be embodied as a device, e.g. as a computer or as a processor or as a part of a system, e.g. a computer system. If said means are implemented in software it may be embodied as a computer program product, as a function, as a routine, as a program code or as an executable object.

[0036] In the following, exemplary embodiments of the present invention are described with reference to the enclosed figures.

BRIEF DESCRIPTION OF THE FIGURES

[0037] FIG. 1 shows a schematic block diagram illustrating data proliferation in a system;

[0038] FIG. 2 shows a first embodiment of a sequence of method steps for locating documents for providing Data Leakage Prevention within an Information Security Management System;

[0039] FIG. 3 shows a second embodiment of a sequence of method steps for locating documents for providing Data Leakage Prevention within an Information Security Management System;

[0040] FIG. 4 shows an embodiment of a sequence of method steps for providing Data Leakage Prevention of documents within an Information Security Management System, and

[0041] FIGS. 5A and 5B show a schematic block diagram of an embodiment of an arrangement for providing Data Leakage Prevention of documents within an Information Security Management System.

[0042] Similar or functionally similar elements in the figures have been allocated the same reference signs if not otherwise indicated.

DETAILED DESCRIPTION

[0043] FIG. 2 shows a first embodiment of a sequence of method steps for locating documents for providing DLP within an ISMS, the ISMS having a plurality of entities capable of storing documents.

[0044] In step 201, a respective fingerprint for each document of the documents stored on the respective entity is calculated. Step 201 may be performed on each entity of the plurality of entities of the ISMS.

[0045] In step 202, the calculated fingerprints are transferred by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints.

[0046] In step 203, at the data localization server, all copies of a specimen document are located by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0047] FIG. 3 depicts a second embodiment of a sequence of method steps for locating documents for providing DLP within an ISMS.

[0048] In step 301, a respective fingerprint for each document of the documents stored on the respective entity is calculated. Said step 301 may be performed on each entity of the plurality of entities of the ISMS.

[0049] In step 302, the calculated fingerprints are transferred by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints.

[0050] In step 303, documents of at least one defined document class are determined. In particular, said defined document class may indicate sensitive documents within the ISMS.

[0051] In step 304, at a data localization server, all copies of a specimen document of said document class are located by calculating the fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0052] In FIG. 4, an embodiment of a sequence of method steps for providing DLP of documents within an ISMS is shown.

[0053] In step 401, the documents stored on the entities are located. For applying step 401, the method of FIG. 2 or the method of FIG. 3 may be used.

[0054] In step 402, a respective security policy for each defined document class is provided.

[0055] Particularly, the respective security policy includes a storage policy indicating which type or types of the entities have the right to store documents of the defined document class, and an action policy indicating at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

[0056] In step 403, for each defined document class, the respective provided security policy is applied to the located documents associated to the respective document class.

[0057] Particularly, the step 403 of applying the respective provided security policy to the located documents associated to the respective document class includes transferring the respective provided security policy to all entities storing at least one document of the respective document class and enforcing the transferred security policy on the at least one document of the respective document class on the respective entity.

[0058] Further, if a new document is stored on an entity of said plurality of entities, a fingerprint of the stored new document may be calculated and the document class of the stored new document may be determined in dependence on the calculated fingerprint. Subsequently, the respective security policy associated to the determined document class may be applied to said stored new document.

[0059] All above-mentioned embodiments of the methods of the present invention may be embodied by respective means to be a respective embodiment of the system or arrangement of the present invention.

[0060] FIGS. 5A and 5B show a schematic block diagram of an embodiment of an arrangement 500 for providing DLP of documents within an ISMS 501. The ISMS 501 has a plurality of entities 502-505 which are capable of storing said documents. For example, there is a server 502, a PC 503, a laptop 504 and storage devices 505. Without loss of generality, the ISMS 501 of FIGS. 5A and 5B has only four entities 502-505.

[0061] Further, said ISMS 501 has a data localization server 506 and an ISMS control entity 507 controlling or interrogating said data localization server 506.

[0062] An example of the functionality of said arrangement 500 is described in the following with reference to the steps 1-8 of FIGS. 5A and 5B. In particular, FIG. 5A shows the steps 1-4 for locating the documents in the ISMS 501, and FIG. 5B shows the steps 5-8 upon localizing all copies of a specimen document "Doc".

[0063] In step 1, a respective agent is installed on each entity 502-505 of the ISMS 501. The respective agent calculates a respective fingerprint of the documents stored in the respective entity 502-505.

[0064] The purpose in step 1 is to crawl the memories, in particular the hard discs, of the entities 502-505 and to calculate said fingerprints for all documents found. A fingerprint may be a short, but characteristic summary of a document, e.g., the ten most frequent words other than utility words like "are", "the" or the like.

[0065] In step 2, the calculated fingerprints are transferred from the entities 502-505 to the data localization server 506. The transferred fingerprints are stored in a fingerprint database 508 of said data localization server 506.

[0066] In particular, as documents change on the entities 502-505, the fingerprints may be updated on the data localization server 506. Alternatively, the agents may send entire documents to the fingerprint database 508, and fingerprints may be calculated centrally by the data localization server 506.

[0067] In step 3, the ISMS control entity 507 queries the fingerprint database 508 of the data localization server 506 by a specimen document Doc. By the inquiry, the ISMS control entity 507 asks the data localization server 506 to locate all copies of the specimen document Doc. To answer this query, the data localization server 506 calculates the fingerprint of the specimen document Doc and searches the fingerprint database 508 with the calculated fingerprint for equal or similar fingerprints.

[0068] In this regard, two options may arise. First, the locations of documents with similar or equal fingerprints may be returned directly. Second, it may be verified if, in addition to having similar fingerprints, the full documents are either identical or highly similar, e.g. overlapping in large parts.
[0069] In step 4, the location descriptors 509 are provided in dependence on comparing the calculated fingerprint of the specimen document Doc with the fingerprints stored in the fingerprint database 508. The provided location descriptors 509 may be configured to indicate the locations of the copies of the specimen document Doc within the ISMS 501.

[0070] For example, a definite location descriptor indicating a location of the specimen document Doc stored on one entity 502-505 of the ISMS 501 is provided, if (as indicated above) the fingerprint associated to said specimen document stored in the fingerprint database 508 is equal or similar to the calculated fingerprint of the specimen document Doc.

[0071] Referring now to FIG. 5B, in step 5, a respective security policy is retrieved for each defined document class.

[0072] For example, the respective security policy may include a storage policy and an action policy. The storage policy may indicate which type or types of the entities 502-505 have the right to store documents of the defined document class. The action policy may indicate at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

[0073] For example, if the specimen document Doc has been classified, then a database (not shown) may return the security policy 510 applicable to its document class. Otherwise, a human operator may have to provide the applicable security policy.

[0074] Further, the storage policy may define the machine types that may store documents of the respective document class.

[0075] Furthermore, the action policy may define the actions to be taken in a definite case, for example delete a document, either automated, administrator-assisted, immediately or delayed. Further actions may be to replace by reference to a master copy, encrypt the document, possibly temporarily, or upgrade the machine type to provide suitable controls.

[0076] The machine types may be defined by security officials and may distinguish machines based on their purpose, e.g., PC vs. server, on their administration, e.g. user-administered vs. professionally administered, on their localization, e.g. DMZ, Internet-facing or Intranet, on the controls they implement and their clearance, e.g. processing of public vs. sensitive vs. highly sensitive data or documents.

[0077] In step 6, for all entities or machines 502-505 that were found to store copies of the specimen document Doc, the actions that the security policy imposes are sent to the respective on-machine agents.

[0078] In step 7, the on-machine agents perform the actions imposed by the security policy.

[0079] Further, step 8 may show an alternative. After step 5, the ISMS 501 knows the security policy that applies to documents that have the same fingerprint as document Doc. Thus, this policy may henceforth be automatically applied to all the documents that come in with the same fingerprint as said specimen document Doc.

[0080] What has been described herein is merely illustrative of the application of the principles of the present invention. Other arrangements and systems may be implemented by those skilled in the art without departing from the scope and spirit of this invention.

What is claimed is:

1. A method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing documents, the method comprising:
on each entity of the plurality of entities, calculating a respective fingerprint for each document of the documents stored on the entity;
transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints; and
at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

2. The method of claim 1, further comprising:
determining documents of at least one defined document class, and
at the data localization server, locating all copies of a specimen document of said document class by calculating the fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

3. The method of claim 2, further comprising:
determining documents of a defined document class indicating sensitive documents within the ISMS; and
at the data localization server, locating all copies of a certain sensitive document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

4. The method of claim 3, wherein a respective agent is installed on each entity of the plurality of entities, wherein the fingerprints of the documents stored on the respective entity are calculated by the respective agent.

5. The method of claim 4, wherein the calculated fingerprints are transferred to the data localization server by the agents, wherein the transferred fingerprints are stored in the fingerprint database.

6. The method of claim 5, wherein location descriptors are provided in dependence on comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database, the provided location descriptors being configured to indicate the locations of the copies of the specimen document within the ISMS.

7. The method of claim 6, wherein a definite location descriptor indicating a location of a definite document stored on one entity of the ISMS is provided if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document.

8. The method of claim 7, wherein a definite location descriptor indicating a location of a definite document stored on one entity of the ISMS is provided, if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document, and if the definite document stored on one entity is equal or similar to the specimen document, wherein a similarity of documents is determined by a separate algorithm.

9. The method of claim 8, wherein the provided location descriptors are transferred to an ISMS control entity, the ISMS control entity being configured to query the fingerprint database of the data localization server.

10. A method for providing Data Leakage Prevention (DLP) of documents within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing the documents, the method comprising:
locating the documents stored on the entities according to claim 2;
providing a respective security policy for each defined document class; and
for each defined document class, applying the respective provided security policy to the located documents associated to the respective document class.

11. The method of claim 10, wherein the respective security policy includes a storage policy indicating which type or types of the entities have the right to store documents of the defined document class, and an action policy indicating at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

12. The method of claim 11, wherein the applying the respective provided security policy to the located documents associated to the respective document class includes transferring the respective provided security policy to all entities storing at least one document of the respective document class and enforcing the transferred security policy on the at least one document of the respective document class on the respective entity.

13. The method of claim 12, further comprising:
storing a new document on an entity of the plurality of the entities;
calculating a fingerprint of the stored new document;
determining the document class of the stored new document in dependence on the calculated fingerprint; and
applying the respective security policy associated to the determined document class to the stored new document.

14. A system for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS), the system comprising:
a plurality of entities for storing the documents, each entity of the plurality of entities having a respective agent, said respective agent being configured to calculate a respective fingerprint for each document of the documents stored on the entity and to transfer the calculated fingerprints to a data localization server having a fingerprint database for storing the transferred fingerprints; and
the data localization server being configured to locate copies of a specimen document (Doc) by calculating a fingerprint of the specimen document (Doc) and comparing the calculated fingerprint of the specimen document (Doc) with the fingerprints stored in the fingerprint database.

15. An arrangement for providing Data Leakage Prevention (DLP) of documents within an Information Security Management System (ISMS), the arrangement comprising:
a system for locating documents according to claim 14, and
an ISMS control entity for receiving a respective security policy for each defined document class and for applying the respective provided security policy to the located documents associated to the respective document class.

16. A non-transitory, computer readable storage medium having instructions stored thereon that, when executed by a computer, implement a method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing documents, the method comprising:
on each entity of the plurality of entities, calculating a respective fingerprint for each document of the documents stored on the entity;
transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints; and
at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.
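The following is an added example, not code from the patent, of the policy side described in steps 5-8 of FIG. 5B and steps 401-403 of FIG. 4: a security policy made of a storage policy (which entity types may hold a document class) and an action policy (the actions listed in [0075], automated or administrator-assisted, immediate or delayed), applied to the location descriptors returned in step 4, plus the step 8 shortcut that enforces the policy on newly stored documents whose fingerprint is already classified. The entity names and machine types, the two policies, the opaque fingerprint value and the location descriptors are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

# Added example (not the patent's code) of steps 5-8 of FIG. 5B / steps 401-403 of FIG. 4.
# Entity types, policies, fingerprint value and location descriptors are constructed.


class Action(Enum):
    """The actions named in [0075]."""
    DELETE = "delete"
    REPLACE_BY_REFERENCE = "replace_by_reference"
    ENCRYPT = "encrypt"
    UPGRADE_MACHINE_TYPE = "upgrade_machine_type"


@dataclass(frozen=True)
class SecurityPolicy:
    document_class: str
    allowed_entity_types: frozenset   # storage policy: entity types with the right to store the class
    action: Action                    # action policy: what to do on an entity lacking that right
    mode: str = "automated"           # or "administrator-assisted"
    timing: str = "immediate"         # or "delayed"


# Machine types in the sense of [0076], assumed for the four entities of FIG. 5A.
ENTITY_TYPES = {"server-502": "server", "pc-503": "pc",
                "laptop-504": "laptop", "storage-505": "storage"}

# Constructed policies; in the arrangement they come from the database of [0073] or an operator.
POLICIES = {
    "sensitive": SecurityPolicy("sensitive", frozenset({"server", "storage"}),
                                Action.REPLACE_BY_REFERENCE),
    "highly-sensitive": SecurityPolicy("highly-sensitive", frozenset({"server"}),
                                       Action.DELETE, mode="administrator-assisted"),
}

# Step 8 memory: fingerprint -> document class, filled once a specimen has been classified.
# Fingerprints are opaque keys here; the constructed value stands for Doc's fingerprint.
FP_DOC = "fp:constructed-doc"
CLASS_BY_FINGERPRINT = {}


def retrieve_policy(document_class):
    """Step 5 / [0073]: the policy for a classified document, or None so an operator must supply one."""
    return POLICIES.get(document_class)


def decide(policy, entity):
    """Storage policy check: None if the entity type may store the class, else the policy's action."""
    if ENTITY_TYPES[entity] in policy.allowed_entity_types:
        return None
    return policy.action


def apply_policy(policy, descriptors):
    """Steps 6-7 / step 403: turn location descriptors into per-agent instruction lists,
    so each on-machine agent receives only the actions for its own copies."""
    per_agent = {}
    for entity, path in descriptors:
        action = decide(policy, entity)
        if action is not None:
            per_agent.setdefault(entity, []).append(
                (path, action.value, policy.mode, policy.timing))
    return per_agent


def remember_classification(fp, document_class):
    """After step 5 the ISMS knows which policy applies to this fingerprint."""
    CLASS_BY_FINGERPRINT[fp] = document_class


def on_new_document(entity, path, fp):
    """Step 8 / [0058]: a newly stored document with a known fingerprint gets its class's policy at once."""
    document_class = CLASS_BY_FINGERPRINT.get(fp)
    if document_class is None:
        return None   # unknown fingerprint: nothing can be enforced automatically
    action = decide(POLICIES[document_class], entity)
    return None if action is None else (path, action.value)


# Constructed location descriptors, as the data localization server would return them in step 4.
LOCATED_COPIES = [("server-502", "shared/merger_v3.txt"),
                  ("storage-505", "backup/merger_v3.txt"),
                  ("laptop-504", "desktop/merger_draft.txt")]


if __name__ == "__main__":
    policy = retrieve_policy("sensitive")
    print(apply_policy(policy, LOCATED_COPIES))
    remember_classification(FP_DOC, "sensitive")
    print(on_new_document("pc-503", "downloads/merger.txt", FP_DOC))
```

With the "sensitive" policy only the laptop copy is out of place and its agent is told to replace it by a reference; under "highly-sensitive" the storage backup is also flagged, and the delete is marked administrator-assisted rather than automated. The step 8 path shows why classification is keyed by fingerprint: once Doc is classified, a copy landing on the PC later is handled without a new query to the ISMS control entity, but an unknown fingerprint still yields no action and must go back to an operator as in [0073].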