(19) United States
(12) Patent Application Publication          (10) Pub. No.: US 2012/0084868 A1
     Julisch                                  (43) Pub. Date:      Apr. 5, 2012

(54) LOCATING DOCUMENTS FOR PROVIDING DATA LEAKAGE PREVENTION WITHIN AN INFORMATION SECURITY MANAGEMENT SYSTEM

(75) Inventor:    Klaus Julisch, Rueschlikon (CH)
(73) Assignee:    INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY (US)
(21) Appl. No.:   13/234,703
(22) Filed:       Sep. 16, 2011

(30) Foreign Application Priority Data
     Sep. 30, 2010 (EP) ................................ 101843506

Publication Classification
(51) Int. Cl.  G06F 21/00 (2006.01)
(52) U.S. Cl.  ........................................................ 726/26

(57) ABSTRACT

A method for locating documents has a step of, on each entity of the plurality of document-storing entities, calculating a respective fingerprint for each document of the documents stored on the entity, a step of transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints, and a step of, at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[Drawing sheets 1-6 of 6, US 2012/0084868 A1, Apr. 5, 2012: Fig. 1 (system 100); Fig. 2 (steps 201, 202, 203); Fig. 3 (steps 301-304); Fig. 4 (steps 401-403); Fig. 5A (arrangement 500 with entities 502-505, data localization server 506, location descriptors 509); Fig. 5B (security policy applied via entities 505 and 506).]

LOCATING DOCUMENTS FOR PROVIDING DATA LEAKAGE PREVENTION WITHIN AN INFORMATION SECURITY MANAGEMENT SYSTEM

PRIORITY

[0001] This application claims priority to European Patent Application No. 101843506, filed 30 Sep. 2010, and all the benefits accruing therefrom under 35 U.S.C. §119, the contents of which in its entirety are herein incorporated by reference.

BACKGROUND

[0002] The invention relates to a method and to a system for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS).

[0003] An example for illustrating data proliferation in a system 100 is depicted in FIG. 1. In the system 100, the original document 101 is owned by an executive. But, in the system 100, there are further copies of the original document 101 proliferated in the system 100. For example, there are earlier drafts 102 from the executive's subordinates. Further, there may be backup and temporary copies 103 of the earlier drafts 102.

[0004] Moreover, there may be a copy 104 on the executive's memory stick. Moreover, there may be temporary copies 105 on the executive's hard drive.

[0005] Also, copies 106 may be sent out by the executive. Further, there may be backup copies 107 of said sent-out copies 106. In sum, FIG. 1 shows an example of data leakage.

[0006] Conceptually, DLP prevents documents, in particular sensitive documents, from leaking into unauthorized hands. In practice, the term DLP is used synonymously with concrete implementations. At least three implementations are known that have been equated with a DLP: host-based DLP, server-based DLP and network-based DLP.

[0007] In host-based DLP, a DLP agent is installed on each end user computer of an enterprise's system. The DLP agent may prevent sensitive documents from leaking into unauthorized destinations within or outside the enterprise's system. In many ways, the host-based DLP may be compared to a virus scanner as it also runs on end user computers to protect them from threats.

[0008] In server-based DLP, a DLP agent is installed on selected servers of the enterprise's system, e.g., on an e-mail server, that prevents sensitive documents from being passed on to unauthorized destinations.

[0009] In network-based DLP, a DLP agent is placed at the gateway of the enterprise's system to the Internet so as to block all sensitive documents from leaving the enterprise's system.

[0010] DLP technologies are defined as those that, as a core function, perform deep packet inspection on outbound network communications traffic, track sessions and perform linguistic analysis to detect, block or control the usage of specific content based on established rules or policies. The channels to be monitored may include e-mail traffic, Instant Messaging (IM), FTP, HTTP and other TCP/IP protocols.

[0011] In sum, conventional DLP uses agents to control real-time usage of documents, such as printing, e-mailing, and copying to CD. Particularly, conventional DLP places its agents where data is used, i.e., on the end-user PCs, servers or gateways.

[0012] The user of conventional DLPs is burdened with the need to develop, update and maintain patterns that identify sensitive documents. Alternatively, the DLP vendor has to do this work.

SUMMARY

[0013] According to an embodiment of a first aspect of the invention, a method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS) is suggested. The method has a step of, on each entity of the plurality of entities, calculating a respective fingerprint for each document of the documents stored on the entity, a step of transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints, and a step of, at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0014] Embodiments of the invention may prevent data leakage in an Information System (IS) which has a plurality of entities capable of storing documents.

[0015] According to an embodiment of a second aspect of the invention, the invention relates to a computer program comprising a program code for executing the method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS) when run on at least one computer.

[0016] According to some embodiments the work for developing, updating and maintaining patterns for identifying sensitive documents is eliminated as the user merely may have to point to the documents that may be sensitive. This may be beneficial, because it is difficult to write patterns that define what a sensitive document looks like. In the case of writing patterns, there are the risks of true positives and false negatives.

[0017] According to some implementations, data sprawl is controlled by controlling where the documents or data are stored. In this regard, according to embodiments of the present invention, agents for calculating the fingerprints may be stored where the documents are stored.

[0018] In an embodiment, the method has the step of determining documents of at least one defined document class, at the data localization server, locating all copies of a specimen document of said document class by calculating the fingerprint of the specimen document, and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0019] In an embodiment, the method has the steps of determining documents of at least one defined document class, and, at the data localization server, locating all copies of specimen documents of said document class by calculating the fingerprints of the specimen documents and comparing the calculated fingerprints of the specimen documents with the fingerprints stored in the fingerprint database. The documents of one defined document class may be characterized by having similar or equal sensitivity, regulatory requirements or the like.

[0020] In a further embodiment, the method has the steps of determining documents of a defined document class indicating sensitive documents within the IS, and at the data localization server, locating all copies of a certain sensitive document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0021] In a further embodiment, a respective agent is installed on each entity of the plurality of entities, wherein the fingerprints of the documents stored on the respective entity are calculated by the respective agent. The respective agent may calculate the fingerprints of the documents stored on the corresponding entity in spare cycles of said corresponding entity.

[0022] In a further embodiment, the calculated fingerprints are transferred to the data localization server by the agents, wherein the transferred fingerprints are stored in the fingerprint database.

[0023] In a further embodiment, the location descriptors are provided in dependence on comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database, the provided location descriptors being configured to indicate the locations of the copies of the specimen document within the IS.

[0024] In a further embodiment, a definite location descriptor indicating a location of a definite document stored on one entity of the IS is provided if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document.

[0025] In a further embodiment, a definite location descriptor indicating a location of a definite document stored on one entity of the IS is provided, if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document, and if the definite document stored on one entity is equal or similar to the specimen document, wherein similarity of documents is determined by a separate algorithm.

[0026] In a further embodiment, the provided location descriptors are transferred to an ISMS control entity, the ISMS control entity being configured to query the fingerprint database of the data localization server.

[0027] According to an embodiment of a third aspect of the invention, the invention relates to a method for providing Data Leakage Prevention (DLP) of documents within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing the documents. The method has a step of locating the documents stored on the entities as described above with respect to the first aspect of the invention, a step of providing a respective security policy for each defined document class, and a step of applying the respective provided security policy to the located documents associated to the respective document class, for each defined document class.

[0028] The present security policies may define where and how data may be stored. This is in contrast to security policies in conventional DLPs, which define how data may be used.

[0029] In an embodiment, the respective security policy indicates a storage policy indicating which type or types of the entities have the right to store documents of the defined document class, and an action policy indicating at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

[0030] In a further embodiment, the step of applying the respective provided security policy to the located documents associated to the respective document class includes transferring the respective provided security policy to all entities storing at least one document of the respective document class and enforcing the transferred security policy on the at least one document of the respective document class on the respective entity.

[0031] In a further embodiment, the method has the steps of storing a new document on an entity of the plurality of the entities, calculating a fingerprint of the stored new document, determining the document class of the stored new document in dependence on the calculated fingerprint, and applying the respective security policy associated to the determined document class to the stored new document.

[0032] According to an embodiment of a fourth aspect of the invention, the invention relates to a system for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS). The system has a plurality of entities for storing the documents, each entity of the plurality of entities having a respective agent, said respective agent being configured to calculate a respective fingerprint for each document of the documents stored on the entity and to transfer the calculated fingerprints to a data localization server having a fingerprint database for storing the transferred fingerprints, and the data localization server being configured to locate copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0033] According to an embodiment of a fifth aspect of the invention, the invention relates to an arrangement for providing Data Leakage Prevention (DLP) of documents within or as part of an Information Security Management System (ISMS). The arrangement has a system for locating documents according to the above mentioned embodiment of the fourth aspect of the invention, and an ISMS control entity for receiving a respective security policy for each defined document class and for applying the respective provided security policy to the located documents associated to the respective document class.

[0034] The agent may be any calculating means. Moreover, the ISMS control entity may be any controlling means.

[0035] The respective means, in particular the agent and the ISMS control entity, may be implemented in hardware or in software. If said means are implemented in hardware, it may be embodied as a device, e.g. as a computer or as a processor or as a part of a system, e.g. a computer system. If said means are implemented in software it may be embodied as a computer program product, as a function, as a routine, as a program code or as an executable object.

[0036] In the following, exemplary embodiments of the present invention are described with reference to the enclosed figures.

BRIEF DESCRIPTION OF THE FIGURES

[0037] FIG. 1 shows a schematic block diagram illustrating data proliferation in a system;

[0038] FIG. 2 shows a first embodiment of a sequence of method steps for locating documents for providing Data Leakage Prevention within an Information Security Management System;

[0039] FIG. 3 shows a second embodiment of a sequence of method steps for locating documents for providing Data Leakage Prevention within an Information Security Management System;

[0040] FIG. 4 shows an embodiment of a sequence of method steps for providing Data Leakage Prevention of documents within an Information Security Management System, and

[0041] FIGS. 5A and 5B show a schematic block diagram of an embodiment of an arrangement for providing Data Leakage Prevention of documents within an Information Security Management System.

[0042] Similar or functionally similar elements in the figures have been allocated the same reference signs if not otherwise indicated.

DETAILED DESCRIPTION

[0043] FIG. 2 shows a first embodiment of a sequence of method steps for locating documents for providing DLP within an ISMS, the ISMS having a plurality of entities capable of storing documents.

[0044] In step 201, a respective fingerprint for each document of the documents stored on the respective entity is calculated. Step 201 may be performed on each entity of the plurality of entities of the ISMS.

[0045] In step 202, the calculated fingerprints are transferred by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints.

[0046] In step 203, at the data localization server, all copies of a specimen document are located by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0047] FIG. 3 depicts a second embodiment of a sequence of method steps for locating documents for providing DLP within an ISMS.

[0048] In step 301, a respective fingerprint for each document of the documents stored on the respective entity is calculated. Said step 301 may be performed on each entity of the plurality of entities of the ISMS.

[0049] In step 302, the calculated fingerprints are transferred by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints.

[0050] In step 303, documents of at least one defined document class are determined. In particular, said defined document class may indicate sensitive documents within the ISMS.

[0051] In step 304, at a data localization server, all copies of a specimen document of said document class are located by calculating the fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

[0052] In FIG. 4, an embodiment of a sequence of method steps for providing DLP of documents within an ISMS is shown.

[0053] In step 401, the documents stored on the entities are located. For applying step 401, the method of FIG. 2 or the method of FIG. 3 may be used.

[0054] In step 402, a respective security policy for each defined document class is provided.

[0055] Particularly, the respective security policy includes a storage policy indicating which type or types of the entities have the right to store documents of the defined document class, and an action policy indicating at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

[0056] In step 403, for each defined document class, the respective provided security policy is applied to the located documents associated to the respective document class.

[0057] Particularly, the step 403 of applying the respective provided security policy to the located documents associated to the respective document class includes transferring the respective provided security policy to all entities storing at least one document of the respective document class and enforcing the transferred security policy on the at least one document of the respective document class on the respective entity.

[0058] Further, if a new document is stored on an entity of said plurality of entities, a fingerprint of the stored new document may be calculated and the document class of the stored new document may be determined in dependence on the calculated fingerprint. Subsequently, the respective security policy associated to the determined document class may be applied to said stored new document.

[0059] All above-mentioned embodiments of the methods of the present invention may be embodied by respective means to be a respective embodiment of the system or arrangement of the present invention.

[0060] FIGS. 5A and 5B show a schematic block diagram of an embodiment of an arrangement 500 for providing DLP of documents within an ISMS 501. The ISMS 501 has a plurality of entities 502-505 which are capable of storing said documents. For example, there is a server 502, a PC 503, a laptop 504 and storage devices 505. Without loss of generality, the ISMS 501 of FIGS. 5A and 5B has only four entities 502-505.

[0061] Further, said ISMS 501 has a data localization server 506 and an ISMS control entity 507 controlling or interrogating said data localization server 506.

[0062] An example of the functionality of said arrangement 500 is described in the following with reference to the steps 1-8 of FIGS. 5A and 5B. In particular, FIG. 5A shows the steps 1-4 for locating the documents in the ISMS 501, and FIG. 5B shows the steps 5-8 upon localizing all copies of a specimen document "Doc".

[0063] In step 1, a respective agent is installed on each entity 502-505 of the ISMS 501. The respective agent calculates a respective fingerprint of the documents stored in the respective entity 502-505.

[0064] The purpose in step 1 is to crawl the memories, in particular the hard discs, of the entities 502-505 and to calculate said fingerprints for all documents found. A fingerprint may be a short, but characteristic summary of a document, e.g., the ten most frequent words other than utility words like "are", "the" or the like.

[0065] In step 2, the calculated fingerprints are transferred from the entities 502-505 to the data localization server 506. The transferred fingerprints are stored in a fingerprint database 508 of said data localization server 506.

[0066] In particular, as documents change on the entities 502-505, the fingerprints may be updated on the data localization server 506. Alternatively, the agents may send entire documents to the fingerprint database 508, and fingerprints may be calculated centrally by the data localization server 506.

[0067] In step 3, the ISMS control entity 507 queries the fingerprint database 508 of the data localization server 506 by a specimen document Doc. By the inquiry, the ISMS control entity 507 asks the data localization server 506 to locate all copies of the specimen document Doc. To answer this query, the data localization server 506 calculates the fingerprint of the specimen document Doc and searches the fingerprint database 508 with the calculated fingerprint for equal or similar fingerprints.

[0068] In this regard, two options may arise. First, the location of documents with similar or equal fingerprints may be returned directly. Second, it may be verified if, in addition to having similar fingerprints, the full documents are either identical or highly similar, e.g. overlapping in large parts.

[0069] In step 4, the location descriptors 509 are provided in dependence on comparing the calculated fingerprint of the specimen document Doc with the fingerprints stored in the fingerprint database 508. The provided location descriptors 509 may be configured to indicate the locations of the copies of the specimen document Doc within the ISMS 501.

[0070] For example, a definite location descriptor indicating a location of the specimen document Doc stored on one entity 502-505 of the ISMS 501 is provided, if (as indicated above) the fingerprint associated to said specimen document stored in the fingerprint database 508 is equal or similar to the calculated fingerprint of the specimen document Doc.

[0071] Referring now to FIG. 5B, in step 5, a respective security policy is retrieved for each defined document class.

[0072] For example, the respective security policy may include a storage policy and an action policy. The storage policy may indicate which type or types of the entities 502-505 have the right to store documents of the defined document class. The action policy may indicate at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

[0073] For example, if the specimen document Doc has been classified, then a database (not shown) may return the security policy 510 applicable to its document class. Otherwise, a human operator may have to provide the applicable security policy.

[0074] Further, the storage policy may define the machine types that may store documents of the respective document class.

[0075] Furthermore, the action policy may define the actions to be taken in a definite case, for example delete a document, either automated or administrator-assisted, immediately or delayed. Further actions may be to replace by reference to a master copy, encrypt the document, possibly temporarily, or upgrade the machine type to provide suitable controls.

[0076] The machine types may be defined by security officials and may distinguish machines based on their purpose, e.g., PC vs. server, on their administration, e.g. user-administered vs. professionally administered, on their localization, e.g. DMZ, Internet-facing or Intranet, on the controls they implement and their clearance, e.g. processing of public vs. sensitive vs. highly sensitive data or documents.

[0077] In step 6, for all entities or machines 502-505 that were found to store copies of the specimen document Doc, the actions that the security policy imposes are sent to the respective on-machine agents.

[0078] In step 7, the on-machine agents perform the actions imposed by the security policy.

[0079] Further, step 8 may show an alternative. After step 5, the ISMS 501 knows the security policy that applies to documents that have the same fingerprint as document Doc. Thus, this policy may henceforth be applied automatically to all the documents that come in with the same fingerprint as said specimen document Doc.

[0080] What has been described herein is merely illustrative of the application of the principles of the present invention. Other arrangements and systems may be implemented by those skilled in the art without departing from the scope and spirit of this invention.

What is claimed is:

1. A method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing documents, the method comprising:
    on each entity of the plurality of entities, calculating a respective fingerprint for each document of the documents stored on the entity;
    transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints; and
    at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

2. The method of claim 1, further comprising:
    determining documents of at least one defined document class, and
    at the data localization server, locating all copies of a specimen document of said document class by calculating the fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

3. The method of claim 2, further comprising:
    determining documents of a defined document class indicating sensitive documents within the ISMS; and
    at the data localization server, locating all copies of a certain sensitive document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

4. The method of claim 3, wherein a respective agent is installed on each entity of the plurality of entities, wherein the fingerprints of the documents stored on the respective entity are calculated by the respective agent.

5. The method of claim 4, wherein the calculated fingerprints are transferred to the data localization server by the agents, wherein the transferred fingerprints are stored in the fingerprint database.

6. The method of claim 5, wherein location descriptors are provided in dependence on comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database, the provided location descriptors being configured to indicate the locations of the copies of the specimen document within the ISMS.

7. The method of claim 6, wherein a definite location descriptor indicating a location of a definite document stored on one entity of the ISMS is provided if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document.

8. The method of claim 7, wherein a definite location descriptor indicating a location of a definite document stored on one entity of the ISMS is provided, if the fingerprint associated to that definite document stored in the fingerprint database is equal or similar to the calculated fingerprint of the specimen document, and if the definite document stored on one entity is equal or similar to the specimen document, wherein a similarity of documents is determined by a separate algorithm.

9. The method of claim 8, wherein the provided location descriptors are transferred to an ISMS control entity, the ISMS control entity being configured to query the fingerprint database of the data localization server.

10. A method for providing Data Leakage Prevention (DLP) of documents within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing the documents, the method comprising:
    locating the documents stored on the entities according to claim 2;
    providing a respective security policy for each defined document class; and
    for each defined document class, applying the respective provided security policy to the located documents associated to the respective document class.

11. The method of claim 10, wherein the respective security policy includes a storage policy indicating which type or types of the entities have the right to store documents of the defined document class, and an action policy indicating at least one action to take when an entity tries to store a document of the defined document class without having the right to store documents of the defined document class according to the security policy.

12. The method of claim 11, wherein the applying the respective provided security policy to the located documents associated to the respective document class includes transferring the respective provided security policy to all entities storing at least one document of the respective document class and enforcing the transferred security policy on the at least one document of the respective document class on the respective entity.

13. The method of claim 12, further comprising:
    storing a new document on an entity of the plurality of the entities;
    calculating a fingerprint of the stored new document;
    determining the document class of the stored new document in dependence on the calculated fingerprint; and
    applying the respective security policy associated to the determined document class to the stored new document.

14. A system for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS), the system comprising:
    a plurality of entities for storing the documents, each entity of the plurality of entities having a respective agent, said respective agent being configured to calculate a respective fingerprint for each document of the documents stored on the entity and to transfer the calculated fingerprints to a data localization server having a fingerprint database for storing the transferred fingerprints; and
    the data localization server being configured to locate copies of a specimen document (Doc) by calculating a fingerprint of the specimen document (Doc) and comparing the calculated fingerprint of the specimen document (Doc) with the fingerprints stored in the fingerprint database.

15. An arrangement for providing Data Leakage Prevention (DLP) of documents within an Information Security Management System (ISMS), the arrangement comprising:
    a system for locating documents according to claim 14, and
    an ISMS control entity for receiving a respective security policy for each defined document class and for applying the respective provided security policy to the located documents associated to the respective document class.

16. A non-transitory, computer readable storage medium having instructions stored thereon that, when executed by a computer, implement a method for locating documents for providing Data Leakage Prevention (DLP) within an Information Security Management System (ISMS), the ISMS having a plurality of entities capable of storing documents, the method comprising:
    on each entity of the plurality of entities, calculating a respective fingerprint for each document of the documents stored on the entity;
    transferring the calculated fingerprints by the entities to a data localization server having a fingerprint database for storing the transferred fingerprints; and
    at the data localization server, locating copies of a specimen document by calculating a fingerprint of the specimen document and comparing the calculated fingerprint of the specimen document with the fingerprints stored in the fingerprint database.

* * * * *
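The localization side of the arrangement (steps 1-4 of FIGS. 5A and 5B, paragraphs [0063]-[0070]) as an added Python example; this is not the patent's code. It assumes the fingerprint of [0064] (ten most frequent non-utility words, alphabetical tie-break), a Jaccard index of at least 0.6 for "similar" fingerprints, and a word-trigram overlap as the separate full-document algorithm of [0068]; the utility-word list, entity names, paths and document texts are constructed.

```python
"""Steps 1-4 of FIGS. 5A/5B: on-machine agents fingerprint the documents they store,
transfer the fingerprints to the data localization server, and the server locates
copies of a specimen document. Assumptions (not in the patent): the fingerprint is
the ten most frequent non-utility words of [0064] with alphabetical tie-break; two
fingerprints are "similar" at Jaccard >= 0.6; the separate full-document check of
[0068] is a word-trigram overlap with threshold 0.5."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed list of utility words that never enter a fingerprint ([0064]).
UTILITY_WORDS = frozenset(
    "a an and are as at be by for from has in is it of on or that the this to was with".split())
FINGERPRINT_SIZE = 10
FINGERPRINT_THRESHOLD = 0.6     # assumption: Jaccard >= 0.6 counts as "similar"
FULL_DOCUMENT_THRESHOLD = 0.5   # assumption for the second option of [0068]


def _tokens(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> frozenset[str]:
    """Step 1: the short, characteristic summary of one document."""
    counts = Counter(w for w in _tokens(text) if w not in UTILITY_WORDS)
    # Descending frequency, then alphabetical, so equal texts always give equal fingerprints.
    ranked = sorted(counts, key=lambda w: (-counts[w], w))
    return frozenset(ranked[:FINGERPRINT_SIZE])


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def full_document_similarity(a: str, b: str, n: int = 3) -> float:
    """Separate algorithm for the second option of [0068]: overlap of word n-gram shingles."""
    def shingles(text: str) -> frozenset:
        t = _tokens(text)
        return frozenset(tuple(t[i:i + n]) for i in range(len(t) - n + 1))
    return jaccard(shingles(a), shingles(b))


@dataclass(frozen=True)
class LocationDescriptor:
    """Step 4: where a copy lives and how closely its fingerprint matched the specimen."""
    entity: str
    path: str
    similarity: float


class DataLocalizationServer:
    """Data localization server 506 with its fingerprint database 508."""
    def __init__(self) -> None:
        self._db: dict[frozenset[str], list[tuple[str, str]]] = defaultdict(list)

    def ingest(self, entity: str, path: str, fp: frozenset[str]) -> None:
        """Step 2: store one fingerprint transferred by an on-machine agent."""
        self._db[fp].append((entity, path))

    def locate(self, specimen: str, threshold: float = FINGERPRINT_THRESHOLD) -> list[LocationDescriptor]:
        """Step 3: fingerprint the specimen and search the database for equal or similar fingerprints."""
        target, hits = fingerprint(specimen), []
        for fp, places in self._db.items():
            sim = jaccard(target, fp)
            if sim >= threshold:
                hits.extend(LocationDescriptor(e, p, round(sim, 2)) for e, p in places)
        return sorted(hits, key=lambda h: (-h.similarity, h.entity, h.path))


def agent_crawl(entity: str, documents: dict[str, str], server: DataLocalizationServer) -> int:
    """Steps 1 and 2 on one entity: fingerprint every stored document and transfer the results."""
    for path, text in documents.items():
        server.ingest(entity, path, fingerprint(text))
    return len(documents)


def confirm_copies(hits, specimen, fetch, threshold=FULL_DOCUMENT_THRESHOLD):
    """Second option of [0068]: keep only hits whose full text is identical or highly similar.
    fetch(entity, path) returns the stored text; a fingerprint match alone is not proof of a copy."""
    return [h for h in hits if full_document_similarity(fetch(h.entity, h.path), specimen) >= threshold]


# Constructed inventory of the four entities 502-505. SLIDE reuses Doc's vocabulary and gets the
# same fingerprint although it is a different document; MENU shares nothing with it.
DOC = ("Quarterly revenue forecast: revenue grew in every region. The forecast assumes margin "
       "stays flat; margin risk is the main risk for the quarter. Revenue, forecast, margin and "
       "risk are reviewed by the board every quarter.")
DRAFT = ("Draft: revenue forecast for the quarter. Revenue grew in every market. The forecast "
         "assumes margin stays flat; margin risk is the main risk. Revenue, forecast, margin and "
         "risk are reviewed by the board every quarter.")
SLIDE = "Board summary: forecast, margin, revenue and risk every quarter. Assumes flat margin; revenue grew."
MENU = "Cafeteria menu: Monday pasta, Tuesday soup, Wednesday salad, Thursday curry, Friday pizza, coffee and tea."
INVENTORY = {
    "server-502": {"/shares/finance/forecast.txt": DOC},
    "pc-503": {"C:/Users/analyst/Drafts/forecast_v1.txt": DRAFT},
    "laptop-504": {"C:/Users/exec/menu.txt": MENU, "C:/Users/exec/board_slide.txt": SLIDE},
    "storage-505": {"/backup/finance/forecast.txt": DOC},
}


def locate_specimen(specimen: str = DOC) -> tuple[list[LocationDescriptor], list[LocationDescriptor]]:
    """Runs steps 1-4 over the inventory: (fingerprint hits, hits confirmed on the full document)."""
    server = DataLocalizationServer()
    for entity, docs in INVENTORY.items():
        agent_crawl(entity, docs, server)
    hits = server.locate(specimen)
    return hits, confirm_copies(hits, specimen, lambda e, p: INVENTORY[e][p])
```

Calling locate_specimen() returns four fingerprint hits, the board slide among them because it merely reuses Doc's vocabulary, but only three copies confirmed on the full text; the second option of [0068] is what keeps a coarse ten-word fingerprint from pulling an unrelated document under the action policy.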
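The enforcement side (steps 5-8 of FIG. 5B, paragraphs [0071]-[0079]) as an added Python example, not the patent's code. The machine type attributes follow [0076] and the action names [0075]; the concrete machine types, the policy for a constructed "board-confidential" class, the fingerprint and the located copies are all constructed, and classifying a newly stored document by fingerprint equality is an assumption taken from the wording of [0079].

```python
"""Steps 5-8 of FIGS. 5A/5B: the security policy of a document class is retrieved, the
actions it imposes are sent to the agents of the entities holding copies, and a newly
stored document with an already classified fingerprint inherits that class's policy.
Assumptions (not in the patent): machine types carry the four attributes of [0076]; the
storage policy is the set of machine type names allowed to hold the class; one action
of [0075] is imposed on every other copy; step 8 classifies by fingerprint equality."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """Actions of [0075]; NONE means the entity may keep the document."""
    NONE = "none"
    DELETE = "delete"
    REPLACE_BY_REFERENCE = "replace by reference to master copy"
    ENCRYPT = "encrypt"
    UPGRADE_MACHINE_TYPE = "upgrade machine type"


@dataclass(frozen=True)
class MachineType:
    """[0076]: machines distinguished by purpose, administration, localization and clearance."""
    name: str
    purpose: str          # "pc", "server", "storage"
    administration: str   # "user" or "professional"
    localization: str     # "dmz", "internet-facing", "intranet"
    clearance: str        # "public", "sensitive", "highly-sensitive"


@dataclass(frozen=True)
class SecurityPolicy:
    """[0072]: storage policy (allowed machine types) and action policy (action on violation)."""
    document_class: str
    allowed_machine_types: frozenset[str]
    violation_action: Action
    administrator_assisted: bool = False   # [0075]: automated vs administrator-assisted


@dataclass(frozen=True)
class LocatedCopy:
    entity: str
    path: str
    machine_type: MachineType


def decide_action(policy: SecurityPolicy, copy: LocatedCopy) -> Action:
    """Storage policy check: an allowed machine type keeps the copy, any other gets the action policy's action."""
    if copy.machine_type.name in policy.allowed_machine_types:
        return Action.NONE
    return policy.violation_action


def apply_policy(policy: SecurityPolicy, copies: list[LocatedCopy]) -> dict[str, list[tuple[str, Action, bool]]]:
    """Steps 6 and 7: per entity, (path, action, administrator-assisted) as sent to its on-machine agent."""
    per_entity: dict[str, list[tuple[str, Action, bool]]] = {}
    for c in copies:
        action = decide_action(policy, c)
        if action is not Action.NONE:
            per_entity.setdefault(c.entity, []).append((c.path, action, policy.administrator_assisted))
    return per_entity


class IsmsControlEntity:
    """ISMS control entity 507: the policy per document class and the fingerprints known to be classified."""
    def __init__(self) -> None:
        self._policies: dict[str, SecurityPolicy] = {}
        self._classified: dict[frozenset[str], str] = {}

    def register(self, policy: SecurityPolicy, class_fingerprints: list[frozenset[str]]) -> None:
        """Step 5: retrieve the policy of a class and remember which fingerprints belong to it."""
        self._policies[policy.document_class] = policy
        for fp in class_fingerprints:
            self._classified[fp] = policy.document_class

    def on_new_document(self, copy: LocatedCopy, fp: frozenset[str]) -> tuple[str | None, Action]:
        """Step 8: a new document whose fingerprint is already classified gets that class's policy at once.
        An unknown fingerprint gets no automatic action: per [0073] an operator has to supply the policy."""
        document_class = self._classified.get(fp)
        if document_class is None:
            return None, Action.NONE
        return document_class, decide_action(self._policies[document_class], copy)


# Constructed machine types, policy, fingerprint and located copies (entities 502-505 of FIG. 5A).
FILE_SERVER = MachineType("file-server", "server", "professional", "intranet", "highly-sensitive")
USER_PC = MachineType("user-pc", "pc", "user", "intranet", "public")
EXEC_LAPTOP = MachineType("exec-laptop", "pc", "user", "internet-facing", "sensitive")
NAS_BACKUP = MachineType("nas-backup", "storage", "professional", "intranet", "sensitive")
BOARD_POLICY = SecurityPolicy("board-confidential", frozenset({"file-server"}),
                              Action.DELETE, administrator_assisted=True)
BOARD_FP = frozenset("forecast margin revenue risk every quarter assumes board flat grew".split())
LOCATED = [
    LocatedCopy("server-502", "/shares/finance/forecast.txt", FILE_SERVER),
    LocatedCopy("pc-503", "C:/Users/analyst/Drafts/forecast_v1.txt", USER_PC),
    LocatedCopy("storage-505", "/backup/finance/forecast.txt", NAS_BACKUP),
]


def enforce_example() -> tuple[dict, tuple[str | None, Action]]:
    """Steps 5-8 for the board-confidential class: (actions per entity, step-8 decision for a new copy)."""
    control = IsmsControlEntity()
    control.register(BOARD_POLICY, [BOARD_FP])
    imposed = apply_policy(BOARD_POLICY, LOCATED)
    new_copy = LocatedCopy("laptop-504", "C:/Users/exec/forecast_copy.txt", EXEC_LAPTOP)
    return imposed, control.on_new_document(new_copy, BOARD_FP)
```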
