Fortra: MDMO & PDPL Compliance: Data Classification & Protection

Fortra
06/18/2026

Transcript


We have a very interesting topic here to talk about. We are going to discuss the regulations and how we comply with them. Yeah, our presenters here for today are going to be me, Ahmed Nabil, Solution Engineering Fortra. I have with me Mohamed Tariq, our Account Executive, and we have Nour, the Principal Solution Engineer. And our agenda for today, we're going to talk about what NDMO and PDPL expect from us. So us as security leaders, are we compliant or not? What should we do? How to approach the data classification and the protection and the lifecycle journey of the data itself, and how Fortra can help us and how Fortra can support us in implementing this. And of course, at the end, we're going to show you some real life examples alongside. Of course, if you have any questions or anything in mind, feel free to drop them in the Q&A or the questions tab in the webinar. We're going to get them by the end of the webinar. Okay, so before starting or before talking about anything, let's just discuss what is PDPL and what is NDMO? When and by whom have they been issued? So PDPL is the Personal Data Protection Law. It was issued in September 2021. And however, it was implemented in around 2023, the same month. The issuer, of course, was SDAIA, the Saudi Authority for Data and Artificial Intelligence. Same for NDMO. NDMO was established in 2019 and was issued around 2022. Also, it was by an issuer, National Data Management Authority. Are we applied to these regulations? Who should comply with this? And of course, mainly most of us. This is the first question that pops in mind. Should we apply to these regulations or not? And of course, mainly yes, because for PDPL, any organization, every organization that is processing personal data for individuals in Saudi Arabia are compliant and should apply to PDPL. NDMO is the same for government entities and semi-government entities. Any government entity handling government or public sector data should apply to the NDMO.
So this is mostly most of the organizations that we have here. So most of us either have or deal with personal data and others deal with the government or public sector data. So yes, mainly most of us should apply to NDMO and PDPL. Who is accountable? So compliance is not now something for, you know, legal department only. Security teams are also very involved in compliance. Now the auditor or the regulator must come and collect evidence from the security team. So he comes open, show me the classification. How can I see the header? How do you protect your data? Try sending some email to an external domain that contains personal data. How is it blocked? Do you have evidence regarding this? Can you monitor the data? All of this evidence and all of these use cases, the regulators come and try to get it from us. And we must be able, we must be ready and we must be able to prove what we have and what we can protect. And the penalties are huge regarding this. So PDPL violations can lead to multi-million riyal as penalty or as fine, can lead to criminal liabilities as well. But again, the biggest risk is not the fine or not the penalties itself. You need to be responsible, you need to have control on all of the data that you have. And this is what we're going to be discussing today in the webinar. How can we control? How can we protect and how Fortra can help us control all of this? So some of the principles, some of the shared principles that NDMO and PDPL have is the data identification, data classification. Both of them talk clearly about the data classification identification, the risk, the data minimization, how do we minimize the data? How do we retain our data? So for how long should we keep, let's say PII information, national ID numbers? How do we detect the incidents? What happens when the incidents happen? Do we notify the users or not? Do we have any, some kind of backup and notification plan? And all of this will be discussed with AHAB.
So I will leave the floor to AHAB that's going to discuss some key principles and controls regarding the NDMO and PDPL. AHAB, the floor is yours. Thank you so much, Ahmed. Thank you everyone for attending the webinar. And yeah, so let me share here some key points regarding the NDMO and PDPL. And let's give me a second. Yeah, here. So in the NDMO and PDPL, there is and summarize what exactly the mandates which is required. So when we talk about NDMO domain number three, domain number 13, sorry, we see that already companies or organizations are mandated to identify, inventory and classify data based on potential. And based on a potential impact of unauthorized disclosure or modification or loss. So this is, yeah, in domain 13. Go to the domain 14, we will go and see also in the NDMO and PDPL, also organizations are mandated to protect the personal data, which is including national IDs, addresses, financial records, and that's that. Of course, we are talking today, maybe most of the customers today or the partners came from Saudi Arabia. So this is also here when we talk about the national IDs, talking about the national IDs of Saudi Arabia and the PII information. And this is exactly what we will see today, how can we cover it. Then in the article number 25, that's you need to restrict the controls of transferring the personal information outside the kingdom. And going to the article number 4 and 20 are subject or the companies are subject to have the right access and notify also the authorities. Lastly, in the domain 15 of NDMO and PDPL, article number 19, with organizations defined or need to define detailed cybersecurity controls and in the NDMO frameworks integrated with the required for data governance obligations. Okay, so let's here go to the next slide and let's go here, how our organization or Fortra can help you on this. Okay, so going beyond this, so here the organization, as we spoke Ahmed, can you control the screen for the next slide? Yeah, thank you.
So the organization must, as we mentioned, it must identify and classify the data based on the potential impact of unauthorized disclosure and modification or data loss. So Fortra helps you for identifying and helps you on this within a couple of products. One of them, we will cover these two products today, but one of them, it's the Fortra Data Classification Suite. And as you can see here in these two screenshots from the system itself, the DCS can help you to apply the classification labels, so it's public, it's confidential, it's internal, it's restricted, it's top secret, and so on. However, it's not only behind this. So customers also can allow or can put some information based on this. So for an example, if I have or I have one document, right, I cannot tell the classification the right information because just only it's public or just only confidential. I need someone to guide the user and help him to identify what type of confidential documents you are talking about. So here it came also in the data classification to help the customer or guide him. So we can ask the customer a couple of questions pre-configured also in our schema to ask him, for an example, is this data part of our organization? So maybe he said yes or no. Maybe we can ask, is this data already approved to use to the public use? This is another question, yes or no, right? Is this data will impact our organization, for an example, right, for any data disclosure, yes or no? What's exactly the partners you are sending the data? Did you, or the data will be sent, if I send an email, for an example, so what the partners, and I'm typing data as internal, so what the partners you are sending the data? So I have a list of partners or resellers, I can ask them about this, right, so he can tell me I have a partner X partner Y partner Z, for an example. So this type of questions on this type of helping, guiding, it will guide the user and guide the employee to choose the right classification.
Of course, all of these data or all of these questions, it will be also part of the metadata. So now, when I apply DLP policy, I will apply for data which came from confidential, as well as a partner called X, and as well as the information, it's already, for this information, it's having potential, something like this. So all of these data, already we have it, it's a part of persistent metadata, and all of this, it will be a part of your DLP solution. So here, the problem, that's when you have your DLP, you will not just say, that's already, I will block every confidential file. Here, we help you to identify this. The good, in the product itself, it can help you to identify or classify the files, which is all the office, which is came, for an example, Word, Excel, PowerPoint, right, and Outlook, all of this, it's came to the picture of the, thank you so much Naveed. So it's came here to help you for the office. About, for an example, if I have BVF5, if I have a GPG, if I have a company, all of this, we can also classify these documents by using right-click, and you can also classify these documents, and you can see the persistent metadata. Of course, we are supporting Arabic language, as you see here, so if you can, or getting information in Arabic, so all of this, it can be identifiable, it can be discovered, it can be also classified. So this is, it's also very good, and we will help you on this. Comply with the regulations, right, so all of the solutions, or all the DCS components, it's having the pre-built policies for GDPR, for HIPAA, for ITAR, and all of this stuff, it's came by default in the solution. And you can see here in the second picture, which is down, the good in the configuration, or the technology of Fortra, it can, we can use the concept of drag-and-drop.
So here, you don't need to build, every time you need to build rules, rules, rules, no, just you build it once, and you just drag-and-drop, and put it here, and put it here, so, and changing the view to the customers, and changing the view, also, it's very important. And of course, if you have multiple branches, or you have, for an example, organizations, like for an example, we have an organization in UAE, or I have an organization in, for an example, in Europe, so all of these organizations, maybe they have different policies, and different view of their, of your configuration file, for all your organization, you can have a multiple configuration files, these configurations, it cannot be sent to the different Active Directory groups, or team members, for an example, different organizations, or different branches, that's already you have, so we can also support you on this. So, let's go for next here. So, you can also see, that's already in the data classification, right, and also for the discovery, we can help you to discover all of these data, which is already persistent for many, many years, maybe you have a SharePoint, which is having, for an example, PNG files, all of this, it can be discovered through our solution, the Fortra DCS Data Discovery Trust, it can help you to discover all of these data, even it's in Dropbox, even in Google Drive, it's a SharePoint, it's shared location, all of this, it can be also discovered, as well as, we can also help you to identify and automatically classify all of these data, and we will put the persistent metadata. So we will help you to identify all of these type of data, which is also resident in your organization and already from many years, which is you need also to classify. So if you are taking care or caring about the new files, we will take care about all the new files.
And we will also help you to protect these files in case someone need to do any printing, for an example, or sending an email, and he insert, for an example, unclassified document, or he insert, for an example, an old document from your organization, we can also help you on this and tell him, for an example, here, we cannot send this email because this data, or we have found an attachment, like a PDF, for an example, this PDF, it's not classified. So take care about this. And there is also here, as you can see here, in the PDPL and NDMO, or the article number 19, we can detect the national IDs, addresses, and financial records, and health status. So here, we can help you, and you can see in the screenshots, that's already, we can identify this type of data. As I mentioned, if it's an Arabic language, we can detect this data. And if it's, for an example, in English, we can also detect this type of data, and you can see here, for an example, this is a Saudi ID number, this is a passport number, this is a Bupa insurance, this is a GOSI number, all of this, also, it came by default, we built on our solution, you can use this type of regular expressions, and you can use this. However, it's not about also the regular expressions only. We have dedicated module, it's called DDE. So DDE, it's Data Detection Engine, it came also with the Fortra DCS, to help you to identify the documents, not just only in part of regular expressions, or advanced regular expressions. So we will go and scan the full entire document, and we will score this document for you. So for an example, I am writing an email, and telling, for an example, this came from an example from the CEO, I'm just giving you an example, how the DDE will identify this. So for an example, assume one day, that's already, we receive an email from our CEO, he mentions, that's already, guys, we are in the final negotiation to acquire a company called Boldon James, and we are in the near to track to close the deal.
So this type of emails, 100%, you will not able to classify it in very easy way, because there is no certain keywords, there is no certain PII information written on this document. However, the email, it came from our CEO, and there is an announcement, and this announcement, it's internal. But however, if we disclose this type of information one day to, or has been disclosed to the partners, or disclosed to competitors, for an example, maybe we will lose the deal. So this is a concept of the DDE, which will help you to identify such a type of complex situations, and complex emails, and complex documents, and identify and give it score value, and based on the score, it can tell this document, we see it's confidential documents, this document, it's a top secret document, or this is a public document. So it's not based only on the, as I mentioned, it's not based on regular expressions, because regular expressions, sometimes it's failed, and sometimes it's working, but for the complex scenarios, it will not work, okay? So going to the next slide here, talking here about also how I will control the transferring of personal data. So of course, the data classification will help you on this, so if I need to send an email, for an example, from my Saudi account, right? And I put the number of my Saudi account, and this is one of the confidential information, for an example, right? I can not just only block the email, I can do option, for an example, like redact. So redact, you can see here in the black color, so this has been redacted, right? And you can see, right, there is no one can see this information, right? So if I need to send an information, which is having very classified information from your internal documents, we have the option to redact this. And based on this, we can also give the solution ability to control our domains as well. So maybe I can send this, or my Saudi account, to some distributors, sorry, or some partners, which is already I have, right?
So for an example, if I need to send this to our BRO, for an example, he need to renew my account, for an example, so this is one of the domains, or we can allow this. But to send this to, for an example, Gmail account or unauthorized domains, we can see here in the picture that's already the following recipients cannot receive such type of email. And you can see here, this is bot at gmail.com, this is not our domain. So you can put the domains as a blacklist, and you can also put your whitelist domains in the allowed confidential documents, right? And this is very good here, so if you need to control your data in proper way, this, it can be achievable through our solution. So we can help you in the PDPL article number 29 to do this. However, here in the next slide, we will speak about not just only the classification and controlling, you need visibility about what exactly happen in your endpoints, right? And when we open the topic about the visibility, right, we are talking about here our DLP solution, Digital Guardian. So the DLP solution, it not just only came to you to help with only protecting your organization against the data leakage. No, it will help you to give you full visualizations, what's happened in the endpoints, right? So you can see here the number of applications which has been used, right? You can see here svchost and all of these applications, you can see how many launches this application has been taken. So I browse here for an example in number one and number four, you can see another applications here and the number of usages of this application. However, we can see here that's already also as a part of this in another view, telling this application has been started, this application is open, this guy is trying to do printing for an example, right? So we have give you full visibility about what exactly happened to your endpoint. And to be honest, this is one of the greatest use cases you will see.
Because if I am, for an example, infected of malware and this malware tried to expose some confidential document, right? So here, when you talk about the DLP solution, right? So it just, it will only block. Our solution here will give you full visibility what's going on. Maybe there is a malware, there is an unauthorized application, it's happened, it's opened to the machine. So we see a use case or advanced use cases came to the customer, say, there is an, for an example, a new channel has been opened, for an example. We see that's already customers open, for an example, ChatGPT, for an example. We can block this. How you identify when there is an AI tool or there is an application, it's called ChatGPT, it's already installed, and the user tried to disclose your confidential documents using this application. So it's not about ChatGPT, it's about applications which you are not aware of. So maybe you will find application called XYZ, it's open in your environment, right? And the users try to use this data or this application, it's totally unauthorized. So by getting the full visibility, we will help you to identify why I'm blocking this type of data, right? So this is, it's very good. As we're going to the next slide, we will see also, yeah, some here information about when the users try to open or try to give you, or try to do something on the machine. For an example, I'm doing file rename. I'm doing file open. I'm doing file copy. I'm doing file paste, as you see here. All of these transactions, which has happened by the user itself, it's also counted, right? And you can see here in the downside, right, number of activities which is done by user called client one, and you can see the operating system, and you can see here also the operating system, another operating system user built in. So just one day, that's already you find another user, which is, for an example, XYZ user.
He is doing a lot of activities, thousands of activities, which has happened per minute or per day, right? So maybe this unauthorized user tried to disclose this information, right? And you can see every activity from the application or from the users, what type of things they are doing in the machine. This type of visibility can trigger you one day, you know, we need to stop. We need to here investigate. There is something here unauthorized do. There is something here, it's not, sorry. So there is something here we need to take care about, right, so this is very important, right? The visibility in the DLP solution will help you to identify, as I am infected, yes or no? What exactly the activities happen on the machine? So is this machine or this user trying to do, think it's legal or not legal? I will give you another example. Assuming that's any user, before he is leaving or resigning, right, he do couple of stuff. He trying to copy as much as he can from his internal PC or laptop and try to copy to the USB or try to transfer it or try to print it or try to do this, right? So you will get full information, what exactly is this user trying to do inside your organization, right? And you will see all of the activities that's already the files that he tried to open one day. Maybe he is taking pictures or taking something like this. So based on this, you can see here, this file has been opened, this file has been opened, this file has been opened. So meaning that he's trying to open a lot of files. Maybe he will try, as I mentioned, he's trying to do something illegal by using his mobile. For an example, taking a picture or trying to do whatever, right? So you will take care or we will give you full information about. The next slide, please. So back again to the NDMO and PDPL, we can see here in the article number four and article number 20, the data subjects have the right access and notify the authorities for any data breaches.
So of course, our data classification built-in, we can, you can identify what type of classifications which has been added to the system and give you full information or reporting, right? As well as, as you see in the Digital Guardian will help you also to get the full visibility. And based on this, you can open a case which is also built-in in the Digital Guardian, which is having all the incidents that's already you collected right from the systems. And based on that case number, you can send it to the authorities or you can send it to the managers or you can send it to another one, tell them that's already, this is exactly the artifacts which is already happened by this user, for example, last couple of days ago. So when he sent his resignation, he tried to classify some documents or he tried to disclose some information and we have everything happened on the machine and we put all of these artifacts and incident to the case number, X, Y, Z. So you can print out the case and you can print out as a PDF and you can send it to the authorities or you can send it to the IT or you can send it to another one for full investigation and getting this as a penalty or getting this as a guilty or trigger this as a guilty user trying to do this. In the next slide, please. So here, before I will leave, I will give you also, it's the same in the article number 40 and 20, same, right, it's the same information we need to notify the authorities. So you can see here, I'm trying here to paste the Emirates ID, this is one of the artifacts for an example. I'm trying to upload it in the web.whatsapp, right, and also I need or try to send it over the mail.google, which is my Gmail account, right? So all of these information, as I mentioned, it will help you one day if you have an incident, right, it will tell you exactly what's happened on the machine and you can based on this notify the authorities and tell us this guy is guilty and so on.
Now I will leave the mic to Mohammed Tariq, our regional sales manager. He will guide us to the sales and getting more information about some use cases about in Saudi Arabia and how the customers are feeling together the data classification and DLP solution as long as the NDMO and PDPL. Thank you so much. Thank you. Next slide please. So how are you everyone? It's nice to have you here with us so I can see lots of familiar names to me. Let me introduce myself in the beginning. I'm Mohammed Tariq, I'm regional sales manager in Fortra. I have been hired since two years right now in Fortra and I was handling the data protection portfolio in the beginning then become to the defensive part along with my colleagues. So I will leave this slide for around 30 seconds one minute and I want to make sure that everyone have go through those questions and please list down for us any more questions in your mind related to the data protection journey or data protection projects. Feel free to use the question button and we are tracking all the questions and we will get the right answers at the end of the slides. So I will leave it right now for like 30 seconds one minute maximum and we can continue. Last two sessions from Mohammed and Nihab was a little bit embedded with information, numbers, compliance, regulation but I want to make sure that the final part of this webinar is a little bit light. We will focus on the business parts, we will discuss the projects, challenges, what's the 10 more seconds to go. So seems everything's fine so let me start. Again thank you everyone. Why we are not here to present something in particular in from Fortra but we are here to give some recommendation, best practice, how we can align with the regional regulations and so on. So as a part of this list of questions I have listed down during my experience in Fortra we have met around 300 plus customers across the region, most of them in Saudi Arabia.
So frequent questions along with the projects, along with the engagement from sales, pre-sales activities and so on. We have a bunch more of questions but this is the most critical ones we are always being asked for. So what Fortra can offer for you in the data protection journey and excuse me I will repeat the journey many times because this is the actual case we are facing right now. Fortra can offer for you five pillars of data protection. First is the data classification, second is the DLP, DRM, CASB and DSPM. We are always recommend to our customers start with the data classification journey because the data classification is the cornerstone of the, you can say successful project in the data protection and why we are always strengthening on data classification because data classification will give you more visibility, more control, more labeling on the document and the emails scattered everywhere because you guys are experts in the domain, you know what is the measurement of the data leakage, what's the percentage of data leakage from internal user accidentally and intentionally. So we want here to make sure the data classification is implemented on place on the right time. But I am here right now exposing a different part which is the data classification services or data gathering services. It's something not offered from Fortra, however we always encouraging our customers especially the enterprise sector, medium sector and above to start their journey in the data classification, not with the tool, with the service itself. Why the service is so much needed because the information is scattered. All you guys is in different departments but trust me having the service will give you a better visibility about what could be achieved and when. Luckily there is so many regulation right now so that the management office become as a department, independent department and correlation with other department from IT and cybersecurity.
The next part which is the DLP, once you have achieved and started the journey with the service data gathering, building your data flow and implementing the data classification in a proper milestone, then it comes the later journey like DLP, DRM and of course the new trendy topics like CASB and DSP. This is a list of most common compliances required from different sectors like starting from the well-known ones like PC, PCI, GDPR, HIPAA, ITAR and so on for different sector coverage. Also we have here in the region PIR, NCA compliance, SAMA compliance and NDMO which we already covered most of it in our previous slides with my colleagues. I will give you a heads up about data classification, what we can do, what we can offer. So in a nutshell, we came from a long experience journey from both amazing technologists Boldon James and Titus. Luckily Fortra have acquired both of them and as you know Boldon James is a little bit familiar here in the region however Titus was more familiar in the America's part. Luckily Fortra have acquired both of them and have migrated both of them into the new technology we are offered right now in the region which is we call it DCS, Data Classification Suite. So Fortra Data Classification Suite merge both technologies, the best part of Boldon James which is the engine, the detection engine, the best part of the Titus which is usability of use, the user interface, the modification wide labeling, very responsive admin console which you saw some of the slides of our configuration tab and of course the AI and machine learning capabilities. As you can see here it is mostly common used in most of the sector finance, sector health care, manufacturing oil and gas defense and government sector.
When I have joined Fortra I was surprised that we have already on hand around 200 customers, most of them was using Boldon James, very few was using Titus and due to the migration part we supported our customer to shift to the new technology and we are offering a free swap for the license part. Next slide please, yes. So why data classification is that important? Because data classification is connecting the dots between other technology like DLP, CASB, Identity Access Management, of course DRM, Policy Management, Behavior Analytics and so many more of controls you need to but you always may have a missing part which is the data classification. Okay, one step back, what we are covering in data classification? So data classification we are covering two main parts, data in motion which is regularly used by our end users and second most critical part which is the data at rest which is data scattered across your shared folders, FTP servers, across local network or even in your cloud. So how data classification works? As I told you before, we are focusing data creation, data traced across different platforms so our DCS data classification solution support both, well-known platforms of course Microsoft, Windows and Apple Mac OS, of course files of over the email, body of the email and so on. What is our main goal here? Just to make sure that you have a full understanding about data classification role. Data classification role is to identify the keywords, the regex, the content in the emails and the files and of course apply some labels. So there is two kinds of labels which is more, two of them is really critical and of course needed. The first one which we call the visual marks which is the header, footer, watermark that is visible for the end user to make him sense and feel the sensitivity of the document and what could be the appropriate policy applied on the DB part. Second one which is the most critical one, the metadata tags.
So we are applying metadata tags across the emails of course and across the document and across the emails. So at the end of the journey what is you are expecting? You are expecting organized structured data, unstructured data a little bit with some labels and of course aligned with the compliance. Next slide please. Yes, this is the final output I'm looking for which comes the Fortra unique offering in the data classification. So first you need to classify the content and categorize the content. Regularly confidential information like restricted, confidential, secret, top secret is not shareable documents. However, in so many use cases and this is the missing part that always cyber security team do not collaborate with the business outcome. This is why I will come in my next slide what could be the best practice to make sure you are implementing good policies and the configuration across your controls in the data protection to match the organization department workflow. So the final output we are looking for, first one classification, second one categorization. Yes, as previously was mentioned, I am working in a legal department. So I'm contacting other parties, other third parties. I'm working in finance department. I'm working on a contracting team. So as a part of their daily job is to send confidential information out to outside organization, but we will make it organized. So we need to classify the data in the right classification tag, then categorize it in the right categorization. Then your journey later on on the DLP, in the DRM, CASB or even DSPM will be way easier if you put your fingers down on the right classification with the right categorization. This is the final outcome you are looking for in your data classification journey. Second part, Fortra Digital Guardian. I'm not here to talk about the technology itself, but we have lots and lots of content in our websites, our vision, our roadmap.
What is data DLP or data loss prevention from Fortra is covering. So there is two segments of DLP vendors worldwide. The integrated DLP solution, which is only four names, Fortra is one of them, and the rest is under a category of code light DLP. In Fortra, we are covering three parts, endpoint part, network, and of course, web and email part. This is the main, you can say modules that it's required as a part of the compliance despite the sector we are working in. Once you have the data classified and categorized well, the journey of applying the policy over the endpoint, network, web and email will be way easier. be way easier. So this is the most common lists of policies need to be Last slide, please. So next slide. Yes. applied across different modules starting from endpoint and the network DLB and of course web and email. The regular one for the document attachment, CD, local drives, cut and paste, copy, send, printing, deleting, recycling, all of these controls is there but the main question is when I am ready to apply all of these policies? When I'm ready to make sure that all of our end users understand this one. Back to the point I have highlighted before, data protection is a journey. This journey imagines like a big bus. All of us is there from the vendor, the consultant, the analyst team, cybersecurity team, infrastructure team and I will mention all of the stakeholders in my next slides. However, in this slide I need to highlight something. We can start building lots of things on the data classification and DLB. However, due to the maturity level of the end user, we are not ready to implement everything from the first day. So it is better and it's always recommended to our customer to elevate your journey step-by-step with the end user. After you achieve it, after you have your hands on the perfect policy needed, in this milestone you start activating some policies, some rules on the DLB part. 
Starting from logging the activity in a stealthy mode, alerting the end user, prompt it that we will identify, oh I am right now doing something wrong, I need to correct in my next part. Then justification, encryption, quarantine and of course the most aggressive one which is block mode. After reaching the maturity level, we know we are reaching the maturity level. After checking the reports which we saw, you saw previously a few of them and of course you need to apply more and more aggressive ones, you know, and understand your end user is ready for the next part. Why Fortra data protection is different? Because right now our technology is flexible for implementation. We have a huge team members. As a part of Fortra commitment to the region, as I told you before, I have joined two years back previously. One of our beloved colleagues Yousef was handling the team here in the region. We was only two of us. But right now during at the end of 25 and beginning of 26, Fortra have hired more than 20 people on ground and we have established good infrastructure around our beloved customer from distributor, qualified ones and partners that can offer and extend the experience and Fortra experience to our customers. Next slide, please. So how can I start the data protection journey? I can see right now a bunch of questions on the question part. Please feel free to write down the questions and we are just a few slides ahead to the end of the webinar and we are ready to answer lots of questions if you let us know. So who is the main stakeholders? From where I can start my journey? Of course, we are here directing the cyber security team, data management office team. But who will be with us in the journey? As I told you in my previous example, imagine we are on bus, this bus, we are there, you are there, cyber security team. 
We need infrastructure team to certain, in a certain level during the prerequisite readiness testing of the product, testing the servers, testing the agent, and lots of infrastructure work needed in a certain level or certain time of the project itself. Then later on the network team to let us integrate with other network, like a proxy, like exchange servers, and so on. Of course, I am always asking about the data management office, if it's there, especially in the government and semi-government, that would be much appreciated to inject them in the project and make them sure that they have full understanding about when they are needed and how we can use them and how we can rely on their information. And of course, the understanding of how we can configure it. Yes, lots and lots of use cases. I can see some familiar names in this webinar itself, and I'm still remembering the discussion we had with them about the data management office role in this project. And of course, the end user stakeholders. It is a part of the starting and the closure of the project itself. The project in data protection could be painful if we didn't take care of all these five pillars, stakeholders, or aspects, because the end user could have a bad project or a failed project or even a painful project. So we need always the end user stakeholders blessing in each milestone and make sure they understand the civility of their activity across the data leakage across the internet or even deep in the core. Next slide, please. 
So this is a very simple project milestones from where to start the initial phase, which we call it phase one on implementation phase, of course, identify the stakeholders, despite your sector, your architect or your hierarchy inside the organization, you might be smaller organization don't have the full stack from infrastructure team, network team, data management office, you might be smaller, but you need to identify who could be the stakeholders from the beginning of the project. Second data gathering and sharing because you need to share some document and some awareness session to through your departments and your end user about we are heading towards applying regulation related to data privacy, data management, and we need to make sure those guys is aware about the next step, what could be the solution implemented. Second component, we are always highlighting starting with the data classification, then data at rest, then later on DLP. Why is this order? Because data classification core stone to label the data, make sure that data at rest is labeled well. And of course, the DLP will handle the traffic who is eligible to send what outside. Of course, applying the best practice regulation, which will, I am always saying kicking the start of the project in order to applying the regular one like PCI, PII information to make sure that you are ready to be audited from the regulation. And of course, the roll out the agent across any specific department start with the headquarter. If you have remote branches or even remote department, it's better to schedule your roll out agent and make sure those end users or departments ready for the next step. Last slide, please. 
So what is the expectation when I can start enforcing and start the maintenance mode, the maintenance mode and the enforcement mode usually comes with after the stealth mode, which is the initial part we have discussed in the last slide, then we need to check the technical reports from the solution, either data classification or DLP solution, map it with the data management office, investigation of gathering information with other departments, increasing the awareness based as the reports that shown on the data classification, misclassification, wrong classification, downgrade of the classification, make a meetings with the department across department or different location or branches. And of course, it will be a little bit repetitive action each three months until you reach the maturity level you are working for. Last slide. So it was a pleasure to have you all of you here this journey, as I told you. So please let us know when we can support you at any part of this journey. We are not here to sell for the product. We are here to guide and educate the customer for needed questions. So right now, we have a couple of questions and I will leave the question answer to my colleague, Ahmad. Thank you, everyone. Thank you, Tarek. Okay, so we have a couple of minutes for questions. So please, anyone has any question or anything, feel free to drop them in the Q&A section. We have the first question here. Applying acceptable usage policies internally within the corporate, which is approved by the top management, aired and signed by the employees, would this be sufficient, or at least partially accepted towards PDPL? Well, AUPs, yes, it will be accepted by the PDPL as long as they are aligned with the PDPL rules. So let's see if I have an article in the PDPL saying that you shouldn't send sensitive information to private emails. However, this was signed and accepted by your AUPs, then this will not be applied. 
So you have to first see what PDPL says, and then do the AUPs that you have to align the two things together. When can I start publishing the policies and agents? This is a very good question, because a lot of users don't know how or when to start applying this. So anything handled by data is not easy to handle, because the end users are involved, everyone's involved regarding this. So to apply this, you should first do all the policies. That's why Tarek and everyone is saying you have to have the data classification at first. You need before applying policies, before protecting policies, you need to identify your data, know where your data is. So after having this data classification, data identification process done, then you can implement the use cases on the DLP and the Startup Set. You can apply it first of all in a stealth mode, just alerting, just to know what kind of behavior your users are having. So let's say I have the agent running without doing any controls. However, I see full visibility on the data, then I will do some alerts, then I will do some prompts, some user justification, then I will apply the policies to be blocked. So after having this first milestone, let's say of user alerting, user knowing that they are doing something wrong, then you know exactly when you should apply the policies after this. Can I add something also, Ahmad? So in an easy answer for your question, when I'm ready to apply it, once you are confident enough and have the blessing from all the stakeholders, starting from cybersecurity team, infrastructure team, data management office, and the stakeholders on your testing machines, because do not go in a rush and apply all the policies, push the agent unless you have the blessing from all of them, making sure the agent functionality works well. This is the expectation and this matches the data management office and the end user, you can say, end user expectations. So we have another question. 
What is the percentage of Fortra covering on the requirements of the NDMO regulations by NC in Saudi Arabia? Okay, so we get this a lot. So we can cover NDMO based on, as Tarek said, we have massive previous experience in Saudi Arabia. We've done a lot of projects regarding NDMO, regarding data classification and DLP. So we have our regional predefined configuration that we can apply. This will get us aligned with the regulation. However, you may find some policies that you need to fine tune for yourself. So let's say you have your own invoice number, your own invoice number contains specific characters different than anyone else. NDMO says that invoice numbers shouldn't be applied, shouldn't be sent. However, we don't know exactly the invoice number. That's why we have to fine tune it based on your outcome. So we have a last question for the discovery part. When it comes to the discovery and how the scanner is aware of the context around the regex. So it is a very nice question, Mohamed. So because, again, we are not magicians. Every technology has its own limitation and just we need to make sure and be aware about the perfect use case so we can align with the perfect technology to fulfill this one. So in a very quick way, data classification, as I mentioned, support two levels or two modules starting from data in motion and data at rest. However, the data at rest piece is focusing on unstructured data documents and has the capability even to track the document that inside an archived file and zip the file. However, there is lots of technology limitation that will not make the data classification be able to scan everything. If it's like an images, encrypted files, quarantine files or any file that is not accessible. So the data classification will not be sufficient here. We will need to activate the data discovery model over the DLP network, DLP part, so again, we are always asking our customer, what is the use cases you are looking for? 
And let us guide you what could be the best practice based on the experience based off the technology limitation and, or even a strength point. And to add Mohammed here from the technical perspective regarding this specific questions, if I want to differentiate between date and date of birth, how am I going to do this? We have something called data fingerprinting or structured data fingerprinting or semi-structured data fingerprinting. So even if you have a database that contain all of the data, date of births of your employees, then we can scan this database and detect if these are sensitive information or not. Only this date of births are going to be prevented or blocked by the DLP. However, all of the other dates will not be, will not be prevented by this. I know we're a bit out of time. We have one last question. Thank you everyone for your time. It was a pleasure to host you today and to remind you, we have a lots and lots of content over our website. Please make sure to go through it. You can find lots of tabs, reach us at any point of time. Thank you. And hope to see you soon in more productive sessions around data protection or even other data or other pillars we are covering right now. Thank you everyone.

TL;DR

  • PDPL and MDMO regulations require Saudi organizations to classify, protect, and monitor personal and government data, with multi-million riyal penalties for non-compliance and security teams now responsible for providing evidence to regulators.
  • Fortra's Data Classification Suite provides guided classification workflows with contextual questions and persistent metadata, supporting Arabic content and creating the foundation for intelligent DLP policy enforcement across all file types.
  • Digital Guardian DLP offers complete visibility into user activities and data movement, with pre-built Saudi-specific policies detecting national IDs, GOSI numbers, and financial records while enabling progressive enforcement from monitoring to blocking.
  • The recommended implementation follows a five-pillar journey: data classification first, then data-at-rest discovery, DLP for data-in-motion, DRM for persistent protection, CASB for cloud security, and DSPM for comprehensive posture management.
  • Successful deployment requires phased rollout starting with stealth mode monitoring, coordinating across cybersecurity, infrastructure, network, data management office, and end-user stakeholders to build maturity and ensure adoption.
  • Organizations should expect a 3-6 month journey from initial classification through enforcement, with quarterly reviews and increasing awareness campaigns until reaching the maturity level needed for full regulatory compliance.

Understanding MDMO and PDPL Regulatory Requirements

This comprehensive webinar addresses the critical compliance requirements for organizations operating in Saudi Arabia under the MDMO (National Data Management Office) and PDPL (Personal Data Protection Law) regulations. PDPL, issued by SADAIA in September 2021 and implemented in 2023, applies to any organization processing personal data for individuals in Saudi Arabia. MDMO, established in 2019 and issued in 2022, governs government and semi-government entities handling public sector data. The session emphasizes that compliance is no longer solely a legal department responsibility — security teams must now provide evidence of data classification, protection mechanisms, and monitoring capabilities to regulators. Penalties for violations can reach multi-million riyal fines and criminal liabilities, making proactive compliance essential for organizational risk management.

Data Classification as the Foundation of Compliance

The webinar establishes data classification as the cornerstone of any successful data protection journey. Fortra's Data Classification Suite (DCS) enables organizations to apply classification labels (public, confidential, internal, restricted, top secret) with guided workflows that help users make accurate classification decisions. The system asks contextual questions about data sensitivity, approved usage, potential organizational impact, and intended recipients, creating persistent metadata that integrates with DLP policies. This approach goes beyond simple labeling — it captures the context needed for intelligent policy enforcement. The solution supports Arabic language content and can classify both structured Office documents and unstructured files like PDFs and images through right-click classification, ensuring comprehensive coverage across the organization's data landscape.

Implementing DLP with Full Visibility and Control

Fortra's Digital Guardian DLP solution provides the enforcement layer that protects classified data across multiple channels including email, web applications, USB devices, printing, and cloud services. The platform offers complete visibility into user activities — tracking file operations (open, copy, paste, rename), application usage, and data movement patterns. This granular monitoring enables security teams to detect anomalous behavior such as mass file copying before employee resignations or unauthorized data transfers to personal cloud accounts. The solution includes pre-built policies for GDPR, HIPAA, and ITAR, with specific support for Saudi regulations including detection of national IDs, passport numbers, GOSI numbers, and financial records in both Arabic and English. Organizations can implement policies progressively through stealth mode (monitoring only), alert mode, justification prompts, and finally block mode as they reach maturity.
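
The progressive enforcement described above (stealth, alert, justification, then block) combined with classification and category metadata can be modelled as a policy decision capped by the current rollout stage. The following is an added example, not Fortra's Digital Guardian configuration or API: the label names and the ladder order come from the webinar, while the category table, the `Event` fields, the function names and the sample events are hypothetical and constructed for illustration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    """Enforcement ladder named in the webinar, least to most aggressive."""
    LOG = 0         # stealth mode: record the activity, user sees nothing
    ALERT = 1       # tell the user the activity violated policy
    JUSTIFY = 2     # user must enter a business justification
    ENCRYPT = 3
    QUARANTINE = 4
    BLOCK = 5


# Classification labels from the page, ordered by sensitivity.
LABELS = ("public", "internal", "confidential", "restricted", "top secret")

# Hypothetical categorization table: departments whose daily work includes
# sending data up to the given label to third parties.
ALLOWED_EXTERNAL = {
    "legal": "confidential",
    "finance": "confidential",
    "contracting": "confidential",
}


@dataclass(frozen=True)
class Event:
    user: str
    label: str | None      # classification metadata tag, None if unlabelled
    category: str | None   # categorization tag (owning department)
    channel: str           # "email", "web", "usb" or "print"
    external: bool         # destination is outside the organization


def intended_action(ev: Event) -> Action:
    """Action the policy takes once the organization is at full maturity."""
    if not ev.external:
        return Action.LOG
    if ev.label is None:
        # Unlabelled data leaving the organization: ask the user why.
        return Action.JUSTIFY
    rank = LABELS.index(ev.label)  # raises ValueError on an unknown label
    if ev.label == "public":
        return Action.LOG
    if ev.label == "internal":
        return Action.ALERT
    ceiling = ALLOWED_EXTERNAL.get(ev.category or "")
    if ceiling is not None and rank <= LABELS.index(ceiling):
        # Sanctioned business flow: let it out, but protected or justified.
        return Action.ENCRYPT if ev.channel == "email" else Action.JUSTIFY
    return Action.BLOCK


def decide(ev: Event, stage: Action) -> Action:
    """Cap the intended action at the stage the rollout has reached."""
    return min(intended_action(ev), stage)


def preview_next_stage(events: list[Event], stage: Action) -> Counter:
    """Count events that would be handled differently one stage further up."""
    if stage is Action.BLOCK:
        return Counter()
    nxt = Action(stage + 1)
    changed: Counter = Counter()
    for ev in events:
        now, later = decide(ev, stage), decide(ev, nxt)
        if later != now:
            changed[later.name] += 1
    return changed


# Constructed sample events, not taken from any real deployment.
SAMPLE_EVENTS = [
    Event("u1", "confidential", "legal", "email", True),
    Event("u2", "confidential", "hr", "usb", True),
    Event("u3", None, None, "web", True),
    Event("u4", "restricted", "finance", "email", True),
    Event("u5", "internal", "hr", "email", True),
    Event("u6", "top secret", "legal", "print", False),
]

if __name__ == "__main__":
    for stage in Action:
        print(stage.name, [decide(e, stage).name for e in SAMPLE_EVENTS],
              dict(preview_next_stage(SAMPLE_EVENTS, stage)))
```

Running `preview_next_stage` over logged events before each stage change gives the stakeholders a count of the users who would start seeing prompts or blocks, which is the kind of report the webinar recommends reviewing before tightening enforcement.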

The Five-Pillar Data Protection Journey

Fortra recommends a structured approach to data protection built on five pillars: data classification, DLP, DRM (Digital Rights Management), CASB (Cloud Access Security Broker), and DSPM (Data Security Posture Management). The recommended implementation sequence starts with data classification to establish the foundation, followed by data-at-rest discovery to identify and classify legacy files across SharePoint, shared drives, Dropbox, and Google Drive. Next comes DLP deployment for data-in-motion protection, then DRM for persistent document protection, CASB for cloud application security, and finally DSPM for comprehensive data security posture visibility. This phased approach allows organizations to build maturity gradually, starting with stealth mode monitoring, progressing through user education and justification requirements, and ultimately reaching full enforcement. The journey requires coordination across multiple stakeholders including cybersecurity teams, infrastructure teams, network teams, data management offices, and end-user representatives to ensure successful adoption and minimal disruption.

Chapters

0:00 - Welcome and Introduction
1:13 - What are MDMO and PDPL?
2:01 - Who Must Comply?
2:49 - Accountability and Penalties
4:09 - Shared Compliance Principles
5:01 - Key MDMO and PDPL Mandates
7:40 - How Fortra Supports Compliance
8:01 - Data Classification Suite Overview
14:04 - Data Discovery Capabilities
16:00 - Detecting Saudi-Specific PII
23:41 - Visibility into User Activities
27:24 - Incident Reporting and Case Management
30:32 - Sales Perspective: Customer Journey
34:02 - Five Pillars of Data Protection
47:04 - Starting Your Data Protection Journey
49:34 - Project Milestones and Phases
51:31 - Enforcement and Maintenance Mode
53:04 - Q&A Session

Key Quotes

3:02 "Now the auditor or the regulator must come and collect evidence from the security team. So he comes open, show me the classification. How can I see the header? How do you protect your data? Try sending some email to an external domain that contains personal data. How is it blocked? Do you have evidence regarding this? ..."
3:34 "PDPL violations can lead to multi-million riyal as penalty or as fine, can lead to criminal liabilities as well. But again, the biggest risk is not the fine or not the penalties itself. You need to be responsible, you need to have control on all of the data that you have."
30:42 "It's nice to have you here with us so I can see lots of familiar names to me. I'm Mohammed Tariq, I'm regional sales manager in Fortra. I have been hired since two years right now in Fortra and I was handling the data protection portfolio in the beginning then become to the defensive part along with my colleagues."
33:29 "We have met around 300 plus customers across the region, most of them in Saudi Arabia. So frequent questions along with the projects, along with the engagement from sales, pre-sales activities and so on."
34:24 "We are always recommend to our customers start with the data classification journey because the data classification is the core stone of the, you can say successful project in the data protection."
46:27 "As a part of Fortra commitment to the region, as I told you before, I have joined two years back previously. One of our beloved colleagues Yousef was handling the team here in the region. We was only two of us. But right now during at the end of 25 and beginning of 26, Fortra have hired more than 20 people on ground."
48:02 "The project in data protection could be painful if we didn't take care of all these five pillars, stakeholders, or aspects, because the end user could have a bad project or a failed project or even a painful project."
9:00 "The DCS can help you to apply the classification labels, so it's public, it's confidential, it's internal, it's restricted, it's top secret, and so on. However, it's not only behind this. So customers also can allow or can put some information based on this."
10:34 "All of these data or all of these questions, it will be also part of the metadata. So now, when I apply DLP policy, I will apply for data which came from confidential, as well as a partner called X, and as well as the information, it's already, for this information, it's having potential, something like this."
16:56 "We have dedicated module, it's called DDE. So DDE, it's Data Detection Engine, it came also with the Fortra DCS, to help you to identify the documents, not just only in part of regular expressions, or advanced regular expressions. So we will go and scan the full entire document, and we will score this document for you."
24:08 "By getting the full visibility, we will help you to identify why I'm blocking this type of data, right? So this is, it's very good."
25:42 "This type of visibility can trigger you one day, you know, we need to stop. We need to here investigate. There is something here unauthorized do. There is something here, it's not, sorry. So there is something here we need to take care about."
26:56 "Assuming that's any user, before he is lefting or resigning, right, he do couple of stuff. He trying to copy as much as he can from his internal PC or laptop and try to copy to the USB or try to transfer it or try to print it or try to do this, right? ..."
28:32 "You can open a case which is also built-in in the digital guardian, which is having all the incidents that's already you collected right from the systems. And based on that case number, you can send it to the authorities or you can send it to the managers."
50:32 "Starting with the data classification, then data at rest, then later on DLP. Why is this order? Because data classification core stone to label the data, make sure that data at rest is labeled well. And of course, the DLP will handle the traffic who is eligible to send what outside."
52:35 "We are not here to sell for the product. We are here to guide and educate the customer for needed questions."
55:28 "When I'm ready to apply it, once you are confident enough and have the blessing from all the stakeholders, starting from cybersecurity team, infrastructure team, data management office, and the stakeholders on your testing machines, because do not go in a rush and apply all the policies, push the agent unless you have the blessing from all of them."
57:31 "We are not magicians. Every technology has its own limitation and just we need to make sure and be aware about the perfect use case so we can align with the perfect technology to fulfill this one."

FAQ

When should we start enforcing DLP policies after deploying agents?

Start with data classification and identification first, then deploy DLP agents in stealth mode for visibility only. Progress through alert mode, user justification prompts, and finally block mode only after you have stakeholder buy-in from cybersecurity, infrastructure, data management office, and end users. This typically takes 3-6 months with quarterly reviews to build maturity and ensure the organization is ready for enforcement without disrupting legitimate business activities.

Can existing Acceptable Use Policies (AUPs) satisfy PDPL requirements?

AUPs can support PDPL compliance only if they are aligned with PDPL requirements. If PDPL prohibits sending sensitive information to private emails but your AUP allows it, the AUP is insufficient. You must first understand what PDPL mandates, then ensure your AUPs align with those requirements and are signed by employees as part of your overall compliance framework.

What percentage of MDMO requirements does Fortra cover?

Fortra provides regional pre-configured policies based on extensive Saudi Arabia deployment experience that align with MDMO requirements. However, some policies require organization-specific fine-tuning, such as custom invoice number formats or proprietary data patterns. The platform covers the core requirements for data classification, protection, monitoring, and incident reporting, but each organization must customize policies to their specific data types and business processes.

