A Practical Guide to Data Classification

Transcription

1 A Practical Guide to Data Classification or There and Back Again Michael A. Morabito Cardinal Health

2 Agenda Demographics quiz Where we started Why bother? Buckets and labels Two pronged attack Overlap and underlap Selling this idea

3 Where We Started I think we know where all the private data is Is this going to cost more? Do we even have any trade secrets? We have a wall of steel! Who would want to hack into us?

4 Why Bother? Federal, state, and local laws Contractual obligations Protection from intellectual property theft Mobile devices destroying the perimeter Cloud storage and cloud data centers Increasing cost to protect everything Computer crime isn t going away

5 Buckets and Labels Public Internal Use Only Confidential Private We give this away in the mail, news, etc. Everything else, which probably makes no sense to anyone else This is our competitive edge, we look bad if we lose it Law, contracts require us to protect it. We go to jail and pay fines if we lose it

6 Buckets and Labels What s Confidential? Legal Board of Directors Passwords I.T. Things the news papers don t need!! Internal Investigations Legal Proceedings System Logs Network Configuration Things hackers want!! Bank Account # s Pre-release Financial Data Transactions & Profile Data Intellectual Property & Trade Secrets Glove designs, Material formulas, Etc. Finance M&A plans before announcement Business Strategy Business Segment

7 The Big Picture 1 Policy Awareness 1. Clear direction from leadership 2. Single point of ownership 3. Training for all levels of leadership 2 Classify Catalog and Assess 4. Document business processes using HIPAA data 5. Catalog all applications using HIPAA data 6. Discover all storage systems containing HIPPA data 3 Tiered Controls Operational Documents 7. Finalize technical controls 8. Build control environments 9. Integrate with M&A strategy to prevent future issues 4 Prioritize Remediate 10. Prioritize applications/business processes 11. Remove unneeded HIPAA data from bus. processes 12. Migrate applications/storage into new environments

8 Two Pronged Attack Data Security Strategy Private Data Phase 1. Policy and Awareness Communications plan w/ Eileen Town Hall, EC, OC, Manager s Briefing, newsletters Schedule speaking engagements w/eileen Draft Messages for Steve, Patty All Managers Briefing CIO EC & OC Meetings Employee HIPAA Training Ongoing Communications 2. Classify and Catalog Discovery FY13-Q2 myleader Incident Create discovery process and teams alerts received at Keep IT Safe See Business Process Discovery tab Kickoff Business Process Discovery Kickoff Data Repository Discovery Ongoing See Data Discovery tab 3. Tiered Controls and Architecture Create new network architecture to protect Private Data Stakeholders determine controls Document Architecture and transition states Implement Design [Add more detail] Year 3 Design Updates [Add more detail] Year 5 Design Updates [Add more detail] 4. Prioritize and Remediate FY13-Q2 myleader Incident created priority for HIPAA/ Private data Tactical Remediation Efforts Segment Encrypt ACLS Purge Tech Adoption Lifecycle Buy Build Migrate Apps Tactical Remediation Efforts Tech Adoption Lifecycle Buy Build Migrate Apps Operationalize Operationalize

9 Two Pronged Attack cont. Data Security Strategy Private Data - 2. Classify and Catalog - Business Process Discovery Phase Spinoff identify Business Process Team Receive alert at Keep IT Safe Review alert for necessary contact information Contact alert originator Enough info to schedule meeting? Yes Facilitator Scheduled meeting w/ Privacy Officer Full Team has first review meeting with P.O. and SMEs Agenda and Questions: What data do you receive? Who needs to use it? How is it used? Where is it stored? -Create data flow diagrams -Discuss de-identifying data another gap Document business processes and information use cases Document findings on secured SharePoint site Verify Data with Data Discovery Team Document Recommendations and Observations Facilitator Scheduled meeting w/ Privacy Officer Full Team has closing meeting with P.O. and SMEs Remediation action items Document findings on secured SharePoint site [see additional documents] NO Business Unit Privacy Officer Facilitator Scheduled meeting w/ Privacy Officer P.O. contacts necessary subject matter experts to attend meeting Full Team has first review meeting with P.O. and SMEs Facilitator Scheduled meeting w/ Privacy Officer Full Team has closing meeting with P.O. and SMEs Data Discovery Team Receive data??? verification request Also see detailed Data Discovery Team Process Remediation Team Receive remediation Engage PMO Create remediation plan? items Also see detailed Remediation Team Process

10 Two Pronged Attack, Actual CEO Mfg Logistics EIT 1 Bus. Bus. Security 2 App Dev App Dev DBA

11 Two Pronged Attack, Actual 1 The Business What data do you think is Private? [or confidential] Who s the first person in our company who touches it? Where do they put it? Who else needs to use it? When/where/how do we ever give it to a 3 rd party? 2 Data Storage Teach the DBA s to recognize Private and Confidential data Set up data loss prevention tools, web filtering, queries, even batch files [if you have to] to locate key data types Examine DB schemata to find suspect fields

12 Overlap and Underlap Business Process IT Search Results

13 Selling this Idea Fear Federal, state, and local laws Contractual obligations Unacceptable risks Savings Mobile devices destroying the perimeter Cloud storage and cloud data centers Increasing cost to protect everything Self Defense Computer crime isn t going away Protect your competitive edge

14 Selling this Idea FY13 FY14 FY15 FY16 FY17 1 Policy Awareness $?Training HIPAA $?Training $?Training $?Training $?Training 2 Classify Catalog & Assess Private $?Data discovery Confidential $?Data discovery 3 Tiered Controls Operational Docs $? DLP $? Sensage $? PaloAlto $? Rapid7 $? PAAM $? DAM $? Tokenize $? Web Svcs $? DAM $? App Sec $? 2 Factor $? Tokenize $? App Sec $? 2 Factor $? App Sec 4 Prioritize Remediate $? Remediation $? BAA Remediation $? per app to remediate (x6 apps) $?operationalize $? per app to remediate (x10 apps) $???M total $???M total $???M total $???M total $???M total

15 Now Accepting?????