Data Masking Best Practices




Information Security Risk
- The risk that sensitive information becomes public

Information Security Risk
Government systems store a huge amount of sensitive information:
- Vital Statistics
- Health Information
- Social Services
- Criminal Justice
- Financial Information

Information Security Risk
Many people have access to the information for various different roles:
- System End Users
- Application Administrators
- Data Consumers
- Application Support Staff
- Project Team Members
- External Vendors

Sensitive Information
- General Information: Name, Address, Date of Birth, SIN, &c.
- Financial and Banking Information: Credit Card, Bank Account, Salary, &c.
- Health Information: MCP, E-Health Records, Consent Management, &c.

Potential Repercussions
In the event sensitive data becomes public:
- Regulatory and Legal Liability
- Loss of Trust and Confidence
- Salary Reduction / Loss of Employment
- Damage to Reputation
- Subject to Investigation
- Cost of Incident Response

Risk Stakeholders
- Government Executive
- OCIO Executive
- Client Department Executive
- Project Manager and Project Team
- Application Support
- Infrastructure and Network Operations
- System Administrators and End Users

Risk Mitigation
We use information security technologies to mitigate and control the risk:
- User Authentication and Access Control
- Network Perimeter Defence
- Virtual Private Networking
- Intrusion Prevention & Detection Systems
- Antivirus Systems

Risk Mitigation
We have information security processes to mitigate and control the risk:
- Information Management Assessment
- Information Security Classification
- Privacy Impact Assessment
- Threat / Risk Assessment
- Vulnerability Assessment

Residual Risk
- Existing risk mitigation focuses primarily on the product of system development
- There is a significant residual risk related to the process of system development

Residual Risk
Production data is often being used in:
- Upgrade and Enhancement of existing systems
- Migration to replacement systems
- Development of Data Warehousing or Business Intelligence systems
- Application Support
- Training

Project Exposure
- Project Managers and other Project Team Members are exposed to this risk
- Non-Disclosure Agreements recognize an awareness and intention to address the risk
- Are the strategies employed by your team and your organization sufficient?
- How much risk are you accepting?

Data Masking Avoids the Risk
- Removes the need for production data in non-production environments
- Allows selected data to be obscured in production environments
- Supports development, testing, training, application support, &c.

Data Masking
- A set of techniques and technologies aimed at preventing the abuse of sensitive data by hiding it from users
- The process of concealing private data...such that application developers, testers, privileged users, and outsourcing vendors do not get exposed to such data

Static Data Masking
- Begins by taking production data as input
- Applies transformations to de-identify records and remove sensitive information
- Preserves structure of data by maintaining referential integrity in and between databases
- Provides high-quality, realistic test data for use in non-production environments

Static Data Masking
[Figure: Static Data Masking creates non-production data]
- Production Database with Sensitive Data (Production User), values in database: 3890 6784 2945 0093, 3245 9999 2456 7658
- Non-Production Database with Masked Data (Non-Production User), masked values: 1234 6789 1000 4422, 2233 6789 3456 5555

Dynamic Data Masking
- Creates an additional layer of security between databases and applications
- Selectively masks sensitive information from users who do not require it to do their jobs
- Provides fine-grained, role-based security
- Allows security roles to be defined across multiple databases and applications

Dynamic Data Masking
[Figure: Dynamic Data Masking applies rules based on user role]
- Database Containing Sensitive Data, values in database: 3890 6784 2945 0093, 3245 9999 2456 7658
- Authorized User, original values: 3890 6784 2945 0093, 3245 9999 2456 7658
- Unauthorized User A, masked values: xxxx xxxx xxxx 0093, xxxx xxxx xxxx 7658
- Unauthorized User B, scrambled values: 1234 6789 1000 4422, 2233 6789 3456 5555
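
The two masking modes above, as an added example that is not part of the original presentation. It assumes a keyed HMAC digit substitution as the static transformation (the slides name no algorithm), and the role names, key and sample rows are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the key lives only with the masking job, never in non-production.
MASKING_KEY = b"constructed-demo-key"

def static_mask(value: str, key: bytes = MASKING_KEY) -> str:
    """Replace every digit deterministically; keep length and separators."""
    digits = "".join(c for c in value if c.isdigit())
    if len(digits) > hashlib.sha256().digest_size:
        raise ValueError("value too long for this demo keystream")
    stream = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    fake = iter(str(b % 10) for b in stream)
    return "".join(next(fake) if c.isdigit() else c for c in value)

def partial_mask(value: str, keep: int = 4) -> str:
    """Hide all but the last `keep` digits, as in the 'masked values' view."""
    hide = sum(c.isdigit() for c in value) - keep
    out = []
    for c in value:
        if c.isdigit() and hide > 0:
            out.append("x")
            hide -= 1
        else:
            out.append(c)
    return "".join(out)

# Hypothetical roles; the slides only show authorized and unauthorized users.
ROLE_RULES = {"authorized": lambda v: v, "support": partial_mask,
              "vendor": static_mask}

def dynamic_view(value: str, role: str) -> str:
    """Dynamic masking: the stored value is untouched, the rule follows role."""
    return ROLE_RULES.get(role, static_mask)(value)  # unknown role: scrambled

def mask_tables(customers, payments):
    """Static masking: build the non-production copy of two related tables."""
    mask = lambda rows: [{**r, "card": static_mask(r["card"])} for r in rows]
    return mask(customers), mask(payments)

# Constructed sample rows using the card values shown on the slides.
CUSTOMERS = [{"id": 1, "card": "3890 6784 2945 0093"},
             {"id": 2, "card": "3245 9999 2456 7658"}]
PAYMENTS = [{"amount": 40, "card": "3245 9999 2456 7658"},
            {"amount": 15, "card": "3890 6784 2945 0093"}]

if __name__ == "__main__":
    cust, pay = mask_tables(CUSTOMERS, PAYMENTS)
    for p in pay:  # the join on the masked card still finds the same customer
        owner = next(c["id"] for c in cust if c["card"] == p["card"])
        print(p["amount"], p["card"], "-> customer", owner)
```

Because the substitution is deterministic, the same card masks to the same value in every table, which is what keeps referential integrity; it also means the masked value is a stable pseudonym, so the key must stay out of the non-production environment.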


Analyze
- Identify fields containing sensitive information in the production data
- Determine application-level relationships
- Determine enterprise-level relationships for other data sets in view
- Define security roles for dynamic masking

Model
- Choose the data fields to be masked
- Determine an appropriate masking strategy
- Static masking rules for each field
- Dynamic masking rules by field and role
- Map the internal and external dependencies for each target field

Develop
- Configure dynamic masking security roles
- Create data masking configurations
- Configure application-level data relationships
- Configure enterprise-level data relationships
- Set up target database environments
- Test and validate configurations

Execute
- Deploy dynamic masking security roles and masking rules
- Execute static masking process to create non-production data sets
- Provide access to non-production data
- Establish schedule for automated masking and refresh of non-production data

Roles Engaged
- Data Masking Specialist
- Information Management Specialist
- Database Administrator
- Application Support Specialist
- Business Subject Matter Expert

Success Criteria
OCIO Executive:
- Masked data meets IM/IP requirements
- Application functionality preserved
- Internal stakeholders confirm masking success
Application Services:
- Application functionality preserved
- User friendliness
- Reusability

Success Criteria
Database Management:
- Ease of use
- Enterprise-level strategy (cross-platform)
Information Protection:
- Masking occurs in a secure and acceptable fashion
- Masking effectively removes sensitive information
- Process is well documented
- Process is repeatable

Conclusion
- Use static masking to remove risks associated with using production data in non-production environments
- Use dynamic masking to reduce exposure with an additional layer of role-based security offering fine-grained access control
- Extend data masking across applications to leverage enterprise-wide benefits

Questions