Embarcadero Technologies, with contributions from Ron Lewis, Senior Security Analyst, CDO Technologies



Similar documents
Why Data Warehouse Projects Fail Using Schema Examination Tools to Ensure Information Quality, Schema Compliance, and Project Success

Selecting the Right Change Management Solution Key Factors to Consider When Evaluating Change Management Tools for Your Databases and Teams

Using Database Monitoring Tools to Measure, Manage, and Prove SLA Compliance Embarcadero Technologies

Setting up IIS on Windows 7: Build Web Services with RAD Studio 2010

Role-Based Benefits of Buying and Using ER/Studio Enterprise Portal

Reducing the Time and Costs Associated with Sarbanes-Oxley Compliance

Tech Notes. Corporate Headquarters EMEA Headquarters Asia-Pacific Headquarters 100 California Street, 12th Floor San Francisco, California 94111

New Tools for Faster SQL Tuning and Analysis Embarcadero Technologies

Embarcadero Rapid SQL

Embarcadero ToolCloud for XE Quick Start Guide. ToolCloud for Embarcadero XE Products Last Published May 5, 2010

Best Practices and a Must Have Toolset for SOA Migration Projects

ER/Studio Data Architect

Healthcare Data Management Survey Report

International Sybase User Group Member Survey Report

Database Trends Survey Report

Managing Java EE Performance with Embarcadero s J Optimizer Request Analyzer

Cloud Computing for Technology Tools

Software Development Predictions For 2009

The High Performance DBA Series Best Practices That Every Multi-Tasking DBA Must Know

InterBase SMP: Safeguarding Your Data from Disaster

Embarcadero DB Change Manager 6.0 and DB Change Manager XE2

Department of Defense DIRECTIVE

Best Practices for Managing Multiple Database Platforms for Performance & Availability

Your Agency Just Had a Privacy Breach Now What?

From Visual C++ Application to Native Mac in 90 Seconds

Top 10 Considerations for Choosing Database Tools Beyond the Feature Matrix

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Performance Tuning Essentials for Java Manage Application Speed, Scalability and Reliability Throughout the Development Process

POSTAL REGULATORY COMMISSION

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

A New Tooling Charter for Data-Driven Software Development

Office of Inspector General

Identity and Access Management Initiatives in the United States Government

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Rapid SQL XE Product Reviewer Guide

Fiscal Year 2007 Federal Information Security Management Act Report

EPA Needs to Strengthen Its Privacy Program Management Controls

Mission Assurance and Security Services

Evaluation Report. Office of Inspector General

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

HiSoftware Policy Sheriff. SP HiSoftware Security Sheriff SP. Content-aware. Compliance and Security Solutions for. Microsoft SharePoint

Provide access control with innovative solutions from IBM.

Ringing the Changes for Change Management Philip Rathle and Scott Walz

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Estate Agents Authority

California State University, Sacramento INFORMATION SECURITY PROGRAM

Compliance and Security Solutions

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Iowa Health Information Network (IHIN) Security Incident Response Plan

Supporting FISMA and NIST SP with Secure Managed File Transfer

UCI FISMA Core Program Procedures & Processes Frequently Asked Questions (FAQs)

The Impact of HIPAA and HITECH

Commodity Futures Trading Commission Privacy Impact Assessment

Facilitating Efficient Data Management by Craig S. Mullins

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

Order. Directive Number: IM Stephen E. Barber Chief Management Officer

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Privacy Incident Handling Guidance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

NetIQ FISMA Compliance & Risk Management Solutions

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

MINNESOTA STATE STANDARD

SMITHSONIAN INSTITUTION

Self-Service SOX Auditing With S3 Control

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

BRIDGEVALLEY COMMUNITY & TECHNICAL COLLEGE OPERATING POLICY

SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Department of the Interior Privacy Impact Assessment

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Delphi Developer Certification Exam Study Guide

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Department of Veterans Affairs VA Handbook Information Security Program

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

VA Office of Inspector General

Information Security Program Management Standard

8 Steps to Holistic Database Security

How To Audit The Mint'S Information Technology

Implementing HIPAA Compliance with ScriptLogic

DEPARTMENT OF THE INTERIOR. Privacy Impact Assessment Guide. Departmental Privacy Office Office of the Chief Information Officer

PCI Data Security Standards (DSS)

Payment Card Industry Data Security Standard

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Physical Access Control System

Appendix A: Rules of Behavior for VA Employees

Federal Trade Commission Privacy Impact Assessment

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

APHIS INTERNET USE AND SECURITY POLICY

2015 List of Major Management Challenges for the CFPB

Transcription:

White Paper Ensuring Personally Identifiable Information (PII) Security within U.S. Government Agencies Using Data Management Tools to Ensure FISMA and Privacy Act Compliance Embarcadero Technologies, with contributions from Ron Lewis, Senior Security Analyst, CDO Technologies January 2009 Corporate Headquarters EMEA Headquarters Asia-Pacific Headquarters 100 California Street, 12th Floor San Francisco, California 94111 York House 18 York Road Maidenhead, Berkshire SL6 1SF, United Kingdom L7. 313 La Trobe Street Melbourne VIC 3000 Australia

Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. This is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies Inspectors General and other law enforcement, and public and legislative affairs. It is also a function of applicable laws, such as the Federal Information Security Management Act of 2002 (FISMA) and the Privacy Act of 1974. (Clay Johnson III, Deputy Director for Management, Office of Management and Budget). 1 REGULATORY OVERVIEW: PII AND THE FEDERAL GOVERNMENT Many different organizations collect Personally Identifiable Information (PII), ranging from hospitals and banks to apartment complexes and utility companies. However, government agencies are in a uniquely challenging position mandated to simultaneously widely disseminate and strongly protect the information they collect. How do Chief Information Officers (CIOs) and Senior Agency Officials for Privacy (SAOPs) balance the basic considerations and assumptions described in OMB Circular A-130 2 : The Federal Government is the largest single producer, collector, consumer, and disseminator of information in the United States. Government information is a valuable national resource. The free flow of information between the government and the public is essential to a democratic society. The individual's right to privacy must be protected in Federal Government information activities involving personal information. These statements, supported by regulations such as the Freedom of Information Act and FISMA, can appear to be in direct conflict with one another. For government agencies, most information should be disclosed by default; however, PII is the opposite it should always be protected from disclosure except when legally mandated. This, of course, makes complete sense when you think about how you would like your own name and social security number treated by any public or private organization storing that information. Over the past several years, the OMB has extended FISMA s annual reporting requirements to include specific reviews and reports on each agency s handling of PII. In general, the regulations, mandates, and related guidance boil down to (see Additional Information at the end of this paper for a complete list of current PII-related OMB memos). 1. Know what PII you collect and all the places it is stored and used 2. Reduce the collection and storage of PII wherever you can 3. Control access to PII no matter where or how it is accessed 4. Encrypt all PII both at rest (storage) and in motion (transmission) 5. Monitor for, alert on, and notify when a privacy breach occurs 1 7/m07-16.pdf 2 v/omb/circulars/a130/a130trans4.html Embarcadero Technologies - 1 -

Given the difficulty and expense of implementing these 5 simple statements, it may be helpful to tighten the scope of the problem by reviewing the OMB s definition of PII: Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother s maiden name, etc. (Clay Johnson III, Deputy Director for Management, Office of Management and Budget). 3 And, of course all of this requires a good set of policies, procedures, and processes with strong oversight, reporting, and enforcement and it cannot be accomplished without the information security controls that make up the other 99 percent of FISMA compliance. WHEN PII IS STORED IN A DATABASE: AUDITING, REPORTING, AND PROTECTING Databases typically represent the largest concentration of sensitive information and, thus, are the primary target of hackers. Sometimes containing millions of records, compromised databases are the most damaging, even if the disclosure is accidental. Unfortunately for those involved in the design, development, and administration of agency databases, there are almost no explicit references to databases in the FISMA and PII guidance provided by the OMB. Even the technical guidance provided by NIST is much more appropriate to process, application, and O/S controls. Examples are given below to highlight the difference between the two: EXAMPLE 1 GENERAL CONTROL Agencies must now also review their current holdings of all personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of a documented agency function. Agency-specific implementation plans and progress updates regarding this review will be incorporated as requirements in agencies annual report under FISMA. 4 EXAMPLE 2 DATABASE-SPECIFIC CONTROL Agencies must log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. 5 3 7/m07-16.pdf 4 7/m07-16.pdf 5 6/m06-16.pdf Embarcadero Technologies - 2 -

USING EMBARCADERO TOOLS Several Embarcadero tools address the five basic PII protection fundamentals listed above. For a complete control-by-control list of how each product addresses relevant FISMA requirements (as mandated in FIPS 200 and further explained in NIST SP 800-53). MANAGING CHANGE WITHIN YOUR DATABASES: CHANGE MANAGER It is important that PII not be compromised as a result of general database configuration problems. Embarcadero Change Manager allows agencies to establish Configuration Standards for Oracle, DB2 LUW, SQL Server, and Sybase databases and run compliance checks between these standards and agency databases on a regularly-scheduled basis. Change Manager is currently being used by many civilian and Department of Defense agencies for this and other purposes. Change Manager is a mature and sophisticated product that has been in extensive use in government and the private sector for many years. Its uses span the development lifecycle, where it is commonly used to manage, report, and troubleshoot change across any database environment. It also plays a role in auditing permissions, privileges, and access controls. Maintaining the principle of least privilege is considered a best practice, along with the practice of role-based security. Change Manager can report on changes to users, roles, or groups (including permission changes), and capture point-in-time snapshots of user, role, and permission settings, which can be automatically reported upon. Virtually any object definition tables, stored procedures, views can be captured and compared between points in time, providing a definitive historical record that can be used for roll-back, compliance investigation, reporting, or change alerting. In addition, Change Manager can compare data sets either against a historical snapshot, against a mirrored database, or even against a different brand of database. This can be used to determine if any data had been changed in the event of a breach or to synchronize reference data across multiple databases. Agencies using this technology have experienced significant gains in productivity and capability for compliance-related activities. FISMA / NIST 800-53 Categories: Access Control, Audit and Accountability, Configuration Management, System and Information Integrity FINDING AND DOCUMENTING DATABASES WITH PII: ER/STUDIO Complying with the Federal Information Management Act (FISMA) and automating the reporting process is something that challenges even the most advanced federal agencies. ER/Studio provides the ability to identify, track, and categorize where sensitive data is stored. With a clear understanding of the data and how it is structured, Embarcadero addresses the Embarcadero Technologies - 3 -

agencies data documentation needs, allowing it to report on large quantities of data and metadata from disparate sources. Through reverse- and forward-engineering, ER/Studio enables users to roll out privacy and regulatory tags to databases in development and existing production databases. This type of functionality is also repository-based, so users are able to conduct impact analysis or query an enterprise model for all data elements containing encrypted or secure data. ER/Studio allows an agency to reverse engineer an existing environment, discover the PII in that legacy environment, tag the PII data elements as sensitive data per FISMA, standardize this across development and production environments, and perform automated annual reporting. Furthermore, using the tagging capability in ER/Studio, an agency can generate the real time reports required by FISMA, should a data compromise or breach be suspected. The ER/Studio advanced meta-data management tool, ER/Studio Enterprise Portal, takes reporting a step further as a web-based query tool that provides real time reports on metadata information stored in the agency s data models. With a clear understanding of the data contained in agency databases, Embarcadero addresses agencies PII documentation needs, allowing it to report on large quantities of data and metadata from disparate sources. FISMA / NIST SP 800-53 Categories: Access Control, Planning, Risk Assessment, System & Services Acquisition SECURING PII WITHIN DATABASES: DBARTISAN A key component to preventing a data breach is to control access to databases. Complex environments with databases physically located all over the world, multiple database platforms, and incomplete or hard-to-use native tools make the process of creating user accounts, roles and permissions (as well as removing them) extremely difficult to manage. DBArtisan provides a single console for managing security, performance, and availability across multiple database platforms simultaneously and managing users, roles, permissions, and passwords. Quickly and easily lock down inactive and terminated employee accounts or remove unnecessary components. You can also monitor on use of shared accounts and terminate sessions using those accounts, all from the same authorized, easy-to-use interface regardless of whether you are working on Oracle, SQL Server, Sybase, DB2, or MySQL. This tool eases the creation of Standard Operating Procedures (SOPs) for day to day database management, as required by FISMA and simplifies the Trusted Facility Manual (TFM). All of the standard activities can be accomplished in a single, cross-platform tool with an easy to use interface. FISMA / NIST 800-53 Categories: Access Control, Audit and Accountability, Personnel Security Embarcadero Technologies - 4 -

VALIDATING DATABASE CONTROLS AND STREAMLINING PII STORAGE: DSAUDITOR One of the biggest burdens of FISMA compliance is monitoring and reporting PII data access and usage. DSAuditor provides an automated means of generating the required FISMA reports documenting that PII is only being accessed by authorized users. It also provides a means of identifying and recording unauthorized access attempts so that system owners can proactively monitor for real world threats. DSAuditor is the only tool that provides a continuous automated means of validating database level control functionality at the point closest to the data (e.g., the database) that is that the controls are operating as expected. Agencies often get stuck housing more PII than necessary. DSAuditor shows which PII is actually being used, how frequently, by whom, and by which method the data is being accessed. DSAuditor can quickly identify dormant and rarely utilized PII data which enables Federal agencies to streamline PII storage and more effectively manage the PII assets. CONCLUSION Safeguarding personally identifiable information and remaining in compliance with government regulations is a difficult challenge made easier with database tools from Embarcadero Technologies. For additional information on how Embarcadero can help you document and securely manage your databases, please visit www.embarcadero.com, or contact your local sales rep for more information, including the Embarcadero white paper: Mapping Embarcadero Products to FISMA Requirements. ADDITIONAL INFORMATION Federal Information Security Management Act of 2002 Health Insurance Portability and Accountability Act of 1996 Privacy Act of 1974 http://csrc.nist.gov/drivers/documents/fisma-final.pdf http://www.cms.hhs.gov/hipaageninfo/downloads/hipaalaw.pdf http://opm.gov/feddata/usc552a.txt Embarcadero Technologies - 5 -

OMB PII GUIDANCE Title Description URL M-06-15: Safeguarding Personally Identifiable Information Requires Senior Agency Official for Privacy to conduct a review of PIIrelated policies and procedures M-06-16: Protection of Sensitive Agency Information M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information M-07-19: FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management M-08-09: New FISMA Privacy Reporting Requirements for FY 2008 M-08-21: FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management States required protections when PII cannot be protected by physical security (mobile devices, laptops, remote access) Requires the development and implementation of a breach notification policy Extends 2007 FISMA reporting requirements to include an appendix specifically on agency meeting PII safeguards (the above memos, reduction in collection/holding of PII, enforcement policies) Identifies additional privacy reporting requirements that will be required for FISMA 2008 (internal reviews, summary of policies and advisories issued during the year, written complaints and how they were handled) Specifies 2008 FISMA reporting requirements (same categories as 2007 with some additional questions in the report template) NIST INFORMATION SECURITY GUIDE 6/m-06-15.pdf 6/m06-16.pdf 7/m07-16.pdf 7/m07-19.pdf 8/m08-09.pdf 8/m08-21.pdf FISMA Implementation Project Special Publications FIPS 199 FIPS 200 http://csrc.nist.gov/groups/sma/fisma/index.html http://csrc.nist.gov/publications/pubssps.html http://csrc.nist.gov/publications/fips/fips200/fips-200-finalmarch.pdf http://csrc.nist.gov/publications/fips/fips199/fips-pub-199- final.pdf Embarcadero Technologies - 6 -

Embarcadero Technologies, Inc. is a leading provider of award-winning tools for application developers and database professionals so they can design systems right, build them faster and run them better, regardless of their platform or programming language. Ninety of the Fortune 100 and an active community of more than three million users worldwide rely on Embarcadero products to increase productivity, reduce costs, simplify change management and compliance and accelerate innovation. The company s flagship tools include: Embarcadero Change Manager, CodeGear RAD Studio, DBArtisan, Delphi, ER/Studio, JBuilder and Rapid SQL. Founded in 1993, Embarcadero is headquartered in San Francisco, with offices located around the world. Embarcadero is online at www.embarcadero.com..

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information