08/10/2013. Data protection and compliance.

Data protection and compliance
In the cloud and in your data center
1 November 2013

Agenda
1. Introduction
2. Data protection overview
3. Understanding the cloud
4. Where do I start?
5. Wrap-up

Data protection life cycle and goals
1. Understand the data held by the organization and its value. Answer the question: what is the information that needs to be protected the most?
2. Classify data as it is created, using labels that are clear and meaningful.
3. Protect data based on its classification, with the highest protections afforded to the most sensitive data.
4. Monitor the environment to identify data that is not appropriately classified or protected.
5. Continuously improve the program and remediate the errors and process gaps that monitoring identifies.

Common data loss channels
- Loss or theft of laptops and mobile devices
- Unauthorized transfer of data to portable media
- Sensitive data stored in unprotected locations
- File sharing/P2P
- Instant messaging, social media, personal web mail
- Copying/printing of sensitive data
- Corporate email

Global Information Security Survey (GISS) insights: data protection control implementation
Which of the following actions has the company taken? (percentage of respondents)
- 72%: Defined a specific policy regarding the classification and handling of sensitive information
- 68%: Employee awareness programs
- 57%: Implemented additional security mechanisms for protecting information (e.g., encryption)
- 43%: Locked down/restricted use of certain hardware components (e.g., USB drives, FireWire ports)
- 41%: Utilized internal audit for testing of controls
- 39%: Defined specific requirements regarding protection of information taken outside the office
- 38%: Implemented log review tools
- 38%: Implemented data loss prevention tools
- 31%: Restricted or prohibited use of instant messaging or email for sensitive data transmission
- 23%: Prohibited use of camera devices within sensitive or restricted areas
- 16%: Restricted access to sensitive information to specific time periods
Source: Ernst & Young's 2012 Global Information Security Survey: Fighting to close the gap

The rise in digital information further challenges effective data protection
- Rising reliance on IT is expected to stimulate digital storage demand at a projected annual growth rate of over 60% through 2020
- Worldwide, the volume of digital information is expected to be 44 times bigger in 2020 than it was in 2009
- Over the next decade:
  - The number of servers (virtual and physical) worldwide will grow by a factor of 10
  - The amount of information managed by enterprise data centers will grow by a factor of 50
  - The number of files the data center will have to deal with will grow by a factor of 75
  - However, the number of IT professionals in the world will grow by less than a factor of 1.5
Source: IDC, "The Digital Universe Decade - Are You Ready?", May 2010; IDC, "Extracting Value from Chaos", June 2011

Perpetual storage of all data can be a risky and costly strategy
Many companies have retained information years beyond its useful retention date or business value due to:
- Confusing retention schedules
- Embracing the false concept that storage is cheap
- Keeping data as a defense against potential litigation
- Data preservation due to litigation holds
BT survey: a quarter of decision-makers surveyed predict that data volumes in their companies will rise by more than 60% by the end of 2014, with the average of all respondents anticipating growth of no less than 42%.
Avanade survey: 55% of respondents report a slowdown of IT systems and 47% cite data security problems.
Data should be archived for historical reference and litigation protection, but it should not have infinite copies stored in unknown locations.

Understanding the cloud

Cloud Security Alliance
Not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.
https://www.cloudsecurityalliance.org
Source: https://cloudsecurityalliance.org/about/

Cloud computing top threats in 2013
1. Data breaches
2. Data loss
3. Account hijacking
4. Insecure APIs
5. Denial of service
6. Malicious insiders
7. Abuse of cloud services
8. Insufficient due diligence
9. Shared technology issues
Source: https://cloudsecurityalliance.org/download/the-notorious-nine-cloud-computing-top-threats-in-2013/

Where do I start?

Data protection control model
Data protection controls, applied to both structured and unstructured data:
- Data in motion: perimeter security
- Data in use: privileged user monitoring
- Data at rest: encryption
Focus areas:
- Network traffic monitoring/blocking
- Web content filtering
- Data collection and exchange
- Workstation restrictions
- Application controls
- Data labeling/tagging
- Obfuscation/tokenization
- Mobile device protection
- Network/server repository control
- Messaging (email, IM)
- Removable/external media control
- Physical media control
- Remote access
- Export/clipboard/print control
- Archive, disposal and destruction
Supporting information security processes:
- Identity/access management
- Security information management
- Configuration management
- Vulnerability management
- Digital rights management
- Incident response
- Physical security
- Training and awareness
- Asset management
- Data privacy
- Employee screening and vetting
- Third-party management
- BCP/DR
- Records management
- Risk management and reporting
- Change management/SDLC

What's important?
- Corporate data: price/cost lists, target customer lists, new designs, source code, formulas, pending patents, intellectual property
- Customer data: customer list, spending habits, contact details, user preferences, product customer profile, payment status, contact history
- Transaction data: bank payments, B2B orders, vendor data, sales volumes, purchasing power, revenue potential, sales projections
- Personally identifiable data: full name, birthday and birthplace, biometric data, genetic information, credit card numbers, SSN and passport numbers, driver's license numbers

Risk assessment
- Each type of sensitive data held by the company should be assessed to determine its relative value (a dollar value, if possible) and its relative risk.
- Again, this should be led by the business and facilitated by Information Security (or whoever owns data protection within the organization).
- The result should be clear guidance to the data protection team on which types of data require the most protection.
- High-value data from the risk assessment should be mapped to use cases.
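The "monitor" step of the life cycle, and the DLP network monitoring the deck recommends for the risk assessment, both come down to content inspection: finding the identifiers listed under "What's important?" in data as it moves through a channel such as corporate email, labeling the item, and obfuscating the match. The following is an added example, not code from the deck or from EY: a minimal inspector for two of those identifiers, credit card numbers (PANs, validated with the Luhn checksum so that ticket or order numbers are not flagged) and US Social Security numbers (validated with the published format rules). The sample messages, the "Restricted"/"Internal" labels and the masking format are constructed for the example; a real classification scheme and channel integration are the organization's own.

```python
"""Minimal DLP content inspection: detect, label and mask PANs and SSNs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample messages (not from the deck): outbound email bodies of
# the kind a DLP network monitor inspects on the corporate email channel.
SAMPLE_MESSAGES = {
    "msg-1": "Order ref 4111 1111 1111 1111 shipped to customer; invoice attached.",
    "msg-2": "Applicant SSN 123-45-6789, DOB 04/12/1980, please process.",
    "msg-3": "Ticket 4111111111111112 reopened; see release notes v2.3.1.",
    "msg-4": "Weekly sales volumes attached, no customer PII included.",
}

# PAN candidates: 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. The Luhn check decides.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN format rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


@dataclass
class Finding:
    kind: str    # "PAN" or "SSN"
    value: str   # text exactly as it appeared in the message
    masked: str  # obfuscated form that is safe to log or forward


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects ticket numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> Iterator[Finding]:
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # Keep only the last four digits, the usual receipt-style mask.
            yield Finding("PAN", m.group(), "*" * (len(digits) - 4) + digits[-4:])


def find_ssns(text: str) -> Iterator[Finding]:
    for m in SSN_RE.finditer(text):
        yield Finding("SSN", m.group(), "***-**-" + m.group()[-4:])


def classify(text: str) -> Dict[str, object]:
    """Label one message (hypothetical two-level scheme) and build a masked copy."""
    findings: List[Finding] = list(find_pans(text)) + list(find_ssns(text))
    redacted = text
    for f in findings:
        redacted = redacted.replace(f.value, f.masked)
    label = "Restricted" if findings else "Internal"
    return {"label": label, "findings": findings, "redacted": redacted}


def scan_messages(messages: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run the inspector over a batch of messages keyed by message id."""
    return {msg_id: classify(body) for msg_id, body in messages.items()}


if __name__ == "__main__":
    for msg_id, result in scan_messages(SAMPLE_MESSAGES).items():
        kinds = ",".join(f.kind for f in result["findings"]) or "-"
        print(f"{msg_id}: {result['label']:<10} [{kinds}] {result['redacted']}")
```

Two things in the block matter more than the regexes. The Luhn check is what keeps msg-3 from being flagged: a 16-digit ticket number looks exactly like a card number to a pattern alone, and a DLP program that floods the business with false positives loses the support the deck says it needs. The masked copy is what lets the finding be logged, escalated or sent to incident response without creating another copy of the sensitive value, which is the "infinite copies stored in unknown locations" problem from the retention slide.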

Architecture
A core component of a data protection program is understanding data flows and identifying the applications, databases and unstructured repositories that contain sensitive data. Key questions to answer include:
- Where is my data flowing, both inside and outside the organization?
- What structured repositories hold sensitive data?
- What unstructured repositories are available to users for sharing and collaboration?
- Where is data archived?
- Are users' local drives stored on the network?

Risk and audit
Data handling:
- Loss of control over data
- Lack of information isolation
- Data recovery
- Data privacy
- Encryption methods
Areas for heightened risk awareness and audit focus:
- IT operations
- Third-party evaluations
- System integration/services transaction flow
Legal/vendor:
- Legal support capability
- Vendor support
- Service measurement
- Vendor viability
- Certified personnel
Compliance:
- SOX
- HIPAA
- PCI
- FISMA
Physical:
- Natural disasters
- Unauthorized access
- Theft
These may be addressed by a combination of:
- Continuous monitoring for availability statistics
- Validating data concerns by assessing vendor data management methods
- Validating vendor longevity and capability using contractual methods, with contingencies in place
- Reviewing the vendor's compliance policies and third-party certification
- Reviewing access and identity management methods and controls
- Defining and validating integration points, both internally and externally

Cloud Security Alliance resources
- Cloud Controls Matrix (CCM): controls framework for 13 domains, mapped to ISO 27001/27002, ISACA COBIT, PCI DSS, HIPAA, NIST and NERC CIP
- Consensus Assessments Initiative (CAI): set of questions a cloud consumer and cloud auditor may ask of a cloud provider; aligns to the CCM
- Security, Trust & Assurance Registry (STAR): registry that documents the security controls provided by various cloud computing offerings; helps users assess the security of cloud providers
Sources: https://cloudsecurityalliance.org/research/ccm/ https://cloudsecurityalliance.org/research/cai https://cloudsecurityalliance.org/star/

We have covered a lot of topics today! Let's recap
The ever-evolving risk landscape is becoming more challenging to manage. With data loss, prevention is always better than recovering after a breach. Consider the following next steps:
Understand your data program
- Gain an understanding of current data protection processes, stakeholders and technology
- Understand legal requirements, regulatory requirements and business drivers for DLP
- Understand existing data protection improvement plans
Risk assessment
- Undertake a risk assessment to identify potential exposure and uncontrolled data loss channels
- Determine whether sensitive data has been identified, inventoried and risk ranked
- Consider using a DLP network monitoring tool to aid in the risk assessment process
Control assessment
- Determine data protection program maturity by assessing data protection controls
- Consider all relevant controls that contribute to data protection
Program improvement
- Identify gaps in the current program and controls
- Identify the additional technology and processes required to achieve the desired maturity
- Develop specific recommendations for improvement and remediation
- Develop a road map for improvement

Thank you
Fighting to close the gap: Ernst & Young's 2012 Global Information Security Survey, http://www.ey.com/giss2012
EY's 2013 Global Information Security Survey coming soon: http://www.ey.com/informationsecurity
Eric Brothers, Manager, Advisory Services, Atlanta, GA
Phone: +1 404 817 4419
Email: eric.brothers@ey.com