Protect your organization s sensitive information and reputation with high-risk data discovery

Similar documents
Vulnerability Management Policy

Application Security in the Software Development Lifecycle

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Network Security & Privacy Landscape

ITAR Compliance Best Practices Guide

An Executive Overview of GAPP. Generally Accepted Privacy Principles

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

And Take a Step on the IG Career Path

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Research Information Security Guideline

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA

PRIVACY BREACH MANAGEMENT POLICY

How-To Guide: Cyber Security. Content Provided by

Preventing. Payment Card Fraud. Is your business protected?

AB 1149 Compliance: Data Security Best Practices

How To Protect Your Data From Theft

Best Practices for Protecting Sensitive Data in an Oracle Applications Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Preemptive security solutions for healthcare

Dispatch: A Unique Security Solution

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

To all GRSB debit and credit card customers:

Make information work to your advantage. Help reduce operating costs, respond to competitive pressures, and improve collaboration.

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Nine Network Considerations in the New HIPAA Landscape

SecurityMetrics. PCI Starter Kit

The Value of Vulnerability Management*

HP Application Security Center

Payment Card Industry Data Security Standards

With the Target breach on everyone s mind, you may find these Customer Service Q & A s helpful.

Why Add Data Masking to Your IBM DB2 Application Environment

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Protecting personally identifiable information: What data is at risk and what you can do about it

Statement of Qualifications Cybercrime & data breach

Privacy and Data Breach Protection Modular application form

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group Ext. 7029

Getting real about cyber threats: where are you headed?

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

White Paper. Managing Risk to Sensitive Data with SecureSphere

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

Protection of Privacy

Why Is Compliance with PCI DSS Important?

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Securing Database Servers. Database security for enterprise information systems and security professionals

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

White Paper: Are there Payment Threats Lurking in Your Hospital?

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

Reducing Cyber Risk in Your Organization

Common Data Breach Threats Facing Financial Institutions

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Data Security for the Hospitality

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

CSR Breach Reporting Service Frequently Asked Questions

Impact of Data Breaches

Security Basics: A Whitepaper

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Review: McAfee Vulnerability Manager

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Introduction to Data Privacy & ediscovery Intersection of Data Privacy & ediscovery

Payment Card Security

Transcription:

www.pwc.com Protect your organization s sensitive information and reputation with high-risk data discovery Locate, identify, and classify sensitive data to reduce data privacy risks, lower potential data sharing exposure, and improve compliance

Table of contents High-risk data is an important business asset. Are you protecting it wisely?... 1 Taking the practical approach to high-risk data discovery... 5 What this means for your business... 8

High-risk data is an important business asset. Are you protecting it wisely? To operate its day-to-day business successfully, a company must be adept at collecting, storing, processing, and transforming data. These capabilities allow a company to efficiently bill customers, create new products and services, and analyze sales trends to devise targeted marketing plans. This critical information should be protected like any other valuable asset. As the world has become more reliant on technology, high-tech criminals have also adapted, becoming more and more sophisticated and organized. They can exploit human error and weak security controls to steal trade secrets, payment card data, employee and customer information, and other personal information. Hackers not only rob a company of data, they impugn its integrity, breach its trust with clients and customers, and damage its brand and reputation. Criminals are not the only concern. Well-meaning employees may lack the tools and training to protect high-risk data. Consider what could happen if someone e-mails an unencrypted file containing high-risk data to the wrong recipient, loses a flash drive containing sensitive information, or leaves a notebook computer unguarded at a restaurant, coffee shop, or other public location. Similarly, organizations may lack the technology, standards, and processes that can help identify, catalog, and control high-risk data throughout the organization. Awareness of identity theft and personal privacy has never been higher, and employees and customers expect your company to protect their sensitive information. The government and many industry groups require your company to be responsible caretakers of their own and other people s information. Consider the effects of: The Health Insurance Portability and Accountability Act (HIPAA) The Gramm-Leach-Billey Act (GLBA), which sets rules regarding the protection of personally identifiable information The Payment Card Industry Data Security Standard (PCI-DSS) The Sarbanes-Oxley Act (SOX) Federal and state data privacy laws High-risk data is any information that, when lost, can lead to significant contractual or legal liabilities; serious damage to your organization s image and reputation; or legal, financial, or business losses. Examples of high-risk information include: Name and contact information PwC Page 1

Name and initials in any combination Home address Home telephone number E-mail address Mobile telephone number Date of birth Personal characteristics Age Gender Marital status Nationality Sexual orientation Racial or ethnic origin Religious beliefs Personally identifiable information Social security number State-issued identification number Mother s maiden name Driver s license number or similar operating license information Passport number Any other government-issued identification number Credit history Criminal history Financial institution data Credit, ATM, and debit card numbers Bank account numbers Financial account numbers Payment card information such as expiration dates, personal identification numbers (PINs), magnetic stripe data, and card verification values (CVVs) PwC Page 2

Security codes, access codes, and passwords that permit access to financial accounts Health and insurance account information Physical and psychological health status and history Disease status and history Medical treatment history Diagnoses by healthcare professionals Prescription information Health insurance information and account number Insurance claim history Medicare and Medicaid information Employment information Income Salary Service fees Other compensation information Background check information Where do you start? Despite the increasing risks and regulations, some companies may hesitate to take the first step toward implementing a high-risk data discovery or recovery strategy. Some decision-makers will ask what it costs and how it fits into the business strategy. Others may not understand the need review high-risk data concerns, or will not want to address something that may expose risks or that has not presented problems in the past. In other cases, company leaders may not understand their company s exposure to high-risk data loss. They may not know how to articulate their needs, or how to start addressing their challenges. After a security breach involving high-risk data, companies are required to create an inventory of high-risk data on the affected systems in order to determine what may have been compromised and to inform customers of the breach. Your company may not know what high risk-data it collects, where the data is stored, or how it is protected. Companies often say they lack these critical capabilities because their information technology (IT) operations grew rapidly to accommodate business requirements, and database administrators simply were not aware of the risk management issues and leading practices involved in collecting and storing certain types of information. PwC Page 3

Other companies say that high-risk data became hard to manage because business units developed separate databases to collect and store data, which limits connectivity between IT systems and slows the adoption of enterprise-wide standards and governance. Introducing processes, technology, and new methods for collecting and storing high-risk data represents an investment of time, people, and money for many companies, and does not readily offer as compelling a return as other IT initiatives. These concerns are valid, but it is important to remember that high-risk data initiatives, like all exercises in information security, can play a significant role in your IT organization s evolution from asset guardian to strategic business enabler. While highrisk data discovery can be a one-time exercise for your organization, it can also be part of a well-designed, multifaceted security strategy, aligned to business objectives. PwC Page 4

Taking the practical approach to high-risk data discovery Look for a solution that will fit your needs If time and money were no object, your company could scour every single data byte to discover where its high-risk data is located, and determine the risks associated with each kind of information. Of course, this type of intense scrutiny is rarely necessary or worthwhile. Even if your company had the resources to conduct such a high-risk data discovery initiative, a manual effort would be slow, expensive, and inefficient. Instead, your company should look for a high-risk data discovery strategy that is practical, efficient, and provides useful and valuable results. When searching for a solution provider, consider the following: A solution provider should help you locate the data, determine what kind of information it is, identify its current storage state (that is, whether it is held in the clear, or stored in an obfuscated state such as encryption, truncation, or tokenization), and the risk it may present. A solution provider should combine top-down and bottom-up approaches to add specificity to the known high-risk data areas within your systems, while also finding the unknown sensitive data risks. The top-down approach involves talking to people and reviewing processes, while the bottom-up approach uses a variety of tools to search for potentially sensitive information. Combined, these two approaches provide a complete, thorough, and detailed investigation of a company s known and unknown data risks. A solution provider should not just rely on technology. Professionals should also work with your company to understand your people, practices, and systems so that they better understand how information is stored in your organization and where highrisk data may be most vulnerable. A solution provider should help your company use a wide variety of tools from leading applications to custom designed programs to find high-risk data stored in multiple locations as cost effectively, efficiently, and accurately as possible. Results from the high-risk data discovery process should help your company address its information vulnerabilities with thorough details, customized reports, data categorization, and risk assessments that can be used to design improvements and remediation action plans. PwC Page 5

How PwC helps companies locate, identify, and classify high-risk data Your company should focus its protection efforts and controls where the need is the greatest: around its high-risk data. To do this, the company must understand the relative value of different classes of information. PwC can help your company locate, identify, and classify information. PwC s High-Risk Data Discovery team helps companies inventory their data, regardless of physical location, and assign classifications of sensitivity based on legal, compliance, and riskmanagement criteria. Organizations store high-risk data in two environments: What is it? Examples Structured environments Ordered databases May be linked to business applications, human resources (HR), or payroll systems, sales and marketing software, or financial applications Information is typically located on servers that are shared either by the entire organization or by individual business units Oracle databases Unstructured environments Information saved outside an arranged database Typically exists in files that can be scattered throughout the enterprise in various documents, saved on servers or individual employees computers Can also be located on media not connected to the organization s networks, such as thumb drives, optical discs, or portable hard drives Files may be saved and encrypted in myriad formats, depending on customs and preferences of users and work groups Microsoft Excel worksheets IBM DB2 Enterprise Server databases Microsoft SQL databases Microsoft Word documents Text files Each environment requires a different approach to effectively locate high-risk data. For structured data environments, PwC has developed a proprietary database analysis tool. PwC s data identification tool scans databases efficiently and precisely, identifying field names or records that might signify high-risk data and then validating actual field values against field format requirements to gain information about the data type, its current state, and its relative risk rating. For unstructured environments, PwC helps companies take advantage of industry-leading data discovery tools to search for sensitive data in documents that are spread across multiple locations. PwC can also help companies use a data discovery tool to look for sensitive data in e-mail messages and attachments. PwC takes a thorough approach to data discovery. In addition to analyzing the structured and unstructured data environments, our professionals interview application owners and review documentation to gain a fuller understanding of your company s practices and potential risk areas. PwC Page 6

Seeing the big picture And the smallest details PwC s Data Discovery Summary Tool provides immediate, interactive access to the findings and results in the following areas: A bird s-eye view of the overall data environment: All of the servers, databases, and applications in the IT environment, and their relationships to each other Searchable, detailed information: Detailed information about databases, tables, and fields on each server, along with risk magnitude information for each high-risk data type Custom reports: Summary reports that can be printed, or exported to Excel PwC Page 7

What this means for your business Your company may be under pressure to locate, identify, and classify high-risk data to meet government and industry requirements. Or you may need to undertake a high-risk data discovery exercise in response to a recent security breach. Or you may decide to pursue high-risk data discovery to gain a more complete picture of your organization s risks and vulnerabilities. Regardless of the factors that have led you to consider high-risk data discovery services, protecting your company s information is clearly a strategic business imperative. A highrisk data discovery exercise can be part of a broader initiative to protect the confidentiality, integrity, and accessibility of sensitive information around the enterprise. PwC can help your company design a high-risk data discovery solution that meets your organization s needs and goals. For a deeper conversation about high-risk data discovery and what it can do for your company, please contact: Laura Guilbert laura.guilbert@us.pwc.com 415-498-5710 Andrew Toner andrew.toner@us.pwc.com 646-471-8327 PwC Page 8

2010 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information