How To Protect Your Data From Theft




Transcription:

Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011

Agenda
- Data protection overview
- Case studies
- Ernst & Young's point of view
- Understanding the effectiveness of a program

Why is a Concern?

Data loss in the news:
- Large retail company: 45.6 million credit and debit card numbers were stolen over a period of more than 18 months.
- Large BCBS insurer: 57 hard drives containing member-protected health information were stolen.
- Department of Commerce: an employee inadvertently transmitted over the Internet an unencrypted file containing the personally identifiable information (PII) of Commerce employees to other department employees.
- A medical center in Kentucky is notifying 5,418 patients of a breach resulting from the theft of an unencrypted portable hard drive stored in a locked area.
- An FTC Consent Decree requires monitoring and filtering of outbound computer traffic to block export of sensitive information.

Sources: Ponemon Institute, engadget, Computerworld and CNET news.

- More than 250 privacy laws mandate disclosure of data breaches.
- 2% of laptop inventory cannot be located.
- Fortune 500 companies lose two laptops a day.

High Value Data: It's all about the data

Complexity of Today's challenges with protecting data

[Diagram: the organization's data (confidential information such as marketing plans and intellectual property; customer data such as SSNs, salaries and customer names; health care information such as medical records and payment information; financials such as upcoming reports and M&A plans) surrounded by the parties who handle it: business units, HR, Legal, customer service, marketing, sales, contractors, doctors and finance.]

Data breach incidents cost US companies $204 per compromised record, with an average total per-incident cost of $6.75m (Ponemon Institute).

Data Loss Incidents: How does it happen?
- Loss or theft of laptops and mobile devices
- Unauthorized transfer of data to USB devices
- Access to sensitive files by unauthorized users
- Unable to locate and protect sensitive data
- Lack of content awareness and coordinated response to intrusions
- Print and copy of client data by staff
- Theft of company secrets by employees

Example 1: Technology Company

Client Concerns
- Organization is concerned about software code being pirated.
- During a recent quarter end, the client was concerned about employees communicating confidential information to analysts prior to the analyst call.
- Client wanted to understand their data loss exposure.

Things to Consider
- Do the employees know what they can or cannot communicate to outsiders?
- Does the organization have adequate controls around this sensitive information?
- Should the people leaking information even have access to this information?
- Can the company detect or prevent this from happening?
- How would the company deal with this situation?

Example 2: Oil & Gas Company

Client Concerns
- Organization suspected a hack by the Chinese.
- System administrators accidentally discovered compromised systems when they were logged off.
- Client did not know how long the suspected systems had been compromised or what had been stolen.
- Organization notified the FBI and DHS of the data breach.

Things to Consider
- How long has the company been hacked?
- Has the company lost any valuable information?
- Does the company have to report this breach to anyone?
- What is the root cause of the breach, and can it happen again?
- Was there an insider, or was this completely accomplished from the outside?

Example 3: Chemical Research Company

Client Concerns
- A foreign national working as a chemist in the R&D department resigns.
- Before the employee leaves, she downloads a large amount of intellectual property from highly restricted file shares.
- Client discovers this after the employee has left, is now concerned about the extent of the damage, and wants to prevent this from happening in the future.

Things to Consider
- How does the company monitor employees with access to sensitive information?
- Is there still an insider threat?
- Does the company have any legal protection related to employee theft?
- Does the company have to report the loss?
- How can the company prevent this from happening in the future?

Ernst & Young Point of View: 13th Annual Global Information Security Survey
- More than half say protecting reputation and brand is their biggest information security challenge.
- 64% see the disclosure of sensitive data as one of their top five IT risks.
- 55% indicate they are increasing the level of investment related to their top five areas of information security risk.
- 52% see the use of personal devices as the main cause of an increasing risk of data leakage.
- 50% plan to spend more in the next year on data loss prevention efforts.

Program Success Factors: People, process and technology considerations
- A top-down approach must be applied to holistically address the problem of data loss.
- Governance must be established and roles and responsibilities defined to effectively manage and maintain the program.
- Supporting IT processes must be enhanced based upon gaps uncovered by the data loss risk assessment.
- Technology solutions must be adopted to cover data at rest, data in motion and data in use, to effectively monitor, prevent and respond to data protection requirements.
- A data protection program must include all domains of people, process and technology.

The Program: Data protection requires many people, processes, and technologies

Data protection is an umbrella term that describes the program, governance, policy instantiation, management controls and solution implementation of people, process and technology measures to prevent the loss of, or unauthorized access to, sensitive data.

Data protection conceptual model

Threat sources: employees, contractors, third party partners, former employees, hackers/competitors.

Data states covered: data in motion, data in use, data at rest.

Program components (as listed on the slide):
- Personnel security
- Secure data transfer
- Secure messaging
- Data loss prevention
- Data audit and reporting
- Access controls
- Awareness and training
- Access management
- Rights management
- System and network controls
- Privacy
- Encryption operations
- Data redaction
- Data masking
- Incident response
- Asset management
- Database encryption
- Storage/disk encryption
- Mobile data encryption
- Continuity management
- Information classification, policies and standards
- Data management, audit and reporting
- Data governance and compliance

Understanding the Effectiveness: Assessing the data protection program
- Business Drivers
- Risk, Threat, & Vulnerability Assessments
- Strategy
- Policies & Standards
- Data Classification, Tagging and Labeling
- Processes and Operational Practices
- Technology Specifications
- People & Organizational Management
- Program Compliance Monitoring and Reporting

Contact information: Anil Markose, CISA, CISSP, CIPP, Senior Manager, Ernst & Young LLP. anil.markose@ey.com, Direct: 214 969 9734

Ernst & Young: Assurance, Tax, Transactions, Advisory

About Ernst & Young. Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

About Ernst & Young's Assurance Services. Strong independent assurance provides a timely and constructive challenge to management, a robust and clear perspective to audit committees and critical information for investors and other stakeholders. The quality of our audit starts with our 60,000 assurance professionals, who have the experience of auditing many of the world's leading companies. We provide a consistent worldwide audit by assembling the right multidisciplinary team to address the most complex issues, using a proven global methodology and deploying the latest, high-quality auditing tools. And we work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It's how Ernst & Young makes a difference.

2011 Ernst & Young LLP. All Rights Reserved. 1010-1200121