Data Protection. Plugging the gap. Gary Comiskey 26 February 2010


Data Protection Trends in Financial Services
- Financial services firms are deploying data protection solutions across the enterprise at different levels of maturity: in silos, in clusters and in centre-of-excellence models.
- Offshoring and outsourcing to third-party firms demand a solution that lets data flow across the network perimeter under control.
- Brand protection is getting more attention as consumers and business partners grow intolerant of numerous and massive breaches.
- Financial firms are focusing on compliance and on remediating risk, balanced and aligned with their technology strategy.
- The vendor landscape is consolidating and maturing into vertical solutions: fewer vendors with more robust functionality.
- Developer access to production programs is driving data obfuscation as a solution to one piece of the problem, and regulation is becoming more specific and prescriptive.

Regulatory and compliance pressures, the need to enable more efficient delivery models (offshoring and outsourcing) and the need to reduce the risk created by developer access to production are driving financial services firms to deploy data protection solutions as an enterprise control.

Recent Deloitte Surveys

Irish survey:
- 77% believe it is easy to remove sensitive data from the workplace.
- 80% of respondents said that sensitive data was left unattended in their workplace.
- 50% indicated that sensitive data was left unattended across the organisation.
- Where it is left unattended (chart): desks 49%, printers 25%, photocopiers 15%; the chart also has bars for fax machines and "all" whose values are not legible in the transcription.

Global survey:
- 66.4% of respondents experienced between 6 and 20 incidents, and 12.3% indicated more than 20.
- Almost 10% of respondents lost more than 25,000 records in a single data breach.
- 21.5% were not sure how many records were lost.
- [Chart: records lost during the single "most significant" data breach, as a percentage of respondents, in the bands no response, not sure, 1 to 100, 101 to 1,000, 1,001 to 5,000, 5,001 to 25,000 and over 25,000.]

Ways Enterprise Data is Compromised
The majority of these breaches occur inside the firewall. Privileged users (developers, systems administrators, testers) present a substantial risk because of their knowledge of the systems and their access to the data.

[Diagram: external users reach a load balancer, web server, application server, ERP and database; file servers, internal users, privileged users and backups sit inside the firewall. The numbered threat types are:]
1. External users
2. Internal users
3. File and web servers
4. Administrators, DBAs and developers
5. Database vulnerabilities
6. Data backups

Insider threats are a concern: 75% of threats come from insiders, and 60% of internal threats are undetected. (Source: Forrester)

Ways to Protect Enterprise Data
[Diagram of the production and non-production estate, with the controls applied at each point:]
- Production (web server, application server, database server): strong security measures, strict access control for users and administrators, encryption, audit.
- Non-production environments (Dev, Test, QA, Stage) used by developers and testers: data masking or dummy data in place of production data.
- Backups: encryption.
- Administration network: audit, process and procedures, security policies and procedures.

Understanding Data Protection Controls
A layered security approach should be adopted to protect sensitive data within environments. Sensitive data protection can be viewed as a combination of:
- controlling access to sensitive data via user access controls;
- masking or obfuscating sensitive data where user access controls alone are not sufficient.

Protection of sensitive data is achieved by combining data masking and user access controls across the three layers of users, systems/applications and data:
- For production systems, restrict access to sensitive data (e.g. eliminate developer access to production and give support personnel access on a need-only basis). Data masking in production systems is achieved at the application layer using native tools and custom scripts.
- For test, QA and development systems, eliminate the use of production data. Data masking for these systems is achieved at the database level.

Key Considerations for Data Protection
An enterprise data protection strategy starts with understanding what your assets are. Not all data can be protected equally, so first understand what needs to be protected the most:
- What information and system/application assets are most critical?
- What is the data of concern?
- What are the data integrity and data privacy responsibilities?

A risk-based approach to data protection focuses on mitigating high-risk issues first. Begin by establishing risk profiles that account for:
- the sensitivity of the data;
- the end users who will access the data (e.g. developers, testers, QA personnel);
- the systems and applications that will access and store the sensitive data.

Establishing risk profiles helps the organisation understand its landscape and helps the security teams set the policies that determine how systems and applications are configured, what rights users have, and what security mechanisms need to be in place to protect the data of concern:
- Data: how critical is it? How exposed is it?
- Systems/applications: what are they and how secure are they?
- Users: what data do they handle? Are they a security risk?

Step 1: Understand where your data is
- Understand existing methodologies.
- Data inventory and lifecycle: methodology and process.
- Key deliverable: data flow diagrams.

Use Technology Where Possible
The questions a data protection (DP) tool should answer, and the capabilities that answer them:
- Where is sensitive data located? Discovery across desktops, servers and storage; classification by tagging, content similarity and keyword dictionary, with context from the server, application, file type and user.
- What is the user doing with it? Unstructured data: read, write, copy/paste, move, print, burn, upload. Structured data: view, modify, delete, extract.
- Where is the data going? E-mail, applications, devices, networks.
- Apply DP policy and actions: detection (alert, notify); awareness (prompt, capture intent); protection (encrypt, block, mask, need-to-know); audit (logging).
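The discovery and classification step above is where most DP tools generate their false positives: a sixteen-digit tracking reference looks exactly like a card number to a regular expression. The following is an added example (not code from the deck, Deloitte or any DP vendor) of a small classifier that combines a keyword dictionary with pattern matching, validates card-number candidates with the Luhn check before labelling them "restricted", and maps the label plus the user's operation to one of the actions listed on the slide. The keyword list, patterns, sample file contents and the action table are assumptions made for illustration.

```python
"""Sensitive-data discovery and classification (added example, not from the slides).

Scans constructed sample content for dictionary keywords and identifier
patterns, validates card-number candidates with the Luhn check so that
look-alike digit runs do not trigger a "restricted" label, and maps the label
plus the user's operation to a data-protection action. Keyword list, patterns,
file paths and the action table are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

KEYWORDS = ("confidential", "payroll", "sort code", "national insurance")  # assumed dictionary
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                      # candidate PAN, 13-19 digits
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.I)    # UK National Insurance number
RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for a structurally valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    location: str
    label: str = "public"
    evidence: list = field(default_factory=list)

    def raise_to(self, label: str, why: str) -> None:
        """Record evidence and raise the label; a label never goes down."""
        self.evidence.append(why)
        if RANK[label] > RANK[self.label]:
            self.label = label


def classify(location: str, text: str) -> Finding:
    """Classify one content item by keyword dictionary and validated patterns."""
    f = Finding(location)
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            f.raise_to("confidential", f"keyword:{kw}")
    for m in EMAIL_RE.finditer(text):
        f.raise_to("confidential", f"email:{m.group()}")
    for m in NINO_RE.finditer(text):
        f.raise_to("restricted", f"nino:{m.group()[:2]}******{m.group()[-1]}")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # digit runs that fail Luhn are left unlabelled
            f.raise_to("restricted",
                       f"pan:{digits[:6]}{'*' * (len(digits) - 10)}{digits[-4:]}")
    return f


def decide(label: str, operation: str) -> str:
    """Map classification + user operation to the DP action (assumed policy table)."""
    egress = {"upload", "email", "burn", "copy_usb", "print"}
    if label == "restricted" and operation in egress:
        return "block+alert"
    if label == "restricted":
        return "encrypt+audit"
    if label == "confidential" and operation in egress:
        return "prompt+audit"   # awareness prompt, capture the user's stated intent
    return "audit"


# Constructed sample content standing in for files found on desktops/servers/storage.
SAMPLE_FILES = {
    "shared/finance/q1_notes.txt": "Confidential: payroll run complete, queries to payroll@example.com",
    "home/dev/test_fixture.csv": "id,card\n1,4111 1111 1111 1111\n2,1234 5678 1234 5678",
    "shared/marketing/launch.txt": "Campaign launch 14 March, tracking ref 1234567812345678",
}


def scan(files: dict) -> list:
    """Classify every item in a {location: content} mapping."""
    return [classify(path, text) for path, text in files.items()]


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding.location, finding.label, decide(finding.label, "upload"), finding.evidence)
```

The marketing note carries a sixteen-digit run that fails Luhn and so stays "public", while the developer's test fixture is flagged "restricted" because it holds a structurally valid card number in a non-production location, which is exactly the "production data in test" problem the next slides address.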

Data Protection Methods
Data protection is a general term that encompasses a number of methods, including:

Data encryption is a method of modifying data so that it is meaningless and unreadable in its encrypted form. It must also be reasonably secure, i.e. it must not be easily decrypted without the proper key.

Data obfuscation is data that has been rendered unusable by some means but is not considered a serious form of encryption (obfuscating data with a simple substitution cipher is not encryption). Techniques include:
- Substitution, which replaces a value in the column with fictionalised data.
- Randomisation, which replaces the value with random data.
- Shuffling, which switches column values between records.
- Nullifying, which replaces column values with NULL.
- Skewing, which alters numeric data by a random variance.
- Encryption/decryption, which employs reversible scrambling (the one technique in this list that can be undone by whoever holds the key, so it should not be relied on where non-production users must never recover the original).

Data masking is a method of hiding sensitive data so that the clear text cannot be reconstructed from the displayed data. This is useful where only a portion of the data needs to be displayed (for example the last four digits of a card number).

Data generation is a method of creating fictional data that follows defined patterns to completely replace the original data set, with the intent that it can be fully displayed.

Data redaction is a method of locating unstructured data in a document, indexing it (using OCR where necessary) and masking or obfuscating it as appropriate.

Key Objectives of a Data Protection Solution
An effective data protection program requires four critical factors to ensure success.
- Scalability: the solution meets the volume and performance requirements that come with scaling the number of applications (e.g. a data obfuscation process for 20 applications scaling to UAT with 200 applications).
- Sustainability: the solution has the checks and balances needed to ensure the integrity and longevity of the obfuscated data (e.g. segregation of duties, safeguarding of the algorithm and its keys in a vault, a request and distribution process).
- Repeatability: the solution can be replicated across multiple environments to ensure consistency (as obfuscated data proliferates through the estate, the obfuscation processes need to be reusable and repeated across the enterprise).
- Control: the solution is a compensating control and needs to be treated with discipline, including the governance, reviews, monitoring and testing needed to confirm the control objectives are met (e.g. scheduled audits of obfuscation processes, random tests for reversibility).
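The obfuscation techniques listed under Data Protection Methods above, together with the reversibility test and the referential-integrity concern raised under Control and Sustainability, are easier to reason about on a concrete table. The following is an added example (not code from the deck or from any masking product) that applies substitution, randomisation, masking, skewing, shuffling and nullifying to a constructed customer table, pseudonymises the customer key with a keyed HMAC so that a linked transactions table still joins, and then runs the two checks a masking control should pass. The table layout, the fictional name pool and MASK_KEY are assumptions; in a real deployment the key is the "algorithm safeguard" that lives in the vault and is never copied to non-production.

```python
"""Data-obfuscation techniques applied to a constructed customer dataset, with the
reversibility and referential-integrity checks a masking control should pass.
Added example, not code from the original deck. The table layout, the name pool
and MASK_KEY are assumptions; in practice the key lives in a vault and is never
distributed with the masked data.
"""
import hashlib
import hmac
import random

MASK_KEY = b"assumed-masking-key-held-in-vault"   # assumption for the example
NAME_POOL = ["Pat Smith", "Sam Jones", "Chris Lee", "Alex Brown", "Jo Walsh"]  # fictional

# Constructed production-like data; nothing here belongs to a real person.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Murphy", "email": "alice.m@example.com",
     "pan": "4111111111111111", "salary": 52000.0, "notes": "Dispute open"},
    {"customer_id": 1002, "name": "Brian Walsh", "email": "bwalsh@example.com",
     "pan": "5555555555554444", "salary": 61000.0, "notes": None},
    {"customer_id": 1003, "name": "Ciara Byrne", "email": "ciara@example.com",
     "pan": "378282246310005", "salary": 48500.0, "notes": "VIP"},
]
TRANSACTIONS = [
    {"txn_id": 1, "customer_id": 1001, "amount": 120.50},
    {"txn_id": 2, "customer_id": 1003, "amount": 75.00},
    {"txn_id": 3, "customer_id": 1001, "amount": 10.00},
]


def pseudonymize_key(value, key=MASK_KEY, width=8):
    """Substitution for key columns: a keyed HMAC gives the same output for the same
    input in every table and every run, so joins survive (repeatability), while the
    mapping cannot be rebuilt from the masked data without the key."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return "C" + digest[:width].upper()


def substitute_name(value, key=MASK_KEY):
    """Substitution: a fictional value chosen deterministically from a pool
    (two inputs may share a pool entry; that is acceptable for a name column)."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return NAME_POOL[int.from_bytes(digest[:4], "big") % len(NAME_POOL)]


def randomize_email(rng):
    """Randomisation: no relationship to the original at all."""
    return f"user{rng.randrange(10**6):06d}@example.invalid"


def mask_pan(pan):
    """Masking: keep only the last four digits; the clear text is not reconstructible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def skew(value, rng, variance=0.10):
    """Skewing: numeric value altered by a random variance within +/- variance."""
    return round(value * (1 + rng.uniform(-variance, variance)), 2)


def shuffle_column(rows, column, rng):
    """Shuffling: real values stay in the column but move between records."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(rows, values)]


def obfuscate(customers, transactions, seed=None):
    """Apply one technique per column and pseudonymise the foreign key consistently."""
    rng = random.Random(seed)  # a fixed seed is only for a repeatable demonstration
    masked = []
    for row in customers:
        masked.append({
            "customer_id": pseudonymize_key(row["customer_id"]),
            "name": substitute_name(row["name"]),
            "email": randomize_email(rng),
            "pan": mask_pan(row["pan"]),
            "salary": skew(row["salary"], rng),
            "notes": None,                      # nullifying free text
        })
    masked = shuffle_column(masked, "salary", rng)
    masked_txns = [dict(t, customer_id=pseudonymize_key(t["customer_id"]))
                   for t in transactions]
    return masked, masked_txns


def referential_integrity_ok(customers, transactions):
    """Every masked transaction still points at a masked customer row."""
    ids = {c["customer_id"] for c in customers}
    return all(t["customer_id"] in ids for t in transactions)


def leaks_original(original, masked, columns):
    """Reversibility spot check: no original sensitive value survives verbatim."""
    seen = {str(r[c]) for r in original for c in columns if r[c] is not None}
    return any(r[c] is not None and str(r[c]) in seen for r in masked for c in columns)


if __name__ == "__main__":
    mc, mt = obfuscate(CUSTOMERS, TRANSACTIONS, seed=1)
    print(mc, mt, referential_integrity_ok(mc, mt),
          leaks_original(CUSTOMERS, mc, ["name", "email", "pan", "salary", "notes"]))
```

Two of the choices matter for the Control objective: the HMAC pseudonym is re-derivable by whoever holds the key (which is what makes the process repeatable across Dev, Test and QA) but is not invertible from the masked rows, whereas the "encryption/decryption" technique on the methods slide is invertible by design and should not be used where the point is to keep the clear text away from non-production users.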

Data Protection Areas of Focus: Information Security Policy
- Purpose: to provide management direction and support for information security.
- The policy document should be approved by management, published and communicated, as appropriate, to all employees.
- Review and evaluation: the policy should have an owner who is responsible for its maintenance and review according to a defined review process.

Information Security Infrastructure
- Establish a management forum so that there is clear direction and visible management support for security initiatives.
- Consider a cross-functional forum with representatives from relevant parts of the organisation to coordinate the implementation of information security controls.
- The forum is responsible for the protection of information assets and for carrying out specific security processes.

Data Protection Areas of Focus: Access Control
- Establish formal user registration and de-registration procedures for granting access to all multi-user information systems and services.
- The allocation and use of privileges should be restricted and controlled.
- Ensure adequate password security is implemented: minimum length, periodic changes, complex characters. (Later guidance such as NIST SP 800-63B favours length and screening against known-breached passwords over scheduled forced changes, so revisit the rotation rule when the policy is reviewed.)
- Implement a process to review users' access rights at regular intervals.
- Don't forget physical security!

Logging and Monitoring
- Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist future investigations and access control monitoring.
- Use technology where possible; manual workarounds are possible where it is not.
- Consider building logging into any system change request.
- Conduct periodic reviews of access patterns.
- Inform staff that access is monitored and ensure they are aware of their responsibilities.
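The two review activities above (periodic review of access rights and periodic review of access patterns) are usually done against the same two inputs: the entitlements that were granted and the audit log of what was actually done. The following is an added example (not code from the deck) that reads a handful of constructed database audit lines, flags a developer reading a sensitive production table and a DBA bulk-reading card data, and lists entitlements that have not been exercised within the review window so they can be revoked. The log format, role names, sensitive-object list, thresholds and entitlement records are assumptions; the regular expression must be adapted to whatever your database or DLP tool actually emits.

```python
"""Periodic review of access patterns and access rights over constructed audit-log
lines. Added example, not from the original deck. The log format, the role names,
the sensitive-object list, the thresholds and the entitlement records are
assumptions; adapt LOG_RE to the audit format your database or DLP tool emits.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)
SENSITIVE_OBJECTS = {"CUSTOMER", "CARD", "PAYROLL"}   # assumed: taken from the data inventory
NON_PROD_ROLES = {"developer", "tester"}               # must never read production data
BULK_ROWS = 1000                                       # assumed threshold for admin bulk reads
REVIEW_DATE = datetime(2010, 2, 26)                    # "now" for the example (the talk date)

# Constructed audit lines (no real system); one deliberately malformed line is included.
AUDIT_LOG = """
2010-02-15T09:12:03Z db=PROD user=jsmith role=developer action=SELECT object=CUSTOMER rows=2500
2010-02-15T09:15:44Z db=TEST user=jsmith role=developer action=SELECT object=CUSTOMER rows=2500
2010-02-16T22:40:10Z db=PROD user=akelly role=dba action=SELECT object=CARD rows=120000
2010-02-17T10:02:00Z db=PROD user=mbyrne role=support action=SELECT object=CUSTOMER rows=1
2010-02-17T10:05:31Z db=PROD user=akelly role=dba action=ALTER object=ORDERS rows=0
this line is not in the expected format
""".strip().splitlines()

# Constructed entitlement records: (user, role, database) as granted, not as used.
ENTITLEMENTS = [
    ("jsmith", "developer", "PROD"),
    ("akelly", "dba", "PROD"),
    ("mbyrne", "support", "PROD"),
    ("rdoyle", "dba", "PROD"),
]


def parse(line):
    """Return a dict for a well-formed line, or None so the caller can count skips."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["rows"] = int(e["rows"])
    return e


def review(log_lines, entitlements, now, dormant_days=90):
    """Flag risky access patterns and entitlements with no recent use.

    Returns (findings, dormant, skipped): findings are (rule, user, timestamp)
    tuples, dormant lists unused entitlements, skipped counts unparseable lines.
    """
    events, skipped = [], 0
    for line in log_lines:
        e = parse(line)
        if e is None:
            skipped += 1      # unparseable audit lines are themselves worth reporting
        else:
            events.append(e)

    findings = []
    for e in events:
        if e["db"] == "PROD" and e["role"] in NON_PROD_ROLES and e["obj"] in SENSITIVE_OBJECTS:
            findings.append(("dev_access_to_prod_data", e["user"], e["ts"]))
        if (e["role"] == "dba" and e["action"] == "SELECT"
                and e["obj"] in SENSITIVE_OBJECTS and e["rows"] >= BULK_ROWS):
            findings.append(("admin_bulk_read", e["user"], e["ts"]))

    # Rights review: an entitlement nobody has used inside the window is a revocation candidate.
    last_seen = {}
    for e in events:
        key = (e["user"], e["db"])
        last_seen[key] = max(last_seen.get(key, e["ts"]), e["ts"])
    cutoff = now - timedelta(days=dormant_days)
    dormant = [ent for ent in entitlements
               if last_seen.get((ent[0], ent[2]), cutoff) <= cutoff]
    return findings, dormant, skipped


if __name__ == "__main__":
    f, d, s = review(AUDIT_LOG, ENTITLEMENTS, REVIEW_DATE)
    for item in f:
        print("FINDING", *item)
    for ent in d:
        print("DORMANT", *ent)
    print("skipped lines:", s)
```

The developer's identical query against TEST is deliberately not flagged: the control is about production data, and masked test data is where that query should be running. The unparseable line is counted rather than silently dropped, because a log whose format changed under you is a monitoring gap of its own.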

Data Protection Areas of Focus: System Development and Maintenance
- Business requirements for new systems, or enhancements to existing systems, should specify the data protection requirements.
- Validation checks should be performed for any data migration to ensure that data remains current and accurate.
- Test data should be protected and controlled; preferably, dummy data should be used.

Portable Storage Devices
- The biggest area for accidental data loss.
- Must be password protected and should be encrypted.
- Preferably do not store personal or sensitive data on them at all.
- Ensure that all default passwords are changed.
- Use secure access to central data storage where possible instead.
- Ensure that current encryption standards are used.
- Consider two-factor authentication.

Data Protection Areas of Focus: Data Destruction
- Have appropriate procedures.
- Ensure that electronic storage devices are securely destroyed.
- Where external parties are used, ensure they sign up to your data protection standards.
- Develop a data retention policy: decide how long data will be kept.
- Ensure that the destruction process is robust.
- Consider periodic reviews of destruction providers to confirm that their procedures are appropriate; don't just rely on the contract.

Data Protection Technology and Tool Selection Criteria
When selecting a data protection tool it is crucial to ensure that it can adapt to and fit into your organisation. Pointers to consider range from compatibility to integration with the SDLC.
- Platform and database compatibility: ensure that the supported databases and platforms fit the needs and requirements of the organisation.
- Protection process on extract: analyse the protection process on extract, including timing, scheduling, maintenance and monitoring.
- Referential integrity and key identification: ensure that the tool can identify all database-level keys and preserve table integrity (a key masked in one table must be masked identically in every table that references it, or the masked environment will not join).
- Built-in protection techniques: most solutions ship with a number of protection techniques or algorithms, which can significantly enhance and simplify implementation.
- Graphical user interface (GUI): most tools can be controlled through a GUI, although some vendor tools still rely on command-line management.
- Version control: version control varies across tools; check the selected tool's version control methods.
- Integration with the SDLC: ensure that the tool can integrate with the organisation's SDLC throughout deployment and implementation.

Key Challenges
- Securing buy-in from senior management.
- The need to understand the data held within the organisation.
- Training and awareness for staff.
- Using the right technology solutions.
- Embedding data protection into the organisation.