THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155


SPEAKERS
David Forrestall, CISSP, CISA, SecurIT360
Carl Scaffidi, CISSP, ISSAP, CEH, CISM, Director of Information Security, Baker Donelson

AGENDA
Overview
Legal
Strategy
Implementation
Protection Strategies
Benefits of DLP
References

OVERVIEW AND STRATEGY

DATA PROTECTION LIFECYCLE
Understand
Classify Data
Protect
Improve and remediate

BASICS
Definition: in the context of information security, data classification is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered or destroyed without authorization.
Purpose: to apply proper security to different levels of sensitivity.

DATA CLASSIFICATION STANDARDS
Government
ISO 27000
ISACA
Others

CLASSIFICATION PROCEDURES
1. Define classification levels
2. Specify the criteria by which data will be classified
3. Have the data owner indicate the classification level
4. Identify the data custodian who will be responsible for maintaining the data and its security level
5. Indicate the controls to be applied at each classification level

Definition: categorization of information based on sensitivity.
Purpose: to apply proper security to different levels of sensitivity.

PRACTICAL APPLICATION

PRACTICAL APPLICATION (2)

AS YOU MATURE

SUGGESTED CLASSES FOR LAW FIRMS
1. Public or non-sensitive
2. Firm Internal
3. Confidential Internal
4. Client Confidential
5. Highly Confidential Client

SUGGESTED CLASSES FOR LAW FIRMS
1. Public or non-sensitive: Public information may be shared with no risk of negative impact to the firm or its clients (i.e. the data is not confidential). Data integrity is not vital. Loss of service due to malicious attacks is an acceptable danger.
2. Firm Internal: External access to this information is to be prevented, but should this data become public, the consequences are not critical and would have minimal impact to the firm. Data integrity is important but not vital.

SUGGESTED CLASSES FOR LAW FIRMS (2)
3. Confidential Internal: Information in this class is confidential within the firm and protected from external access. If such data was accessed by unauthorized persons, it could influence the firm's operational effectiveness, cause an important financial loss, or cause reputational risk to the firm. Data integrity is critical.
4. Client Confidential: Under the governing rules of professional responsibility, nearly all data relating to client representations requires protection. Unauthorized external access to this data would be damaging to the firm. Data integrity is vital. Strict rules should be adhered to in the usage of this data.

SUGGESTED CLASSES FOR LAW FIRMS (3)
5. Highly Confidential Client: Client and firm data regulated with additional security requirements. Unauthorized internal OR external access to this data could have a major impact to the firm. Breach notification is required. Fines and other penalties could occur. Data integrity is vital. Examples: banking, healthcare, military, minors, and other types of data governed by legislating bodies.

FOR EACH CLASS (shown for Highly Confidential Client)
Examples: Banking, healthcare, military, minors, and other types of data governed by legislating bodies.
Access: Employees with a business need to know. As required by the client, access will be restricted only to attorneys and staff that have been assigned to client engagements.
Distribution within : Standard interoffice mail, approved electronic mail and encrypted electronic file transmission methods.
Distribution outside of : U.S. mail and other public or private carriers, approved encrypted electronic mail and electronic file transmission methods.
Electronic distribution: All Highly Confidential Client information should be transferred using encryption.
Storage and backup: Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Highly Confidential Client information should not be stored on devices or media that is not owned or managed by . When stored on removable media, information should be encrypted, password protected, or both. Highly Confidential Client information should be backed up following normal procedures.
Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

LEGAL MATRIX

DATA PROTECTION


DATA PROTECTION LIFE CYCLE STEPS
1. Understand
2. Classify
3. Protect
4. Monitor
5. Improve and remediate

PROTECTING DATA
People
Policy
Process
Education
Technology
DLP

WHERE DOES DATA LIVE
Servers
Laptops and desktops
Cloud
Collaboration (SharePoint, etc.)
Email
Removable media
Mobile

HOW CAN DATA BE LOST
Loss or theft of laptops and mobile devices
Sensitive data stored in unprotected locations
Unauthorized transfer of data to portable media
File sharing/P2P
Instant messaging, social media, and personal web mail
Copying/printing of sensitive data
Corporate email

DATA LOSS EVENTS OCCUR DAILY AND COST ORGANIZATIONS MILLIONS OF DOLLARS
Impact of data loss incidents:
Significant incident response costs and legal fees
Regulatory fines
Reputational damage
Brand loyalty switch
Loss of investor confidence
Erosion of trust
Customer turnover
Loss of competitive advantage
According to the 2016 Ponemon Institute study, the consolidated total cost per data breach was $4 million ($158 per compromised record).

THINK LIKE AN OUTSIDER: WHAT TYPES OF INFORMATION ARE MOST LIKELY TO BE TARGETED?
Examples of questions that should be discussed with data owners include:
What data would hurt us the most if it fell into the wrong hands?
What information gives us competitive advantage in the market?
What data would someone want to steal?
What knowledge makes us better than our competition?
Where are we investing in research and development?
What would we be very embarrassed to lose?
What data would trigger compliance requirements?

DATA LOSS IS A SIGNIFICANT RISK
Examples of sensitive data types:
Personally identifiable information (PII): names, addresses, email addresses, phone numbers and demographic information; Social Security numbers and other national identifiers; banking information and credit card numbers; personal health information (PHI)
Intellectual property: product designs; source code; pending patents; formulations; manufacturing process instructions and procedures; research and development results and analysis; exploration data
Proprietary information: customer lists; pricing, cost and sales information; pre-released financial results; merger and acquisition information; third-party contracts; strategy and product road maps; bid plans; scientific papers

DLP DATA LOSS PREVENTION

DLP FRAMEWORK (slide diagram)
Data governance: policies and standards; identification; risk assessment; classification; architecture; quality
Data protection controls: data in motion, data in use, data at rest; structured and unstructured data; perimeter security; privileged user monitoring; encryption
Focus areas: network traffic monitoring/blocking; web content filtering; data collection and exchange; messaging (email, IM); workstation restrictions; application controls; data labelling/tagging; removable/external media control; obfuscation/tokenization; mobile device protection; network/server repository control; physical media control; remote access; export/clipboard/print control; archive, disposal and destruction
Supporting information security processes: identity/access management; security information management; configuration management; vulnerability management; digital rights management; incident response; physical security; training and awareness; asset management; data privacy; employee screening and vetting; third party management; BCP/DR; records management; risk management and reporting; change management/SDLC

DATA IN USE
Active data a user is currently interacting with:
Screen capture
Copy/paste
Print and fax
Document editing and creation

DATA IN MOTION
Data currently traversing a network, internal or external:
Email
Instant messaging
Websites

DATA AT REST
Data being stored:
Hard drives
NAS
File servers
Databases
Removable media
Backups

DLP SOLUTIONS: DATA MATCHING
Structured data fingerprinting
Statistical methods
Rule and RegEx matching
Published lexicons
Conceptual definitions
Keywords

TECHNICAL SOLUTION DEPLOYMENT
Endpoint: control user capabilities on endpoint systems (data in use; workstations)
Network prevention: detect sensitive data flowing through the border and block traffic which violates DLP rules (data in motion; email, SSL, web proxy)
Network discovery: scan the network and specific hosts/shares to identify and report (and potentially quarantine) unprotected sensitive data (data at rest; databases or repositories)
Network monitoring: detect and report on sensitive data in motion

RULE ENFORCEMENT
1. Data is scanned
2. Data rule is triggered
3. Data is actioned
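To make the three-step rule enforcement concrete, here is an added example (not from the presentation or either speaker's firm) of a minimal DLP rule engine: regex and lexicon rules, as listed under DLP SOLUTIONS, map a match to one of the deck's suggested law-firm classes, and a policy table turns the class plus the channel in use into an action. The rule set, the Luhn validator on card matches, the channel names and the policy table are all constructed for illustration.

```python
import re

# Classification levels from the deck, least to most sensitive; list index is the rank.
LEVELS = ["Public", "Firm Internal", "Confidential Internal",
          "Client Confidential", "Highly Confidential Client"]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most 16-digit strings that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed rule set (name, regex, level, optional post-match validator): the
# "Rule and RegEx Matching" and "Published Lexicons" methods from the DLP SOLUTIONS slide.
RULES = [
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Highly Confidential Client", None),
    ("payment_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "Highly Confidential Client",
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    ("privilege_marker", re.compile(r"attorney[- ]client privileged", re.I),
     "Client Confidential", None),
    ("internal_marker", re.compile(r"\bFIRM INTERNAL\b"), "Firm Internal", None),
]

# Constructed enforcement policy: action per classification level and channel;
# anything not listed is allowed.
POLICY = {
    "Highly Confidential Client": {"external_email": "block_unless_encrypted",
                                   "removable_media": "block"},
    "Client Confidential": {"external_email": "alert", "removable_media": "alert"},
    "Confidential Internal": {"external_email": "block", "removable_media": "alert"},
    "Firm Internal": {"external_email": "alert"},
}

def scan(text: str) -> list:
    """Step 1, data is scanned: return (rule name, level) for each rule that fires."""
    hits = []
    for name, pattern, level, validate in RULES:
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                hits.append((name, level))
                break                  # one validated match per rule is enough
    return hits

def classify(text: str) -> str:
    """Step 2, rule is triggered: the item takes the highest level of any hit."""
    return max((lvl for _, lvl in scan(text)), key=LEVELS.index, default="Public")

def enforce(text: str, channel: str) -> str:
    """Step 3, data is actioned: look up the policy for this level and channel."""
    return POLICY.get(classify(text), {}).get(channel, "allow")
```

The Luhn check on card matches is what keeps a bare 16-digit regex from flagging every phone number or invoice ID; a real deployment would add the same kind of validator to the other patterns.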

PROGRAM BENEFITS
Data compliance for audits
Meet certification requirements
Streamlined risk management
Improved Recovery Time Objective (RTO)
Streamlined user access and collaboration
Simplified encryption
Actionable security intelligence
SIEM integration
Monitor for sensitive info based on classification
Alert for data leakage
Active data leakage deterrence

PROGRAM CHALLENGES
Difficulty in identifying all relevant data loss channels within the organization
Complexity of information flows within the extended enterprise
User capabilities to access, copy and send sensitive data outside of the company, including across borders
Growing number and complexity of regulatory requirements to protect sensitive information, particularly for companies operating in many different states and internationally
Lack of forensic / incident response capabilities to effectively respond to data loss and data breaches
Encryption tools allow malicious users to hide their activity from most DLP technology
Maximizing the value of a data

FUNDAMENTAL QUESTIONS TO ANSWER
What sensitive data do you hold?
What is your highest risk sensitive data, considering personally identifiable data, customer data and intellectual property?
Where does your sensitive data reside, both internally and with third parties?
Where is your data going?
Do you comply with the relevant data privacy laws?

ADDITIONAL QUESTIONS FOR THE BOARD & C-SUITE
Are you confident your intellectual property, trade secrets, proprietary information and customer data are protected from insiders?
Are your regulatory and compliance obligations for data protection and privacy being met?
Does your Information Security function know what data is most valuable to the business?
Are stakeholders inquiring what the organization is doing to proactively protect sensitive information?
Have you had a significant data loss incident in the past?

REFERENCES
https://www.sans.org/readingroom/whitepapers/auditing/information-classification-who-846
http://www.cmu.edu/iso/governance/guidelines/dataclassification.html
Google data classification policy
Email david@securit360.com for Word & Excel templates
Email cscaffidi@bakerdonelson.com