THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION Session #155
SPEAKERS: David Forrestall, CISSP, CISA, SecurIT360; Carl Scaffidi, CISSP, ISSAP, CEH, CISM, Director of Information Security, Baker Donelson
AGENDA: Overview; Legal Strategy; Implementation; Protection Strategies; Benefits of DLP; References
OVERVIEW AND STRATEGY
DATA PROTECTION LIFECYCLE (cycle): Understand -> Classify Data -> Protect -> Improve and remediate
BASICS. Definition: in the context of information security, data classification is the categorization of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered or destroyed without authorization. Purpose: to apply security controls proportionate to each level of sensitivity.
DATA CLASSIFICATION STANDARDS: Government; ISO 27000; ISACA; others
CLASSIFICATION PROCEDURES: 1. Define the classification levels. 2. Specify the criteria by which data will be classified. 3. Have the data owner indicate the classification level. 4. Identify the data custodian who will be responsible for maintaining the data and its security level. 5. Indicate the controls to be applied at each classification level.
Definition: categorization of information based on sensitivity. Purpose: to apply proper security to different levels of sensitivity.
PRACTICAL APPLICATION
AS YOU MATURE
SUGGESTED CLASSES FOR LAW FIRMS: 1. Public or non-sensitive; 2. Firm Internal; 3. Confidential Internal; 4. Client Confidential; 5. Highly Confidential Client
SUGGESTED CLASSES FOR LAW FIRMS. 1. Public or non-sensitive: public information may be shared with no risk of negative impact to the firm or its clients (i.e. the data is not confidential). Data integrity is not vital. Loss of service due to malicious attacks is an acceptable risk. 2. Firm Internal: external access to this information is to be prevented, but should this data become public, the consequences are not critical and would have minimal impact to the firm. Data integrity is important but not vital.
SUGGESTED CLASSES FOR LAW FIRMS (2). 3. Confidential Internal: information in this class is confidential within the firm and protected from external access. If such data were accessed by unauthorized persons, it could affect the firm's operational effectiveness, cause significant financial loss, or create reputational risk to the firm. Data integrity is critical. 4. Client Confidential: under the governing rules of professional responsibility, nearly all data relating to client representations requires protection. Unauthorized external access to this data would be damaging to the firm. Data integrity is vital. Strict rules should be adhered to in the usage of this data.
SUGGESTED CLASSES FOR LAW FIRMS (3). 5. Highly Confidential Client: client and firm data subject to regulation that imposes additional security requirements. Unauthorized internal OR external access to this data could have a major impact to the firm. Breach notification is required. Fines and other penalties could occur. Data integrity is vital. Examples: banking, healthcare, military, minors, and other types of data governed by legislating bodies.
FOR EACH CLASS (shown here for Highly Confidential Client)
Examples: banking, healthcare, military, minors, and other types of data governed by legislating bodies.
Access: employees with a business need to know. As required by the client, access will be restricted to attorneys and staff that have been assigned to the client engagement.
Distribution within the firm: standard interoffice mail, approved electronic mail and encrypted electronic file transmission methods.
Distribution outside the firm: U.S. mail and other public or private carriers, approved encrypted electronic mail and electronic file transmission methods.
Electronic distribution: all Highly Confidential Client information should be transferred using encryption.
Storage and backup: keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletops. Highly Confidential Client information should not be stored on devices or media that are not owned or managed by the firm. When stored on removable media, information should be encrypted, password protected, or both. Highly Confidential Client information should be backed up following normal procedures.
Disposal/destruction: deposit outdated paper information in specially marked disposal bins on premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.
LEGAL MATRIX
DATA PROTECTION
DATA PROTECTION LIFE CYCLE STEPS: 1. Understand; 2. Classify; 3. Protect; 4. Monitor; 5. Improve and remediate
PROTECTING DATA: People; Policy; Process; Education; Technology; DLP
WHERE DOES DATA LIVE: servers; laptops and desktops; cloud; collaboration (SharePoint, etc.); email; removable media; mobile
HOW CAN DATA BE LOST: loss or theft of laptops and mobile devices; sensitive data stored in unprotected locations; unauthorized transfer of data to portable media; file sharing/P2P; instant messaging, social media and personal web mail; copying/printing of sensitive data; corporate email
DATA LOSS EVENTS OCCUR DAILY AND COST ORGANIZATIONS MILLIONS OF DOLLARS. Impact of data loss incidents: significant incident response costs and legal fees; regulatory fines; reputational damage; loss of brand loyalty; loss of investor confidence; erosion of trust; customer turnover; loss of competitive advantage. According to the 2016 Ponemon Institute study, the consolidated total cost per data breach was $4 million ($158 per compromised record).
THINK LIKE AN OUTSIDER: WHAT TYPES OF INFORMATION ARE MOST LIKELY TO BE TARGETED? Examples of questions that should be discussed with data owners: What data would hurt us the most if it fell into the wrong hands? What information gives us competitive advantage in the market? What data would someone want to steal? What knowledge makes us better than our competition? Where are we investing in research and development? What would we be very embarrassed to lose? What data would trigger compliance requirements?
DATA LOSS IS A SIGNIFICANT RISK. Examples of sensitive data types:
Personally identifiable information (PII): names, addresses, email addresses, phone numbers and demographic information; social security numbers and other national identifiers; banking information and credit card numbers; personal health information (PHI).
Intellectual property: product designs; source code; pending patents; formulations; manufacturing process instructions and procedures; research and development results and analysis; exploration data.
Proprietary information: customer lists; pricing, cost and sales information; pre-released financial results; merger and acquisition information; third-party contracts; strategy and product road maps; bid plans; scientific papers.
DLP DATA LOSS PREVENTION
Data governance: policies and standards; identification; risk assessment; classification; architecture; quality.
Data protection controls, by state of the data (structured and unstructured): data in motion (perimeter security); data in use (privileged user monitoring); data at rest (encryption).
Focus areas: network traffic monitoring/blocking; web content filtering; data collection and exchange; messaging (email, IM); workstation restrictions; application controls; data labelling/tagging; removable/external media control; obfuscation/tokenization; mobile device protection; network/server repository control; physical media control; remote access; export/clipboard/print control; archive, disposal and destruction.
Supporting information security processes: identity/access management; security information management; configuration management; vulnerability management; digital rights management; incident response; physical security; training and awareness; asset management; data privacy; employee screening and vetting; third party management; BCP/DR; records management; risk management and reporting; change management/SDLC.
DATA IN USE: active data a user is currently interacting with. Screen capture; copy/paste; print and fax; document editing and creation.
DATA IN MOTION: data currently traversing a network, internal or external. Email; instant messaging; websites.
DATA AT REST: data being stored. Hard drives; NAS; file servers; databases; removable media; backups.
DLP SOLUTIONS. Data matching methods: structured data fingerprinting; statistical methods; rule and regex matching; published lexicons; conceptual definitions; keywords.
TECHNICAL SOLUTION DEPLOYMENT
Endpoint (data in use; workstations): control user capabilities on endpoint systems.
Network Prevention (data in motion; email, SSL, web proxy at the border): detect sensitive data flowing through the border and block traffic which violates DLP rules.
Network Discovery (data at rest; databases or repositories, hosts and shares): scan the network and specific hosts/shares to identify and report (and potentially quarantine) unprotected sensitive data.
Network Monitoring (data in motion; switch / Internet edge): detect and report on sensitive data in motion.
RULE ENFORCEMENT: data is scanned -> a data rule is triggered -> the data is actioned
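The matching methods on the DLP SOLUTIONS slide and the scan / trigger / action flow on the RULE ENFORCEMENT slide, combined in one small rule engine as an added example (not code from the presentation or from any DLP product). It applies three of the listed methods, rule and regex matching with validation, a published lexicon, and structured data fingerprinting, and maps every hit onto the five suggested law-firm classes. The regex patterns, the lexicon entries, the class-to-action mapping, the registered fingerprint and the sample documents are all constructed for illustration.

```python
"""Toy DLP rule engine (added example, not from the presentation).
Regex rules with validation + lexicon + structured-data fingerprinting,
then scan -> rule triggered -> action over the five law-firm classes.
Rules, lexicon, action mapping and sample documents are constructed."""
import hashlib
import re
from collections import defaultdict

# Least to most restrictive; the most restrictive matched class wins.
CLASSES = ["Public", "Firm Internal", "Confidential Internal",
           "Client Confidential", "Highly Confidential Client"]
# Assumed enforcement action per class (the deck's "Protect" controls).
ACTIONS = {"Public": "allow", "Firm Internal": "allow",
           "Confidential Internal": "alert",
           "Client Confidential": "encrypt",
           "Highly Confidential Client": "block"}

# Regex rules. The SSN pattern rejects area 000/666/9xx and zero groups;
# card candidates must also pass the Luhn check to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Published lexicon: phrase -> class (constructed entries).
LEXICON = {"attorney-client privileged": "Client Confidential",
           "work product": "Client Confidential",
           "firm internal": "Firm Internal"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Redact evidence carried in alerts: keep only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]


def find_ssns(text):
    return [mask(m) for m in SSN_RE.findall(text)]


def find_cards(text):
    hits = []
    for m in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def _fingerprint(words):
    return hashlib.sha256(" ".join(words).encode()).hexdigest()


class FingerprintIndex:
    """Structured-data fingerprinting: the engine keeps only hashes of the
    registered sensitive records, never the records themselves, and compares
    every same-length word window of a document against those hashes."""
    def __init__(self):
        self._by_len = defaultdict(dict)   # word count -> {hash: label}

    def register(self, record, label):
        words = _words(record)
        self._by_len[len(words)][_fingerprint(words)] = label

    def find(self, text):
        words = _words(text)
        hits = []
        for n, table in self._by_len.items():
            for i in range(len(words) - n + 1):
                label = table.get(_fingerprint(words[i:i + n]))
                if label:
                    hits.append(label)
        return hits


def scan(text, index):
    """Scan -> rule triggered -> action. Returns the resulting class, the
    action for it, and the (rule, class, redacted evidence) triples that fired."""
    rules = [("ssn", find_ssns, "Highly Confidential Client"),
             ("payment-card", find_cards, "Highly Confidential Client"),
             ("client-record-fingerprint", index.find, "Client Confidential")]
    hits = [(name, cls, ev) for name, det, cls in rules for ev in det(text)]
    low = text.lower()
    hits += [("lexicon", cls, phrase) for phrase, cls in LEXICON.items()
             if phrase in low]
    top = max((CLASSES.index(cls) for _, cls, _ in hits), default=0)
    return {"class": CLASSES[top], "action": ACTIONS[CLASSES[top]], "hits": hits}


# Constructed sample data: one registered client matter, four documents.
INDEX = FingerprintIndex()
INDEX.register("Acme Holdings v. Beta Corp", "matter-0001")
SAMPLE_DOCS = {
    "lunch": "Team lunch is Friday at noon.",
    "memo": "FIRM INTERNAL: the parking garage closes early on Friday.",
    "brief": "Draft brief in Acme Holdings v. Beta Corp, attorney-client privileged.",
    "intake": "Client SSN 123-45-6789, card 4111 1111 1111 1111 on file.",
}

if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        r = scan(doc, INDEX)
        print(f"{name:7} -> {r['class']:26} action={r['action']:7} hits={r['hits']}")
```

Two design points matter in practice. Evidence in alerts is masked, so the DLP event log does not itself become a store of Highly Confidential Client data, and the fingerprint index holds only hashes, so a compromise of the DLP server does not expose the client records it was registered to protect. The Luhn gate shows why "rule and regex matching" alone is noisy: a 16-digit order number matches the card pattern but fails the checksum and is dropped.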
PROGRAM BENEFITS: data compliance for audits; meets certification requirements; streamlined risk management; improved Recovery Time Objective (RTO); streamlined user access and collaboration; simplified encryption; actionable security intelligence; SIEM integration; monitoring for sensitive information based on classification; alerting on data leakage; active data leakage deterrence
PROGRAM CHALLENGES: difficulty in identifying all relevant data loss channels within the organization; complexity of information flows within the extended enterprise; user capabilities to access, copy and send sensitive data outside of the company, including across borders; growing number and complexity of regulatory requirements to protect sensitive information, particularly for companies operating in many different states and internationally; lack of forensic / incident response capabilities to effectively respond to data loss and data breaches; encryption tools allow malicious users to hide their activity from most DLP technology; maximizing the value of a data
FUNDAMENTAL QUESTIONS TO ANSWER: What sensitive data do you hold? What is your highest-risk sensitive data, considering personally identifiable data, customer data and intellectual property? Where does your sensitive data reside, both internally and with third parties? Where is your data going? Do you comply with the relevant data privacy laws?
ADDITIONAL QUESTIONS FOR THE BOARD AND C-SUITE: Are you confident your intellectual property, trade secrets, proprietary information and customer data are protected from insiders? Are your regulatory and compliance obligations for data protection and privacy being met? Does your information security function know what data is most valuable to the business? Are stakeholders asking what the organization is doing to proactively protect sensitive information? Have you had a significant data loss incident in the past?
REFERENCES: https://www.sans.org/readingroom/whitepapers/auditing/information-classification-who-846; http://www.cmu.edu/iso/governance/guidelines/dataclassification.html; Google data classification policy. Email david@securit360.com for Word and Excel templates; email cscaffidi@bakerdonelson.com.