Data Loss Prevention:

Similar documents
THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

Cybersecurity The Evolving Landscape

GDPR: A QUICK OVERVIEW

Security and Privacy Governance Program Guidelines

Teradata and Protegrity High-Value Protection for High-Value Data

Managing Cybersecurity Risk

DeMystifying Data Breaches and Information Security Compliance

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Big data privacy in Australia

Cyber Risks in the Boardroom Conference

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Is Your Compliance Strategy Putting Your Business at Risk?

Building a Complete Program around Data Loss Prevention

CipherCloud CASB+ Connector for ServiceNow

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Altitude Software. Data Protection Heading 2018

2015 VORMETRIC INSIDER THREAT REPORT

Global Security Consulting Services, compliancy and risk asessment services

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

University of Sunderland Business Assurance PCI Security Policy

EY s data privacy service offering

A Framework for Managing Crime and Fraud

Protecting your data. EY s approach to data privacy and information security

SOC for cybersecurity

Demonstrating data privacy for GDPR and beyond

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

2017 RIMS CYBER SURVEY

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

mhealth SECURITY: STATS AND SOLUTIONS

Incident Response and Cybersecurity: A View from the Boardroom

Information Security Data Classification Procedure

PROTECTING BRANDS IN CYBERSPACE

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Advanced Security Centers. Enabling threat and vulnerability services in a borderless world

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

01.0 Policy Responsibilities and Oversight

IMPROVING NETWORK SECURITY

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Cyber Diligence. EY Deals Forum Ian McCaw EY Transaction Advisory Services

Information Governance, the Next Evolution of Privacy and Security

Demonstrating Compliance in the Financial Services Industry with Veriato

PTLGateway Data Breach Policy

The Data Breach: How to Stay Defensible Before, During & After the Incident

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

locuz.com SOC Services

Preparing for a Breach October 14, 2016

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

Introduction. When it comes to GDPR compliance, is OK for now enough? Minds made for protecting financial services

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Putting It All Together:

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

Cyber Insurance: What is your bank doing to manage risk? presented by

COBIT 5 With COSO 2013

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Embedding Privacy by Design

Cyber Security Incident Response Fighting Fire with Fire

Anticipating the wider business impact of a cyber breach in the health care industry

Effective Strategies for Managing Cybersecurity Risks

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Data Compromise Notice Procedure Summary and Guide

Healthcare HIPAA and Cybersecurity Update

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Defense in Depth Security in the Enterprise

Continuous protection to reduce risk and maintain production availability

Cyber Security Issues

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

How to Prepare a Response to Cyber Attack for a Multinational Company.

Does someone else own your company s reputation? EY Global Information Security Survey 2018

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Avanade s Approach to Client Data Protection

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

A Global Look at IT Audit Best Practices

Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

EY s Data Privacy Services. January 2019

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

GRC SURVEY RESULT Please indicate your profession

Application for Certification

The Common Controls Framework BY ADOBE

Security Policies and Procedures Principles and Practices

General Data Protection Regulation (GDPR)

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Cybersecurity in Higher Ed

Turning Risk into Advantage

Presented by: Jason C. Gavejian Morristown Office

Transcription:

Data Loss Prevention: Considerations from an IT Audit Perspective ISACA November Luncheon 11 November 2010

Agenda What is data loss prevention (DLP)? Ernst & Young point of view on DLP Data loss risk assessment Moving forward after the DLP risk assessment Case studies and examples Page 1

What is DLP? Defining the concepts Data loss and data leakage what does it all mean? How does it occur? Why does it occur? What is the end result? What are DLP solutions intended uses? Page 2

It s all about the data Data is the most valuable asset for many companies and must be protected as such New business and technology paradigms force a shift from reliance on traditional perimeter security to data level security and controls Page 3

Ernst & Young point of view on DLP Data loss in the news Large retail company 45.6 million credit and debit card numbers were stolen over a period of more than 18 months Large BCBS insurer 57 hard drives containing member-protected health information were stolen Department of Commerce an employee inadvertently transmitted over the Internet an unencrypted file containing the personally identifiable information (PII) of Commerce employees to other department employees A medical center in Kentucky is notifying 5,418 patients of a breach resulting from the theft of an unencrypted portable hard drive stored in a locked area FTC Consent Decree requires monitoring and filtering of outbound computer traffic to block export of sensitive information Sources: engadget, Computerworld and CNET news. More than 250 privacy laws that mandate disclosure of data breaches 2% of laptop inventory cannot be located Fortune 500 companies lose two laptops a day Page 4

Ernst & Young point of view on DLP 13 th Annual Global Information Security Survey More than half say protecting reputation and brand is their biggest information security challenge 64% see the disclosure of sensitive data as one of their top five IT risks 55% indicate they are increasing the level of investment related to their top five areas of information security risk 52% see the use of personal devices as the main cause of an increasing risk of data leakage 50% plan to spend more in the next year on data loss prevention efforts Page 5

Ernst & Young point of view on DLP Common myths and challenges Confidential information Marketing plans, intellectual property BUs, HR, Legal Customer service Customer data SSN, salaries, customer names Sales Your data Contractors Health care information Medical records, payment information Doctors Finance Financials Upcoming reports, M&A plans Common myths Company does not have any sensitive information that we need to worry about Employees are trained and aware of the data loss risks associated with sensitive data Data loss can be solved with just a tool implementation The space is not very mature and only early adopter companies are investing in DLP Common challenges Majority of data loss scenarios are unintentional and inadvertently committed by insiders Complexity of information flows within the extended enterprise Lack of forensic and incident response capabilities to respond to data loss and data breaches Growing number of and complexity of regulatory requirements to protect sensitive information Page 6

The cost of a data breach Brand damage and loss of reputation Loss of competitive advantage Loss of customers Erosion of shareholder value Fines and civil penalties Litigation and legal action Regulatory action and sanctions Significant cost and effort to notify affected parties and recover from the breach Data breach incidents cost US companies $204 per compromised record, with an average total per-incident cost of $6.75m Ponemon Institute Page 7

Data loss risk assessment What is the goal? Drivers Business case 1 2 Loss or theft of laptops and mobile devices Unauthorized transfer of data to USB devices 7 Access to sensitive files by unauthorized users 3 Unable to locate and protect sensitive data 4 6 Lack of content awareness and coordinated response to intrusions 5 Print and copy of client data by staff Theft of company secrets by employees Stakeholders Recent data loss Page 8

Data loss risk assessment Ernst & Young s use of a leading DLP appliance Clients want an independent third party to help in assessing and addressing risks associated with data loss. Our Information Security Services has the industry depth to provide clients with information security assistance that is tailored for their industry and company. Use of technology for an assessment provides clients with evidence of data loss and provides value when coupled with our knowledge of the client s company and industry. Source: Gartner MQ June 2010 Page 9

Data loss risk assessment Our assessment approach combines our deep data protection, regulatory and compliance experience with the use of a leading DLP technology: Identify critical information types within the enterprise, primary and secondary locations, and communication vectors Monitor data leaving the corporate network using a DLP solution Analyze collected data Provide a report and close-out session providing observations and recommendations aimed at reducing data protection gaps and risks to the enterprise At the completion of the assessment, our client understands: Where critical and sensitive information resides in their network How that information is moving throughout their enterprise, over which communications channels, and who is sending and receiving that information Compliance risks in thier environment previously not recognized Next steps, quick wins, and long-term recommendations to reduce data and business risks Page 10

Moving forward after the DLP risk assessment People, process and technology considerations A top-down approach must be applied to holistically address the problem of data loss Governance must be established and roles and responsibilities defined to effectively manage and maintain the program Supporting IT processes must be enhanced based upon gaps uncovered by data loss risk assessment Technology solutionsmust be adopted to cover data at rest, data in motion and data in use, to effectively monitor, prevent and respond to any potential data loss A DLPprogram must include all domains of people, process and technology to effectively prevent the loss of data. Page 11

Case study: international oil and gas company, domestic financial institution, international software company Client concerns Client concerned about data loss and aware of emerging threat industry Wanted to build a business case for investing in DLP Organization had a low awareness related to data loss and the types of sensitive data on their network Company had inconsistent processes related to the management of sensitive data Company wanted to see if they had any issues with data loss Company wasn t aware where they had sensitive data stored internally Ernst & Young solutions and results Ernst & Young deployed the DLPappliances to gain a better understanding of the company s management of sensitive information as it is stored and transferred The assessments highlighted weaknesses in the overall DLP program and evidenced the loss of sensitive data such as IP, PII and PHI Technology was accompanied with business process assessment to provide process-level root cause for data loss Assessment provided CIO, IA, Legal, HR, CFO, Audit Committee, with insight to the company s data loss exposure and detailed recommendations on how to address DLP Page 12

Case study: establish your process before starting Make sure Legal and HR are aware of the assessment. For the assessment, you are less concerned with getting someone in trouble than stopping the problem. You will find something have a defined process before you start the assessment. Business process failures usually involve escalation within IT and engagement with the business unit itself. Employee violations, due to their sensitivity, require a more formal process. You want to implement whatever process you already have in place for internal employee investigations and potential termination. Page 13

Case study: things to analyze Top violations by data type Top violations by business unit Top violations by volume False positive patterns Different violations from same source Unusual origins Page 14

Case study: dashboard view Ris k rd Risk Dashboa Viola o r ts tion rep s um m a ry P ag e 2 Pag e 1 Page 3 Page 15 Dash board

Case study: HR sending sensitive info to webmail Provides evidence of data loss of sensitive employee information Page 16

Case study: employee salary info sent to webmail Provides evidence of data loss of sensitive employee information Page 17

Case study: employee PII sent to webmail Provides evidence of data loss of sensitive employee information Multiple employees PII clearly listed in this email Page 18

Case study: employee PII sent to external party Provides evidence of data loss of sensitive employee information Multiple employees PII clearly listed in this email Page 19

Case study: credit card numbers sent unencrypted Credit card number used for payment sent in the body of an email Credit Card number clearly listed in this email Page 20

Case study: employee PII sent unencrypted Personal data sheet contains new hire s social security number Page 21

Case study: high-level PII dataflow Helps to understand business process and root cause of data loss Page 22

Case study: sample analysis of data loss incidents Provides client with Ernst & Young observations related to what the DLP tools found Number of incidents: 67 44 incidents contained bulk SSN Content commonly found in: Excel documents PDF documents Word documents Text files SSN commonly used as employee identifier Identity theft or fraud Observations Risks to company Possible prosecution of company under state privacy laws: Subject to fines Loss of reputation Decline in business Potential root causes Lack of employee awareness High use of PII in routine business activities Attempt to steal employee PII Training and awareness Recommendations Collect only what you need and can protect Create policies and procedures around accessing and transferring this information Monitor electronic communications for large number of PII Page 23

Case study: high-level road map for a DLP program Provides client with short term and longer-term recommendations to increase their maturity 0 2 Months 2 4 Months 4 6 Months 6 12 Months People Obtain certification from network users Create communication plan to notify users of proper use of sensitive data Define data owners, roles and responsibilities Develop a formal training and awareness program Technology Process Acceptable use policy Conduct internal and external scans on a periodic basis Update policies to restrict the use of webmail for business use Block all non-business related traffic outbound to high-risk countries, as defined in assessment Assess business processes that collect, use, store and transfer sensitive data Provide guidance and tools to allow users to encrypt sensitive emails that may or may not use TLS Define sensitive information and identify where it resides Secure sensitive data and enforce acceptable use policy Monitor all outbound traffic for sensitive information Baseline network traffic for anomaly detection Actively manage firewall rules Increasing maturity of a company s DLP program Page 24

Conclusion: the benefits of a data protection program Holistically addressing the data loss problem Data protection is an umbrella term that describes the program, governance, policy instantiation, management controls and solutionimplementation of people, process and technology measures to prevent the loss of, or unauthorized access to, sensitive data Employees Contractors Third party Partners Program components Former employees Data in motion Hackers/competitors Program components Personnel security Secure data transfer Secure messaging Data loss prevention Data audit and reporting Access controls Awareness and training Data loss prevention Data in use Access management Rights management Data audit and reporting System and network controls Privacy Encryption operations Data redaction Data masking Incident response Data at rest Asset management Database encryption Storage/disk encryption Mobile data encryption Data loss prevention Continuity management Information classification, policies and standards Data management, audit and reporting Data governance and compliance Page 25

Contact information Anil Markose CISA, CISSP, CIPP Senior Manager, Ernst & Young LLP anil.markose@ey.com Direct: 214 969 9734 Page 26

Ernst & Young Assurance Tax Transactions Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst&Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. About Ernst & Young s Assurance Services Strong independent assurance provides a timely and constructive challenge to management, a robust and clear perspective to audit committees and critical information for investors and other stakeholders. The quality of our audit starts with our 60,000 assurance professionals, who have the experience of auditing many of the world s leading companies. We provide a consistent worldwide audit by assembling the right multidisciplinary team to address the most complex issues, using a proven global methodology and deploying the latest, high-quality auditing tools. And we work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It s how Ernst & Young makes a difference. 2010 Ernst & Young LLP. All Rights Reserved. 1010-1200121 Page 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback