LBI Public Information. Please consider the impact to the environment before printing this.

DGPC Framework

People (DGPC Aware Culture)
- Executive management commitment
- Engaged management team
- Integrated governance organization
- Trained, aware, and accountable

Process (DGPC Embedded in Processes)
- Structured and repeatable processes
- Practical and enforceable policies
- Harmonized frameworks and standards
- Effective internal control environment

Technology (DGPC Enabled in Technology)
- Secure infrastructure
- Identity and access control
- Information protection
- Auditing and reporting

The DGPC Framework: Technology

Transfer (New Lifecycle)

Secure Infrastructure
- Safeguards against malware
- Safeguards against unauthorized access to sensitive info
- Protect systems from evolving threats

Identity and Access Control
- Protect personal information from unauthorized access or use
- Provide management controls for identity, access and provisioning

Information Protection
- Protect sensitive personal information in structured databases
- Protect sensitive personal information in unstructured documents, messages and records, through encryption
- Protect data in transit

Auditing and reporting
- Monitor to verify integrity of systems and data
- Monitor to verify compliance with business processes

Matrix: technology areas by information lifecycle stages

Columns: Secure Infrastructure | Identity and Access Control | Information Protection | Auditing and reporting | Manual Controls
Rows (lifecycle stages): Collect, Update, Process, Delete, Transfer, Storage

Goals the matrix serves:
1. Honor policies throughout the information lifecycle
2. Minimize risk of data misuse
3. Minimize impact of data loss
4. Demonstrate effectiveness of data protection policies and measures

Risk/Gap Analysis process

Process steps: Establish a context for analysis > Identify (model) potential threats > Analyze risks > Evaluate effectiveness > Determine risk treatment

Step: Establish a context for analysis
1. Clearly define the business purpose of the flow
2. Identify privacy, security and compliance objectives for the flow
3. Identify systems using the data
4. Define the Use Cases for the data

[Figure: data flow diagram showing App. Servers, Log Storage and Cloud Provider, with a Trust Boundary between App. Servers and Log Storage and another between Log Storage and Cloud Provider]

Step: Identify (model) potential threats - Diagram of flow
1. Data Flow Diagrams (DFD)
2. Data stores & Data Flows
3. Place Trust Boundaries!

Step: Identify (model) potential threats - Threat Identification
1. Experts can brainstorm
2. How to do this without being an expert?
   a) Use a method to step through
   b) Get specific about threats

Use the Privacy Frame to step through elements. Ask the Frame questions on each element to get threats.

Property                | Question to Ask
------------------------|--------------------------------------------------------------------
Information Protection  | Ensure Confidentiality, Integrity and Availability?
Access                  | Verify correctness of identifying information?
Accountability          | Means to enforce privacy policies, regulations and laws?
Choice & Consent        | Provide notice and consent to collection, use, disclosure and control?
Data Quality            | Ensured to be accurate, timely, and relevant?
Compliance              | Verified through logs, reports and controls?

Microsoft's IT Infrastructure Threat Modeling Guide: http://technet.microsoft.com/en-us/library/dd941826.aspx

Step: Analyze risks
1. Build the Risk/Gap analysis matrix
2. Apply existing mitigations
3. Identify residual risk

Step: Evaluate effectiveness / Determine risk treatment
1. Identify additional mitigations to eliminate (leverage what you already have!!!)
2. Determine risk treatment
   a) Mitigate
   b) Transfer
   c) Assume

Risk/Gap matrix, filled in (columns: Secure Infrastructure | Identity and Access Control | Information Protection | Auditing and reporting | Manual Controls)

Row: Collect / Update
- Servers are on regular OS and App. patch cycle, and up-to-date in malware signatures
- Incoming data is correctly classified and tagged as per customer choice and consent
- All transactions to take place on authenticated communications channel
- Transaction log data is encrypted in transit and at rest
- All material customer transactions arrive over encrypted comms channel
- All material transactions are to be logged as per logging framework
- Communications channel to, and log servers are monitored
- Failover process to local log servers in processor facilities is up and running
- Alerts and alert recipients defined and operational
- Set of access and use reports, along with recipients and delivery schedules, are defined

Row: Transfer
- Cloud infrastructure protection requirements specified contractually
- All transfers to take place on authenticated communications channel
- Provision of access to stored information specified contractually
- All transfers to cloud take place over encrypted communications channel
- Encryption methods for data on cloud are specified contractually
- Data backup process and integrity requirements are specified contractually
- Access and use reports from cloud defined and schedule in place
- Cloud incident response and notification processes in place
- Compliance requirements from Cloud provider specified contractually

Row: Storage
- Log servers are on regular OS and App. patch cycle, and up-to-date in malware signatures
- Access to transaction logs and transaction log reports is granted on a per-role basis
- Periodic review of log access privilege lists, as per policy
- Transaction log data is encrypted while at rest
- Log failover data transfer and backup procedures in place
- Log backup process and schedule in place

Checklist across all steps
1. Ensure you are covering the entire data lifecycle
2. Examine each trust boundary
3. Have you made a clear decision of how each risk will be treated?
4. Are mitigations done right?
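The analysis steps above (model the flows and trust boundaries, build the lifecycle-by-technology-area matrix, apply existing mitigations, derive residual risk, pick Mitigate/Transfer/Assume, then run the checklist) can be carried as a small data model rather than a spreadsheet. The following Python is an added example and is not code from the DGPC deck or from Microsoft; the element names follow the deck's diagram, while the 1-5 scoring scale, the point-based mitigation reductions, the treatment thresholds and all sample threats are constructed for illustration.

```python
"""Risk/gap analysis over a data-flow diagram with trust boundaries.

Added example (not from the DGPC deck). Scores, thresholds and sample
threats are constructed; only the lifecycle stages, technology areas and
element names come from the deck.
"""
from dataclasses import dataclass, field

LIFECYCLE = ("Collect", "Update", "Process", "Delete", "Transfer", "Storage")
AREAS = ("Secure Infrastructure", "Identity and Access Control",
         "Information Protection", "Auditing and reporting", "Manual Controls")


@dataclass(frozen=True)
class Flow:
    """One edge of the DFD; crosses_boundary marks a trust-boundary crossing."""
    src: str
    dst: str
    stage: str              # lifecycle stage the flow belongs to (matrix row)
    crosses_boundary: bool


@dataclass
class Threat:
    flow: Flow
    area: str               # technology area (matrix column)
    frame_property: str     # Privacy Frame property whose question surfaced it
    description: str
    likelihood: int         # 1..5, constructed scale
    impact: int             # 1..5, constructed scale
    mitigations: list = field(default_factory=list)  # (control, points removed)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Step 'Apply existing mitigations': what is left after the controls."""
        return max(0, self.inherent() - sum(p for _, p in self.mitigations))


def build_matrix(threats):
    """Risk/gap matrix: (lifecycle stage, technology area) -> threats in that cell."""
    matrix = {(s, a): [] for s in LIFECYCLE for a in AREAS}
    for t in threats:
        matrix[(t.flow.stage, t.area)].append(t)
    return matrix


def treatment(t: Threat, mitigate_at: int = 10, assume_below: int = 4) -> str:
    """Constructed decision rule for the deck's three treatments."""
    r = t.residual()
    if r >= mitigate_at:
        return "Mitigate"       # needs an additional control
    if r >= assume_below and t.flow.crosses_boundary:
        return "Transfer"       # the other side of the boundary owns it (e.g. contractually)
    return "Assume"


def lifecycle_gaps(matrix):
    """Checklist item 1: stages where no threat was analysed in any area."""
    return [s for s in LIFECYCLE if not any(matrix[(s, a)] for a in AREAS)]


def unexamined_boundaries(flows, threats):
    """Checklist item 2: boundary-crossing flows with no threat recorded."""
    covered = {t.flow for t in threats}
    return [f for f in flows if f.crosses_boundary and f not in covered]


# Constructed sample DFD: the deck's three elements plus a report feed back to the app tier.
FLOWS = [
    Flow("App. Servers", "Log Storage", "Collect", True),
    Flow("Log Storage", "Cloud Provider", "Transfer", True),
    Flow("Cloud Provider", "Cloud Provider", "Storage", False),
    Flow("Cloud Provider", "App. Servers", "Process", True),   # nobody has modelled this one
]

# Constructed sample threats, one per Privacy Frame question that was asked.
THREATS = [
    Threat(FLOWS[0], "Information Protection", "Information Protection",
           "Transaction log data readable in transit", 4, 5, [("TLS on log channel", 17)]),
    Threat(FLOWS[1], "Secure Infrastructure", "Compliance",
           "Provider patch level unknown", 3, 3),
    Threat(FLOWS[2], "Identity and Access Control", "Access",
           "Provider staff can read stored logs", 3, 5, [("Per-role access to logs", 3)]),
]


def analyse(flows=FLOWS, threats=THREATS):
    """Run the whole procedure and return the decisions plus the checklist findings."""
    matrix = build_matrix(threats)
    return {
        "residual": {t.description: t.residual() for t in threats},
        "treatments": {t.description: treatment(t) for t in threats},
        "lifecycle_gaps": lifecycle_gaps(matrix),
        "unexamined_boundaries": [(f.src, f.dst) for f in unexamined_boundaries(flows, threats)],
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The two checklist functions are the point of the exercise: a matrix with well-mitigated cells still fails the deck's checklist if whole lifecycle stages were never examined or a flow crosses a trust boundary without a recorded threat, and the model makes those gaps visible instead of leaving them as empty spreadsheet cells.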

the specific confidential data elements that need to be protected

A Guide to Data Governance for Privacy, Confidentiality, and Compliance. The series

Conclusion

www.microsoft.com/datagovernance

www.microsoft.com/webcast http://go.microsoft.com/fwlink/?linkid=41781