Administration and Data Retention. Best Practices for Systems Management


Agenda
- Understanding the Context for IT Management
- Concepts for Managing Key IT Objectives
- Aptify and IT Management Best Practices
- Best Practices for Administration
- Data Quality Projects
- Data Retention and Archiving

UNDERSTANDING THE CONTEXT FOR IT MANAGEMENT

Overview: IT Management Factors
- Internal Factors: Management Directives; Organizational Policies; Service Level Agreements; System Availability
- External Factors: Audit; Regulatory/Compliance; Vendor/Partner Contracts

Management Directives
- Business Continuity and Disaster Recovery
- Data Retention Policies
- Capacity Planning and Backup Management
- Availability and Service Level Agreements
- Information Lifecycle Management (ILM) Initiatives
- Digital Asset Management

Sidebar quote on the slide (losses at the World Trade Center, quoted from Tech Republic, 5/17/2002):
"Approximately 8,000 Intel-based servers and approximately 5,000 UNIX servers were lost at an approximate replacement cost of $370 million. It has also been estimated that 30,000 securities positions (defined as trading, sales, research, and operations positions) were lost in the seven WTC buildings and another 15,000 to 20,000 positions in the adjacent buildings. Tower Group, a research and advisory firm, estimates that it will cost $3.2 billion to replace technology at the affected securities firms. Of this estimate, $1.7 billion will be spent on hardware from trading stations, sales stations, workstations, PCs, servers, printers, mini-computers, storage devices, cabling, and communications hubs to routers and switches. The remaining $1.5 billion will cover services and software to install and connect the necessary networks, operating systems, and applications infrastructures."

Regulatory Requirements
- Sarbanes-Oxley Act (SOX): security of financial data for public companies and related
- Health Insurance Portability and Accountability Act (HIPAA): privacy of healthcare-related information
- USA PATRIOT Act: affects whether companies can use cloud-based resources across international borders
- EU Data Protection Directive: affects data retention schedules

PCI (Payment Card Industry) Compliance
- Account Management Policies
- Backup Policies
- Acceptable Use Policies
- Incident Reporting Plans
- Card Storage Guidelines and Related Requirements
- Encryption and Network Policy Requirements
- Application/Environment Change Control
- Physical Security Policies

Overall Impacts
- Stricter requirements on hardware and software purchases
- Tighter management controls
- Additional time and effort by team members
- Ongoing policy upkeep and compliance efforts
- Higher costs associated with audits
- Potential non-compliance sanctions

Policy Development Frameworks
- COBIT: Control Objectives for Information and Related Technologies
- ITIL: Information Technology Infrastructure Library
- ISO/IEC 38500: ISO standard for IT governance

IT Governance Model (diagram)
- Resource Framework: Applications, Systems, Resources, Vendors
- Management Guidelines: Policies, Procedures, Control Objectives, Measurement, Monitoring, Audit
- Example guideline, Change Management: formally documented; policies and procedures are in place, approved by management, and reviewed annually.
- Example policy, 1.1 Change Control:
  A. A case must be created to record every change made to any system.
  B. All changes must be tested by the business owner prior to deployment to production. Approval by the business owner is required for changes to be placed into production.
  C. For high-risk changes, case information must be entered prior to deployment.
  D.

Management Recap
- IT decisions are impacted by internal and external factors
- Impacts include tighter management controls and higher operating costs
- Policy development frameworks, such as COBIT, are designed to help organizations manage information resources

APTIFY AND IT MANAGEMENT BEST PRACTICES

Common Management Objectives Affecting Aptify
- Security Administration
- Availability
- Data Quality/Integrity/Activity Logging
- Change Control
- Disaster Recovery
- Security Incident Response
- System Monitoring
- Data Retention
- Patch/Update Scheduling

Change Control Best Practices
- Simplify the process as much as possible
- Maintain record history on all Framework and Types/Codes entities
- Utilize the Aptify Framework for all DB objects
- Test every component prior to deployment
- Test the deployment process itself
- Ensure proper authorization by management and the business unit is in place, and record the authorization
- Utilize Case Management to log related system changes (OS, IIS, supporting systems, etc.)
- Ensure a back-out plan exists

Backup/Recovery Best Practices
- Ensure recovery requirements (recovery point and recovery time) are supported by the DB backups
- Retain cyclical backups (e.g. a grandfather-father-son scheme)
- Consider using frequent incremental (differential) backups
- Back up transaction logs at an interval that matches the recovery point requirement
- Store backups to tape or an external device/service (e.g. Barracuda Backup Service)
- Test recovery from backup frequently and measure the time required for recovery
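The following T-SQL is an added example, not code from the deck or from Aptify: a nightly full/differential backup with grandfather-father-son style naming, a separate transaction-log backup, a verification step, and a query that shows when each database was last backed up. The database name [Aptify], the share path and the schedule are assumptions; the instance is assumed to be in the FULL recovery model.

```sql
-- Added example (not from the original deck). Assumed names: database [Aptify],
-- backup share \\backupsrv\sql\. Requires FULL recovery model for log backups.
DECLARE @db    sysname       = N'Aptify';
DECLARE @root  nvarchar(260) = N'\\backupsrv\sql\';
DECLARE @stamp nvarchar(20)  = FORMAT(SYSDATETIME(), 'yyyyMMdd_HHmm');
DECLARE @file  nvarchar(400);

-- Grandfather: full backup on the 1st of the month (kept longest).
-- Father: full backup every Sunday (DATEPART(WEEKDAY) = 1 with default DATEFIRST 7).
-- Son: differential backup on every other day.
-- The type is embedded in the file name so an expiry job can apply a different
-- retention period to each tier.
IF DAY(GETDATE()) = 1 OR DATEPART(WEEKDAY, GETDATE()) = 1
BEGIN
    SET @file = @root + @db + N'_FULL_' + @stamp + N'.bak';
    BACKUP DATABASE @db TO DISK = @file
        WITH INIT, COMPRESSION, CHECKSUM, STATS = 10;
END
ELSE
BEGIN
    SET @file = @root + @db + N'_DIFF_' + @stamp + N'.bak';
    BACKUP DATABASE @db TO DISK = @file
        WITH DIFFERENTIAL, INIT, COMPRESSION, CHECKSUM, STATS = 10;
END

-- Verify the media header and page checksums before trusting the file.
-- This is not a restore test; the slide's "test recovery" still means an
-- actual RESTORE DATABASE onto a test instance.
RESTORE VERIFYONLY FROM DISK = @file WITH CHECKSUM;

-- Transaction-log backup. In practice this runs on its own, more frequent
-- schedule (e.g. every 15 minutes): the interval is the recovery point
-- objective, and it is also what keeps the log file from growing unbounded.
SET @file = @root + @db + N'_LOG_' + @stamp + N'.trn';
BACKUP LOG @db TO DISK = @file WITH INIT, COMPRESSION, CHECKSUM;

-- Evidence for the audit: last full, differential and log backup per user
-- database, from the backup history in msdb. A NULL in any column is a gap.
SELECT d.name,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full,
       MAX(CASE WHEN b.type = 'I' THEN b.backup_finish_date END) AS last_diff,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.database_id > 4            -- skip master, tempdb, model, msdb
GROUP BY d.name
ORDER BY d.name;
```

Backup files written to the share are only as safe as the share: the slide's point about tape or an external service is that the copy must survive loss of the SQL Server host and its SAN, so copy or ship the FULL and DIFF sets off the box as part of the same job.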

Test Environment Setup Best Practices
- Maintain at least one test environment separate from production (dev-test-production, or dev-test-staging-production)
- Make sure all sensitive data is cleansed from test systems prior to release to staff (this also includes disabling certain features):
  - Remove financial information
  - Disable merchant accounts
  - Update all email addresses to a test address
- Build non-production environments to the same rigor and network topology as production to ensure adequate testing

Disaster Recovery Best Practices
- Build a disaster recovery plan that meets business objectives
- Test the disaster recovery plan
- Ensure that backups (part of every DR plan) are readily available
- Retain information on each environment to enable proper rebuilding if necessary:
  - Processor and memory configuration
  - Drive mappings
  - SAN/RAID array layout (physical and virtual)
- Maintain a backup DR site, as per availability requirements
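As an added example (not from the deck), the queries below pull the rebuild facts the slide lists straight from the instance so they can be saved with the DR plan and refreshed on a schedule. Nothing site-specific is assumed beyond SQL Server 2012 or later for the physical_memory_kb column.

```sql
-- Added example (not from the original deck): document an instance for rebuild.

-- Edition, build and collation: a restore onto a different edition or
-- collation is a common reason a "tested" DR plan fails on the day.
SELECT SERVERPROPERTY('Edition')        AS edition,
       SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('Collation')      AS collation;

-- Processor and memory the instance currently sees.
SELECT cpu_count,
       hyperthread_ratio,
       physical_memory_kb / 1024 AS physical_memory_mb,
       sqlserver_start_time
FROM sys.dm_os_sys_info;

-- Every data and log file with its drive letter and size: this is the
-- drive-mapping and SAN/RAID layout information needed to recreate the
-- same paths (or to know which MOVE clauses a RESTORE will need).
SELECT DB_NAME(mf.database_id)   AS database_name,
       mf.name                   AS logical_name,
       mf.type_desc,
       mf.physical_name,
       LEFT(mf.physical_name, 3) AS drive,
       mf.size * 8 / 1024        AS size_mb,   -- size is in 8 KB pages
       mf.state_desc
FROM sys.master_files AS mf
ORDER BY database_name, mf.file_id;

-- Instance settings that are easy to forget on a rebuilt server.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'max server memory (MB)', N'min server memory (MB)',
               N'max degree of parallelism', N'cost threshold for parallelism',
               N'backup compression default', N'xp_cmdshell', N'clr enabled',
               N'Ole Automation Procedures')
ORDER BY name;
```

Run the set after every change-controlled configuration change and store the output with the change case; the DR plan then always references the current layout rather than the one captured when the plan was written.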

Security Best Practices
- Utilize trusted (Windows-authenticated) connections for SQL Server
- Set a strong password on the sa login, and disable it if nothing depends on it
- Ensure only named logins, individually assigned, are used to reach the server so that activity can be attributed for audit purposes
- Grant only the required authorization levels to staff members
- Change the encryption keys frequently or per related policies (e.g. PCI requirements)
- Ensure only native (Aptify-driven) permissions are present on the SQL Server; evaluate on a cyclical basis
- Write and test an incident response plan
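The catalog queries below are an added example, not part of the deck or of Aptify. They turn the slide's checklist into something that can be run at each cyclical review: authentication mode, state of the sa login, SQL-authenticated logins, server role membership, permissions granted directly to users inside the application database, and key age for the rotation policy. The database name [Aptify] is assumed; the queries need VIEW SERVER STATE or sysadmin rights.

```sql
-- Added example (not from the original deck): cyclical SQL Server security review.

-- 1. Authentication mode. 1 = Windows authentication only (trusted connections),
--    0 = mixed mode, which is where shared SQL passwords come from.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. The built-in sa login is always principal_id 1, even after a rename.
--    Expect is_disabled = 1; if it must stay enabled, modify_date shows when
--    the password (or another property) last changed.
SELECT name, is_disabled, modify_date
FROM sys.sql_logins
WHERE principal_id = 1;

-- 3. Every other SQL-authenticated login. Each one should map to a person or
--    a documented application account and have the password policy enforced.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, create_date
FROM sys.sql_logins
WHERE principal_id > 1
  AND name NOT LIKE '##%'          -- certificate-based system logins
ORDER BY name;

-- 4. Server role membership. sysadmin should be a short, reviewed list.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 5. Inside the application database (assumed name): object permissions granted
--    directly to users or Windows groups, bypassing the application's own
--    roles. These are the "non-native" permissions the slide says to remove.
USE Aptify;
SELECT pr.name AS grantee,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                          -- object or column permission
  AND pr.type IN ('S', 'U', 'G')            -- SQL user, Windows user, Windows group
  AND pr.name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA')
ORDER BY grantee, object_name;

-- 6. Key age for the rotation policy: anything whose modify_date is older
--    than the policy window (e.g. PCI's annual rotation) is due.
SELECT name, algorithm_desc, create_date, modify_date
FROM sys.symmetric_keys
ORDER BY modify_date;
```

Save the result sets with the review case so that the next review can diff against them; a new sysadmin member or a new direct GRANT is much easier to spot as a delta than in a full listing.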

Privacy Best Practices
- Determine the internal and external factors present:
  - Customer privacy (e.g. SSN)
  - Management objectives (competitive advantage, proprietary data)
  - Regulatory requirements
  - Business relationships (e.g. PCI)
- Define business rules around private data
- Identify key data for encryption and utilize multiple keys to segment unrelated data
- Restrict columns through Field Level Security
- Restrict rows through Row Set Security
- Implement policies and procedures
- Ensure management objectives are followed
- Follow the incident response plan in the event of a breach

Monitoring Best Practices
- Configure SQL Server to log login attempts (at minimum, failed logins) to the SQL Server error log
- Monitor use of non-trusted (SQL-authenticated) logins (server-side trace; on current versions use SQL Server Audit or Extended Events, since SQL Trace is deprecated)
- Monitor the common set of applications connecting to the instance (server-side trace, with the same caveat)
- Employ external monitoring tools to manage uptime and performance issues
- For attached storage, utilize Windows performance counters to ensure high disk availability for SQL Server
- For SANs, utilize third-party tools to manage disk availability to the SQL Server; ensure storage traffic is not contending with other network traffic
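An added example (not from the deck) of the login monitoring the slide describes, using SQL Server Audit rather than a server-side trace: the audit captures failed and successful logins plus changes to server principals and roles, and the two review queries answer "who is failing to log in, from where" and "which SQL-authenticated logins are actually in use". The audit folder path and object names are placeholders.

```sql
-- Added example (not from the original deck). Assumed: D:\SQLAudit\ exists and
-- the SQL Server service account can write to it.
USE master;

CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- privilege escalation
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)       -- new/altered logins
    WITH (STATE = ON);

ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);

-- Review 1: failed logins in the last 24 hours by login and source address.
-- Many failures from one address against many logins is password guessing;
-- a steady trickle for one login from an application server is usually a
-- connection string that was not updated after a password change.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,   -- event_time is UTC
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                                 -- login failed
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
ORDER BY failures DESC;

-- Review 2: successful logins that did not use a trusted connection. Windows
-- principals carry a DOMAIN\ prefix; anything without one is a SQL login and
-- should be an expected application account.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS logins,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIS'                                 -- login succeeded
  AND server_principal_name NOT LIKE '%\%'
GROUP BY server_principal_name, client_ip
ORDER BY logins DESC;

-- Lower-fidelity fallback (slide item 1): failed logins also go to the SQL
-- Server error log when the instance's login auditing is set to "Failed" or
-- "Both" in the server properties. Search the current log for them:
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

Auditing successful logins on a busy instance produces a lot of records; if volume is a problem, keep FAILED_LOGIN_GROUP and the principal/role change groups always on and enable SUCCESSFUL_LOGIN_GROUP only for the periodic review of non-trusted logins.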

Data Retention Factors
- Basic decision: a balance between two factors
  - Business benefits of data ownership
  - Storage costs for data retention
- Consider what regulatory requirements are in place (e.g. the EU Data Protection Directive)
- Business rules governing data retention: does your organization treat paper files the same as electronic ones?
- What is the impact of privacy and security factors?

Data Retention and Archive Best Practices
- Conduct a data retention audit: what is the current state of data in my organization?
- Create or update your data retention policy, covering:
  - Categorization of data processed/managed
  - Purpose of retaining the data
  - Maximum retention period
  - Storage location
  - Archival or destruction process
  - Security method
  - Who is responsible for data retention

Sample Data Retention Schedule

Type | Purpose | Value | Risk | Storage Costs | Live Retention Period | Backup Retention Period | Archive Location | Archive / Destroy | Security Method | Data Owner
Email | Historical Backup | Med | High | High | 3 years | 5 years | Offsite | Destroy | Encrypted Backup | IT
Committee History | Historical Backup | High | Low | Low | unlimited | unlimited | Onsite | Archive | Backup | Membership
Customer Information | Ongoing engagement | High | Medium | Low | 10 years | unlimited | Onsite | Archive | Encrypted Backup | Membership
Non-Customer Information | Historical Backup | Med | Medium | Low | 3 years | 3 years | Offsite | Destroy | Encrypted Backup | Membership
Purchase History | Financial | Med | High | Low | 5 years | unlimited | Offsite | Archive | Encrypted Backup | Finance
Record History (Change) | Historical Backup | High | Medium | Medium | 10 years | n/a | n/a | Destroy | n/a | IT
Record History (Rollback) | Historical Backup | Low | Medium | High | 6 mo | n/a | n/a | Destroy | n/a | IT
Lists | Historical Backup | Med | Low | Low | 10 years | 10 years | Offsite | Archive | Encrypted Backup | IT

Data Retention and Archive Methodology
- Create the data retention schedule
- Evaluate storage costs for the important types of data
  - Run queries to determine the composition of your data
  - What data costs the most for you to own?
- Match record history settings to your needs on an entity-by-entity basis
  - Track Versions: defines whether record history is stored
  - OmitObjectData entity attribute: defines whether the data is stored so that a restore is possible
- Use the Archive Runs functionality frequently
- Create a process flow which handles archiving for you
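The script below is an added example and is deliberately generic: it is not Aptify's Archive Runs feature, and the table and column names are placeholders. It applies one line of the sample schedule, Record History (Rollback) with a 6-month live retention, by moving expired rows into an archive table in small batches so the purge can run during business hours without a long-running transaction.

```sql
-- Added example (not from the original deck, not Aptify's Archive Runs).
-- Hypothetical live table dbo.RecordHistoryRollback with columns
-- RecordHistoryID, EntityName, RecordID, ChangedOn, ChangedBy, PriorValues.
SET NOCOUNT ON;

DECLARE @cutoff datetime2(0) = DATEADD(MONTH, -6, SYSDATETIME());  -- 6-month live retention
DECLARE @batch  int = 5000;
DECLARE @moved  int = 1;

-- Archive target. Put the archive schema on its own filegroup (or in its own
-- database) so it can be backed up and retained on the archive cycle rather
-- than with the live database.
IF SCHEMA_ID(N'archive') IS NULL
    EXEC (N'CREATE SCHEMA archive');

IF OBJECT_ID(N'archive.RecordHistoryRollback') IS NULL
    CREATE TABLE archive.RecordHistoryRollback (
        RecordHistoryID bigint        NOT NULL PRIMARY KEY,
        EntityName      sysname       NOT NULL,
        RecordID        int           NOT NULL,
        ChangedOn       datetime2(0)  NOT NULL,
        ChangedBy       sysname       NOT NULL,
        PriorValues     nvarchar(max) NULL,
        ArchivedOn      datetime2(0)  NOT NULL DEFAULT SYSDATETIME()
    );

-- Move rows in batches. DELETE ... OUTPUT INTO lands each row in the archive
-- in the same statement that removes it from the live table, so a failure
-- mid-run loses nothing: the rows are either still live or already archived.
WHILE @moved > 0
BEGIN
    BEGIN TRANSACTION;

    DELETE TOP (@batch) h
    OUTPUT deleted.RecordHistoryID, deleted.EntityName, deleted.RecordID,
           deleted.ChangedOn, deleted.ChangedBy, deleted.PriorValues
      INTO archive.RecordHistoryRollback
           (RecordHistoryID, EntityName, RecordID, ChangedOn, ChangedBy, PriorValues)
    FROM dbo.RecordHistoryRollback AS h
    WHERE h.ChangedOn < @cutoff;

    SET @moved = @@ROWCOUNT;   -- must be read immediately after the DELETE

    COMMIT TRANSACTION;

    -- Short pause between batches keeps the transaction log and lock
    -- footprint bounded and lets other sessions through.
    IF @moved > 0 WAITFOR DELAY '00:00:01';
END;

-- Evidence for the retention audit: how much is live vs archived, and the
-- oldest live row, which must not be older than the cutoff.
SELECT (SELECT COUNT_BIG(*) FROM dbo.RecordHistoryRollback)     AS live_rows,
       (SELECT COUNT_BIG(*) FROM archive.RecordHistoryRollback) AS archived_rows,
       (SELECT MIN(ChangedOn) FROM dbo.RecordHistoryRollback)   AS oldest_live_row;
```

For schedule rows marked Destroy with no archive location (Email after 3 years, in the sample), drop the OUTPUT clause so the batch loop simply deletes. Index the retention column (ChangedOn here) or the WHERE clause will scan the whole table on every batch.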

Data Quality Best Practices
- Implement manageable duplicate-processing rules within duplicate check objects
- Create views which highlight potential duplicates and assign cleanup to a team member (with merge permissions)
- Create processes for finding common org-specific duplicates
- Develop and schedule reports highlighting data growth by entity and other factors important to the business
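As an added example (not from the deck or from Aptify's own duplicate-check objects), here is the kind of view the slide describes: it flags person records that collide on a normalized email address, or on first initial plus last name plus postal code, and tags each hit with the rule that matched and a group id so cleanup can be assigned one group at a time. The dbo.Person table and its columns are hypothetical; CREATE OR ALTER needs SQL Server 2016 SP1 or later.

```sql
-- Added example (not from the original deck). Hypothetical dbo.Person with
-- PersonID, FirstName, LastName, PostalCode, Email, DateCreated, IsMerged.
CREATE OR ALTER VIEW dbo.vwPotentialDuplicatePersons
AS
WITH normalised AS (
    SELECT PersonID, FirstName, LastName, PostalCode, Email, DateCreated,
           -- Matching keys. Case, surrounding whitespace and spaces inside
           -- postal codes are the usual reasons two entries look different.
           NULLIF(LOWER(LTRIM(RTRIM(Email))), '') AS EmailKey,
           LOWER(LEFT(LTRIM(FirstName), 1)) + '|'
             + LOWER(LTRIM(RTRIM(LastName))) + '|'
             + REPLACE(ISNULL(PostalCode, ''), ' ', '') AS NameKey
    FROM dbo.Person
    WHERE IsMerged = 0
),
keyed AS (
    SELECT n.*,
           COUNT(*)      OVER (PARTITION BY EmailKey) AS EmailMatches,
           COUNT(*)      OVER (PARTITION BY NameKey)  AS NameMatches,
           MIN(PersonID) OVER (PARTITION BY EmailKey) AS EmailGroupID,
           MIN(PersonID) OVER (PARTITION BY NameKey)  AS NameGroupID
    FROM normalised AS n
)
SELECT PersonID, FirstName, LastName, PostalCode, Email, DateCreated,
       CASE WHEN EmailKey IS NOT NULL AND EmailMatches > 1 THEN 'email'
            ELSE 'name+postcode' END AS MatchRule,
       -- Lowest PersonID in the group doubles as the suggested merge target.
       CASE WHEN EmailKey IS NOT NULL AND EmailMatches > 1 THEN EmailGroupID
            ELSE NameGroupID END AS DuplicateGroup
FROM keyed
WHERE (EmailKey IS NOT NULL AND EmailMatches > 1)
   OR NameMatches > 1;
GO

-- Work queue for whoever holds merge permissions: one row per group, largest
-- groups first. Email matches are near-certain; name+postcode matches need a
-- human look (parent and child at the same address, for instance).
SELECT DuplicateGroup, MatchRule,
       COUNT(*)         AS records,
       MIN(DateCreated) AS oldest_record
FROM dbo.vwPotentialDuplicatePersons
GROUP BY DuplicateGroup, MatchRule
ORDER BY records DESC, oldest_record;
```

The view is intentionally rule-based rather than fuzzy: each org-specific rule (a second email column, a membership number, a phone number) is another key in the first CTE, and a false-positive rule can be removed without touching the rest.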

Management Reporting: Common Reporting Requirements
- Monthly database file size growth
- Top 10 table growth by size
- Top 10 table growth by rows
- Activity by users
- Activity by tables
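The reporting queries below are an added example (not from the deck) that serves both this slide and the "run queries to determine the composition of your data" step of the retention methodology: a daily snapshot of every table's size and row count into a hypothetical history table, then the top-10 growth, composition and file-size reports from it. The history table name is an assumption.

```sql
-- Added example (not from the original deck). dbo.TableSizeHistory is a
-- hypothetical reporting table created here.
IF OBJECT_ID(N'dbo.TableSizeHistory') IS NULL
    CREATE TABLE dbo.TableSizeHistory (
        SampledOn  date          NOT NULL,
        SchemaName sysname       NOT NULL,
        TableName  sysname       NOT NULL,
        RowCnt     bigint        NOT NULL,
        ReservedMB decimal(18,2) NOT NULL,
        CONSTRAINT PK_TableSizeHistory PRIMARY KEY (SampledOn, SchemaName, TableName)
    );

-- Daily snapshot. sys.dm_db_partition_stats reads catalog metadata only, so
-- it is cheap and safe on production. Row counts come from the heap or
-- clustered index (index_id 0 or 1); reserved pages are summed across all
-- indexes so the figure matches what the table really costs on disk.
INSERT INTO dbo.TableSizeHistory (SampledOn, SchemaName, TableName, RowCnt, ReservedMB)
SELECT CAST(SYSDATETIME() AS date),
       s.name,
       t.name,
       SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END),
       SUM(ps.reserved_page_count) * 8.0 / 1024
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN sys.dm_db_partition_stats AS ps ON ps.object_id = t.object_id
WHERE t.is_ms_shipped = 0
GROUP BY s.name, t.name;

-- Top 10 growth over the last 30 days. ORDER BY growth_rows instead of
-- growth_mb for the "by rows" version of the report.
DECLARE @today date = CAST(SYSDATETIME() AS date);
DECLARE @baseline date =
    (SELECT MAX(SampledOn) FROM dbo.TableSizeHistory
     WHERE SampledOn <= DATEADD(DAY, -30, @today));   -- nearest snapshot at or before 30 days ago

SELECT TOP (10)
       cur.SchemaName + '.' + cur.TableName       AS [table],
       cur.ReservedMB,
       cur.ReservedMB - ISNULL(prev.ReservedMB, 0) AS growth_mb,
       cur.RowCnt     - ISNULL(prev.RowCnt, 0)     AS growth_rows
FROM dbo.TableSizeHistory AS cur
LEFT JOIN dbo.TableSizeHistory AS prev
       ON prev.SampledOn = @baseline
      AND prev.SchemaName = cur.SchemaName
      AND prev.TableName  = cur.TableName
WHERE cur.SampledOn = @today
ORDER BY growth_mb DESC;

-- Composition: what share of the database each table is. This is the input
-- to the retention schedule's "what data costs the most to own" question.
SELECT SchemaName + '.' + TableName AS [table],
       ReservedMB,
       CAST(100.0 * ReservedMB / SUM(ReservedMB) OVER () AS decimal(5,2)) AS pct_of_db
FROM dbo.TableSizeHistory
WHERE SampledOn = @today
ORDER BY ReservedMB DESC;

-- Monthly file growth: data and log file sizes for the current database.
-- Snapshot these the same way if the trend is wanted rather than a point value.
SELECT name AS logical_name, type_desc, size * 8 / 1024 AS size_mb
FROM sys.database_files;
```

Schedule the INSERT as a daily Agent job; the growth and composition queries then cover any window for which snapshots exist, which is what makes the monthly management report reproducible rather than a one-off.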

Sample Managed Services Monthly Report

Q & A

Thank You! Please let us know if you have any questions. email: phil.burns@aptify.com