KuppingerCole Whitepaper. by Dave Kearns February 2013


KuppingerCole Whitepaper
Using Information Stewardship within
by Dave Kearns, dk@kuppingercole.com
February 2013

Content
1. Summary ... 3
2. Good information governance is fundamental to information stewardship ... 5
3. Good information stewardship needs information centric, rather than technology centric security ... 6
4. Information stewardship involves the business as well as the IT services group ... 7
4.1 Understand the value and sensitivity of the information you hold ... 7
4.2 Implement Strong Identity and Access Management ... 7
4.3 Encrypt your data ... 7
4.4 Train people to understand the value and sensitivity of information ... 8
4.5 Adopt best practices to secure information, PII and your IT services ... 8
4.6 Implement the technical controls to protect information ... 8
4.7 Take steps to mitigate the effect of a loss ahead of time ... 8
4.8 Create an information leakage resilience plan ... 8
4.9 Coordinated attacks by outsiders are an increasing concern ... 8
5. Conclusion ... 9
Page 2 of 10

1. Summary

Loss and theft of Personally Identifiable Information (PII) from government, military and defense organizations continues to be a significant problem. Given the amount of attention to this area and the wealth of standards and technology available, why do these leaks still occur? This document considers the sources of leakage and describes how better information stewardship, based on information centric security, is essential to managing these risks.

According to the National Institute of Standards and Technology (NIST), examples of PII include, but are not limited to:

- Name, such as full name, maiden name, mother's maiden name, or alias;
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number;
- Address information, such as street address or email address;
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry);
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Information stewardship uses good governance techniques to implement information centric security for all of your data, including PII. Information stewardship involves the business as well as the IT services group: line of business managers, application owners and everyone who touches information are involved, as well as the IT service providers. It creates a culture where the people in the organization understand the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organization is resilient to loss of data by protecting information against that eventuality. And when the seemingly inevitable leakage or loss occurs, information stewardship provides the resilience necessary to mitigate the damage and restore both the information and the trust of users.

Figure 1: Information Leakage Risk Points

2. Good information governance is fundamental to information stewardship

Information governance is a key component of IT governance, and IT governance ensures that the IT services, however they are delivered, provide appropriate levels of security for that information. The continuing problem of data leakage, data loss and data theft shows that information governance, in itself, has proven inadequate to prevent these issues. Since many of the large organizations that have suffered these problems are both technically sophisticated and well aware of the value of the information lost, it would seem that information governance as currently implemented by these organizations is not sufficient.

Information governance consists of a set of policies, procedures, practices and organizational structures that, taken together, are aimed at ensuring the management of information according to defined strategies and controls. The objective of information governance is to meet business needs, manage risk and ensure compliance with laws and regulations. Information governance is also concerned with creating a culture within the organization, and it is this aspect that has been lacking. In addition, organizations need to implement stronger controls on access to their data and take measures to protect against external threats.

3. Good information stewardship needs information centric, rather than technology centric security

Organizations can no longer rely on perimeter appliances to protect their proprietary or sensitive information. In today's world information can easily travel outside the physical boundaries of the organization via tablets, mobile phones, and remote access. In order to protect information today, we need to build security into the information itself, and data becomes the new perimeter. The elements of information centric security are shown in the following diagram:

Figure 2: Information Centric Security

4. Information stewardship involves the business as well as the IT services group

Line of business managers, application owners and everyone who touches information are involved along with the IT service providers. Good information stewardship creates a culture where the people in the organization understand the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organization is resilient to loss of data by protecting information against that eventuality. And when the seemingly inevitable leakage or loss occurs, information stewardship provides the resilience necessary to mitigate the damage and restore both the information and the trust of users. The following best practices are recommended to ensure proper information stewardship:

4.1 Understand the value and sensitivity of the information you hold

You cannot protect what you don't know you have. All structured data, including PII, needs to be formally classified in terms of its business impact and regulatory requirements. However, much of the sensitive information within an organization is now held in unstructured form such as emails, word documents, spreadsheets and presentation files. These are created in an ad hoc manner by employees and may contain information which needs to be controlled. This poses a significant problem because it is hard for an organization to protect what it does not know exists. While it is possible for structured application data to be classified by a single part of the organization, often a single person, it is not practical to centrally classify all this unstructured data. Worse still, this unstructured data is often held on shared drives, SharePoint systems, even cloud services, and is highly mobile. Use of tools designed for non-IT personnel to help them identify and classify unstructured PII data is critical to protecting your information.

4.2 Implement Strong Identity and Access Management

- Identity Management: knowing who is accessing information.
- Access Management: ensuring that access rights are appropriate.
- Privileged Access Management: ensuring privileged users are controlled.
- Monitoring: who has access to, and who has accessed, what.

4.3 Encrypt your data

Valuable and sensitive information, especially PII, should be encrypted whenever possible. At the least, both portable and permanent storage devices should be encrypted, but any information on the wire or in the air also needs the strongest encryption possible, along with methods to monitor the data flow.
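Section 4.1 calls for tools that let non-IT staff find and classify PII held in unstructured files. The following is an added example of the core of such a scanner, not code from the whitepaper or from KuppingerCole: it looks for the NIST PII categories listed in the Summary (SSN, email address, credit card number, date of birth) and assigns each file a classification tier by business impact. The regular expressions, tier names and sample documents are constructed for illustration.

```python
import re

# Added example (not from the whitepaper): a scanner that flags the NIST PII
# categories listed in the Summary (SSN, email, credit card number, date of
# birth) in unstructured text and assigns a classification tier per file.
# Patterns, tier names and the sample documents are constructed for illustration.

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})", re.I)

# Constructed sample "files" standing in for emails, documents and spreadsheets.
SAMPLE_DOCS = {
    "hr-export.txt": "Employee: Jane Doe, SSN 123-45-6789, DOB: 04/12/1970, card 4111 1111 1111 1111",
    "newsletter-draft.txt": "Contact jane.doe@example.org for the Q2 draft. Order ref 4111 1111 1111 1112.",
    "meeting-notes.txt": "Agenda: review of the 2013 stewardship policy; budget line 12345.",
}

def luhn_ok(digits: str) -> bool:
    """Luhn check so that random digit runs (order numbers, IDs) are not reported as card PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict[str, list[str]]:
    """Return the PII found in text, keyed by category name."""
    found: dict[str, list[str]] = {}
    for m in SSN_RE.finditer(text):
        found.setdefault("ssn", []).append(m.group())
    for m in EMAIL_RE.finditer(text):
        found.setdefault("email", []).append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.setdefault("card", []).append(digits)
    for m in DOB_RE.finditer(text):
        found.setdefault("dob", []).append(m.group(1))
    return found

def classify(text: str) -> str:
    """Tier by business impact: direct identifiers -> RESTRICTED, linkable data -> CONFIDENTIAL."""
    found = find_pii(text)
    if found.keys() & {"ssn", "card"}:
        return "RESTRICTED"
    return "CONFIDENTIAL" if found else "INTERNAL"

def classify_all(docs: dict[str, str]) -> dict[str, str]:
    """Inventory step: one tier per file, the input for the access and encryption rules in 4.2 and 4.3."""
    return {name: classify(text) for name, text in docs.items()}

if __name__ == "__main__":
    for name, tier in classify_all(SAMPLE_DOCS).items():
        print(f"{name}: {tier} {sorted(find_pii(SAMPLE_DOCS[name]))}")
```

The Luhn check is what keeps the second sample document at CONFIDENTIAL rather than RESTRICTED: its 16-digit order reference fails the checksum and is not counted as a card number.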

4.4 Train people to understand the value and sensitivity of information

Mishandling of data by employees and associates is a significant cause of information loss. Everyone in the organization should be trained to understand the value and sensitivity of protected information, including PII, and to treat it in a way that is appropriate. This education requirement should be ongoing, especially when you expect and require these people to classify unstructured data.

4.5 Adopt best practices to secure information, PII and your IT services

Best practices represent the combined knowledge of the best brains in the industry. However, be selective: not everything will apply to your organization. Require everyone, including outsourced IT service providers, to follow these standards.

4.6 Implement the technical controls to protect information

Configure and patch systems and applications to remove well-known vulnerabilities such as SQL injection. Conduct penetration tests to confirm these controls. Make sure that these controls are in place if your IT service is outsourced or you use a cloud service.

4.7 Take steps to mitigate the effect of a loss ahead of time

- It is vital to formally classify structured and unstructured PII data in terms of its business impact and regulatory requirements.
- Encrypt valuable and sensitive information on storage devices, especially on portable media like USB memory sticks.
- Encrypt information in motion and monitor information flows.
- Avoid copying sensitive data onto mobile devices. If this is not possible, implement remote wipe technology that can be used when they are lost.
- Back up business critical information with a recovery plan that matches the business need for its availability.

4.8 Create an information leakage resilience plan

This should cover what to do when data is lost or leaked, including:

- Statutory and legal obligations to inform regulators and individuals.
- How to manage the business impact of an information loss. This should be part of the business continuity plan.
- Handling the media when an incident occurs.

4.9 Coordinated attacks by outsiders are an increasing concern

A high level of skill and technology is needed to intercept targeted attacks. If your organization holds information that is likely to be subject to this kind of attack, and PII is always such a target, you should consider using managed security services.

5. Conclusion

Information stewardship involves the business as well as the IT services group. Line of business managers, application owners and everyone who touches information are involved as well as the IT service providers. It creates a culture where the people in the organization can understand and identify the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information. It makes sure that the organization is resilient to loss of data by protecting information against that eventuality.

2013 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. KuppingerCole disclaims all warranties as to the adequacy, accuracy or completeness of information contained in this document. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice.

The Future of Information Security Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company, KuppingerCole provides first-hand, vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

Kuppinger Cole Ltd.
Headquarters
Am Schloßpark 129
D-65203 Wiesbaden
Germany
Phone +49 (211) 23 70 77 0
Fax +49 (211) 23 70 77 11
www.kuppingercole.com

KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eID cards, Cloud Security and Management, and Virtualization. For further information, please contact clients@kuppingercole.com