To download today's materials (depending on your browser): www.experis.us/materials1108 or www.experis.us/materials1108.pdf

Building a Complete Program around Data Loss Prevention
Experis, Tuesday, November 8, 2011
Presenter: Duane Baldwin, Security Practice Manager

Audio and Tech Support
This meeting is being broadcast, and you can listen through your computer speakers by choosing "Use Mic & Speakers" (figure 1). To turn up your computer's volume, please select: Start > My Computer > Control Panel > Sounds and Devices.
Or, please select the "Use Telephone" option on the GoToMeeting Control Panel; a number and ID will be generated along with a PIN number associated with you (figure 1).
PLEASE NOTE: All lines will be muted during this presentation. If you would like to ask a question, please use the "Questions" function (figure 2) and your question will be addressed.
Earning CPE Credit
To receive 1 CPE credit for this webinar, participants must:
- Attend the webinar for at least 60 minutes on individual computers (one person per computer)
- Answer polling questions asked throughout the webinar
At the end of today's presentation, a link to our CPE Learning Event Survey will be posted in the chat box in the control panel. Please take a few moments to complete the survey, as we appreciate your feedback.
Agenda
- Identify information/data loss risks and high-exposure information/data breaches
- Apply an approach to evaluating and evolving your existing data loss prevention capabilities
- Describe supporting functions that will add to the success of your data loss prevention program

What is Data Loss Prevention?
It is a systematic approach to identifying, monitoring and protecting the confidentiality, integrity and availability of data in motion, at rest or in use.
Polling Question #1
Where are you in forming a Data Loss Prevention program?
A. Full program (strategy, governance, processes, tools, training) in place
B. Defined a data classification framework
C. Bought a tool
D. Just beginning in planning

Risks Posed by Data Loss
Types of information at risk
- Intellectual Property / Trade Secrets
- Personally Identifiable Information (PII)
- System Data and Configuration Settings
- Critical Data
- Personal Health Information (PHI)
- Corporate Strategy
- Unreleased Financial Information

Value and Risk of an Organization's Information

Information                                    | Value  | Threat | Vulnerability | Counter Measures | Risk
-----------------------------------------------|--------|--------|---------------|------------------|-------
Consolidated financial information             | HIGH   | MEDIUM | LOW           | HIGH             | MEDIUM
Customer personal information                  | HIGH   | HIGH   | MEDIUM        | HIGH             | HIGH
Internal office memorandums (non-confidential) | LOW    | LOW    | HIGH          | LOW              | LOW
Confidential executive memorandums             | MEDIUM | MEDIUM | MEDIUM        | LOW              | MEDIUM
What is your risk?
Data loss can result in:
- Significant financial penalties
- Extensive operational impact
- Increased monitoring costs
- Adverse publicity
- Negative effect on your organization's brand and reputation
- Lost business

How it can happen
- Intrusion
- Extrusion
The threat to data continues
Loss of business-critical information is a real threat:
- 74 percent somewhat or extremely concerned
- 42 percent have lost confidential/proprietary information in the past
- 100 percent saw losses (lost revenue, direct financial cost)
Lost devices are a huge problem:
- 62 percent lost devices in the last six months
- 100 percent have some devices that are not password protected
Source: Symantec 2010 SMB Information Protection Survey, May/June 2010

High Profile Data Breach Incidents
Sony Corporation, PlayStation Network, April 26, 2011
- 77,000,000 records: names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and possibly credit cards obtained
- No known actual costs
- $4,620,000,000 Ponemon Institute direct costs estimate
Sony Corporation, May 2, 2011
- 24,600,000 customer dates of birth, email addresses and phone numbers, including 12,700 non-U.S. credit or debit card numbers and expiration dates and about 10,700 direct debit records including bank account numbers, accessed by a hacker
- No known actual costs
- $1,476,000,000 Ponemon Institute direct costs estimate
Source: Open Security Foundation / DataLossDB.org
High Profile Data Breach Incidents (Cont.)
TJX Companies, January 17, 2007
- 94,000,000 credit card numbers and transactions compromised
- $64,113,000 total known costs
- $5,640,000,000 Ponemon Institute direct costs estimate
US Department of Veterans Affairs, May 22, 2006
- 26,500,000 U.S. military veterans' names, Social Security Numbers, and dates of birth
- $20,000,000 total known costs
- $1,590,000,000 Ponemon Institute direct costs estimate
Source: Open Security Foundation / DataLossDB.org

Security flaws create risks to your data
- Information security strategies and objectives not adequately linked to business goals
- Incomplete governance and leadership involvement
- Ineffective security policies
- Irregular or ineffective security risk assessments
- Lack of awareness regarding location of critical data, how to classify it and how to protect it throughout its lifecycle
- Inadequate monitoring of security controls
- Miscommunication with internal and external audiences regarding security requirements and expectations
- Flawed Web application design: common vulnerabilities persist
- Server and database vulnerabilities
- Ineffective access definitions
- Phishing and social engineering
What Individuals Would Pay to Protect Their Personal Information
- Social Security number/government ID: $240/year
- Credit Card number: $150/year
- Electronic or Physical Histories: $52 - $59/year
- Health Industry Medical Records: $38/year
- On-line buying habits and social profiles: $3 - $5.70/year
- Contact Information (phone number, e-mail or mailing address): $4.20/year
Source: "What's Your Personal Data Worth" by Tim Money, Jan. 18, 2011, designmind.frogdays.com blog

Common mistakes in approaching a DLP Program
- Looking for the silver bullet: "Install a tool and my problem is solved"
- Having an isolated project or team rather than a holistic approach
- Lack of sponsorship
- Treating it like a compliance project
- Not building the appropriate foundation for the program to work
Polling Question #2
What priority do you give advancing your DLP program in 2012?
A. Top priority
B. In the middle
C. Low priority
D. No intention to focus on it at all

Building a DLP Program
Suggested Steps for a Complete DLP Program
- Profile Your DLP Needs
- Characterize Your Current DLP Program
- Assess Your DLP Program Effectiveness
- Define a DLP Strategy
- Create an Action Plan to Achieve the Strategy

Profile Your DLP Needs
Goal: Gain a complete understanding of data types and their use
Suggested Activities:
- Understand your data's business environment:
  - Business drivers across the Enterprise
  - Regulatory and customer requirements as tied to the business
  - Existing data retention standards
- Determine how data is used:
  - Identify data classifications in use across the Enterprise
  - Determine data user groups
- Profile the extent of data use across all avenues:
  - Data at Rest
  - Data in Motion
  - Data at the Endpoints
Characterize Your Current DLP Program
Goal: Identify and understand all currently implemented DLP components and ongoing initiatives
Activities:
- Determine maturity levels of processes, procedures and solutions used for a DLP operational framework that includes:
  - Data Classification
  - Data Discovery
  - Data Protection
  - Governance and Risk Management
  - Monitoring, Measurement and Improvement

Current State Capability Maturity Scale
- None: No capability currently exists
- Progressing: Elements of a capability exist and meet some of the compliance requirements and business objectives
- Basic: The capability supports core business processes and compliance requirements
- Advanced: The capability incorporates information security solutions that exceed basic compliance requirements and incorporates industry-leading practices
- Industry Leading: The capability exceeds industry standards and sets the model for industry to follow

Assess Your DLP Program Effectiveness
Goal: Determine if the current DLP program has been effectively executed and identify gaps
Activities:
- Evaluate effectiveness of each implemented component of the DLP program
- Estimate adoptability and effectiveness of future initiatives
- Determine gaps and potential risk levels

Risk Determination Scale
- Critical: Extremely weak or nonexistent capabilities to protect critical data; likelihood for exploitation of current state is extremely high; risk of severe adverse impact to company assets is critical and requires immediate attention
- High: Limited or poorly implemented capabilities, large gaps exist; likelihood for exploitation of current state is high; risk of serious adverse impact to company assets is high and requires priority attention
- Moderate: Capabilities exist, but lack formality and consistency; likelihood for exploitation of current state is moderate to high; risk of adverse impact to company assets is moderate and may require priority attention
- Low: Consistent, integrated and managed capabilities are employed; likelihood for exploitation of current state is low; even with no priority attention, risk of adverse impact to company assets is low
Define a DLP Program Strategy
Goal: Define objectives to implement the vision and goals, and finalize the strategy
Activities:
- Create a vision that resonates with all aspects of the business
- Define goals that encompass Governance, People, Processes and Technology to be effective
- Work with data owners and stakeholders to identify objectives across the DLP components as aligned with the goals:
  - Data Classification
  - Data Discovery
  - Data Protection
  - Data Handling
  - Governance and Risk Management
  - Monitoring, Measurement and Improvement
- Validate and finalize

Data Loss Prevention Strategy Structure
DLP Strategy Framework: 1. DLP Vision, 2. DLP Goals, 3. DLP Objectives
Characteristics:
- Sets out a common long-term picture and strategic direction for the Data Loss Prevention program
- Establishes the core business value to be delivered by the Data Loss Prevention program
- Identifies common and business-specific goals that reflect each aspect of the vision
- Encompasses both immediate and future direction across the enterprise
- Integrates measurable targets and procedures for evaluating the progress against specified goals and objectives
Governance Considerations
An important aspect of executing an effective DLP program is the incorporation of Governance activities. Key areas to include:
- Roles and Responsibilities: responsibilities for all aspects of DLP operations need to be clearly defined within the business units as well as at the Corporate level
- Processes: processes, including decision points that integrate with defined roles and responsibilities, should be defined for the DLP program
- Oversight, Management and Review: an oversight structure should be defined that incorporates a combination of centralized and decentralized (Business Unit) responsibilities

Roles and Responsibilities: Data Loss Prevention
- Audit Committee: Ultimate accountability
- C-Level Executives: Overall responsibility
- Business Operations: Data ownership
- Information Security Officer: Guidance and oversight
- Information Technology: Data custodian and tool implementation & operation
- Internal Audit: Monitor operating effectiveness
- All Users and Vendors: Follow policies and guidance and report suspected breaches
Develop an Action Plan
Goal: Create an Action Plan to close current gaps and implement a DLP strategy
Activities:
- Develop an Action Plan, which typically includes:
  - Workstream Overview
  - Quick Win Activities
  - Prioritized Implementation
  - Responsible Parties
  - Resource Estimate
  - Cost Range
  - Execution Timeline
  - Critical Success Factors

Polling Question #3
What kind of information breaches have you encountered in the past?
A. No breaches
B. Lost or stolen laptops, PDAs or computers
C. Cyber-stolen data externally
D. Insider theft of sensitive information
E. Employees send out unencrypted data through email
Key Supporting Functions for Your DLP Program

Employee awareness
Employees are critical to a successful data management and data loss prevention program. Employee awareness programs need to include:
- DLP overall policy and supporting policies (e.g., Acceptable Use)
- Initial training
- Ongoing education and periodic reminders
- Evolution of employee education aligned with evolving technology
- Consequences
Even with strong policies and training, employees may not understand how to execute in their environment. Specific guidelines with data use cases and examples of exceptions have helped bridge this gap.
Vendors/Business Partners
Vendors and Business Partners play a critical role in protecting your data:
- Service Level Agreements should clearly define your data protection requirements, consequences for failing to provide the proper protection, and breach notification requirements
- Include in your Vendor Management program examination of protections of your data, including self-assessments and site inspections
- Work with the vendor to remediate risks identified, or choose an alternate vendor, preferably before a breach occurs

Incident Response
Data breaches can happen! An organization must be prepared. Incorporating data breaches into your incident response procedures should include:
- Reporting: any employee discovering a potential breach needs to know who to contact and what information to provide
- Define an Incident Response Team (members, roles and responsibilities) with the appropriate knowledge to evaluate data breaches
- Actions to be taken (shutting down, recovery, data scrubbing, retention of data, chain of custody)
- Communication protocols (internal, customer, shareholders, authorities, press)
- Breach notification: several regulations require notification to the affected parties (understand the different notification triggers)
Tools and Technology
Technology needs to be aligned with the goals and objectives of the DLP program. Tools available include:
- Discovery and fingerprinting
- Content awareness and filtering
- Logging, monitoring and alerting when data is accessed
- Encryption
- E-mail content monitoring
- Mobile device protection
- Access controls
- Firewalls, intrusion prevention, intrusion detection
- Virus protection
- DLP products
- Others

Closing Observations
- Business and personal data will continue to be targets, not only from external sources but internal as well
- Understanding your data is absolutely critical to protecting it: what data is important, where your data is located, how it's used, how your data flows during business transactions, etc.
- Threat profiles and business operations continuously change; implementing a strong risk management program to periodically reexamine DLP program effectiveness is important
- Effective DLP programs go beyond just implementing a tool
- Data breaches may still happen! Data breach notifications and response are critical to minimize impact and regulatory fines.
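The "Discovery and fingerprinting", "Content awareness and filtering" and "E-mail content monitoring" categories on the Tools and Technology slide, and the data-at-rest / data-in-motion profiling on the Profile Your DLP Needs slide, all rest on the same mechanism: inspect content, decide whether it is sensitive, and act. The Python script below is an added example written for this edit; it is not code from the webinar, from Experis, or from any DLP product. It shows the two detection methods a DLP engine combines: pattern matching with validation (so that a random digit run does not trip the Social Security number or payment card rule) and hashed word-shingle fingerprinting of a protected document (so that a pasted excerpt is caught without the engine storing the document text). The regexes, the shingle size, the block threshold and every sample message and document are assumptions constructed for the example.

```python
"""Added example (not from the webinar): the core of a content-aware DLP check.

  1. Content awareness: regex candidates for PII (SSN, payment card),
     each confirmed by a validation rule so that random digit runs do
     not raise alerts.
  2. Fingerprinting: a protected document is reduced to hashed word
     shingles; text that shares shingles with it is flagged even when
     only an excerpt was copied.
All sample data below is constructed for this example.
"""
import hashlib
import re

# Candidate patterns (assumed for the example). A match is only a candidate until validated.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_identifiers(text: str):
    """Return validated (kind, value) hits found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("CARD", m.group(0)))
    return hits


def shingles(text: str, k: int = 5):
    """Hash every run of k consecutive words; the set of hashes is the fingerprint,
    so the engine never needs to hold the protected text itself."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


def fingerprint_match(doc_fp, text: str, k: int = 5) -> float:
    """Fraction of the text's shingles that occur in the protected document,
    so a pasted excerpt scores high even if the rest of the message is unrelated."""
    s = shingles(text, k)
    return len(s & doc_fp) / len(s) if s else 0.0


def scan(label: str, text: str, doc_fp, threshold: float = 0.5) -> dict:
    """Combine both detectors into one verdict for an item in motion
    (an outbound e-mail) or at rest (a file found during discovery)."""
    ids = find_identifiers(text)
    score = fingerprint_match(doc_fp, text)
    verdict = "BLOCK" if ids or score >= threshold else "ALLOW"
    return {"item": label, "identifiers": ids,
            "fingerprint_score": round(score, 2), "verdict": verdict}


# Constructed protected document (stands in for a real fingerprinted file).
PROTECTED_DOC = ("The quarterly revenue forecast for fiscal 2012 is confidential "
                 "and must not leave the finance group before the earnings call")

if __name__ == "__main__":
    fp = shingles(PROTECTED_DOC)
    samples = {  # constructed items an e-mail gateway or file scan might see
        "mail-1": "Per our call, my SSN is 123-45-6789, please update payroll.",
        "mail-2": "Invoice total 4111 1111 1111 1111 paid; thanks.",
        "mail-3": "Order ref 4111 1111 1111 1112 shipped today.",
        "file-1": "FYI: quarterly revenue forecast for fiscal 2012 is confidential",
        "mail-4": "Lunch is at noon on Tuesday, bring the sign-up sheet.",
    }
    for label, text in samples.items():
        print(scan(label, text, fp))
```

Run stand-alone, the script blocks the SSN message, the Luhn-valid card number and the pasted excerpt, and allows the digit run that fails Luhn and the unrelated lunch note. The validation step is where real products earn their keep: without it, every 16-digit order number becomes an alert, and the alert volume is what turns a DLP tool into the "isolated project" the Common Mistakes slide warns against.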
Questions?
For more information please contact:
Duane Baldwin
Duane.Baldwin@experis.com
614.216.7327 Mobile

Webinar evaluation
A link to our CPE Learning Event Survey is now located in the chat box in the control panel. Please take a few minutes to provide us with your feedback.
More information
For more information, please visit www.experis.us