Building a Complete Program around Data Loss Prevention


Experis webinar, Tuesday, November 8, 2011
Presenter: Duane Baldwin, Security Practice Manager
Slides: www.experis.us/materials1108 or www.experis.us/materials1108.pdf


Agenda
- Identify information/data loss risks and high-exposure information/data breaches
- Apply an approach to evaluating and evolving your existing data loss prevention capabilities
- Describe supporting functions that will add to the success of your data loss prevention program

What is Data Loss Prevention?
A systematic approach to identifying, monitoring and protecting the confidentiality, integrity and availability of data in motion, at rest or in use.

Polling Question #1: Where are you in forming a Data Loss Prevention program?
A. Full program (strategy, governance, processes, tools, training) in place
B. Defined a data classification framework
C. Bought a tool
D. Just beginning in planning

Risks Posed by Data Loss

Types of information at risk
- Intellectual Property / Trade Secrets
- Personally Identifiable Information (PII)
- Personal Health Information (PHI)
- System Data and Configuration Settings
- Critical Data
- Corporate Strategy
- Unreleased Financial Information

Value and Risk of an Organization's Information
The risk rating for each information type combines its value, the threat against it, how vulnerable it is, and the countermeasures already in place:

  Information                                     Value   Threat  Vulnerability  Countermeasures  Risk
  Consolidated financial information              HIGH    MEDIUM  LOW            HIGH             MEDIUM
  Customer personal information                   HIGH    HIGH    MEDIUM         HIGH             HIGH
  Internal office memorandums (non-confidential)  LOW     LOW     HIGH           LOW              LOW
  Confidential executive memorandums              MEDIUM  MEDIUM  MEDIUM         LOW              MEDIUM

What is your risk? Data loss can result in:
- Significant financial penalties
- Extensive operational impact
- Increased monitoring costs
- Adverse publicity
- Negative effect on your organization's brand and reputation
- Lost business

How it can happen: intrusion (an outsider breaking in to take data) and extrusion (data leaving the organization from the inside, whether through a careless or malicious insider or a compromised system).

The threat to data continues
Loss of business-critical information is a real threat:
- 74 percent are somewhat or extremely concerned
- 42 percent have lost confidential/proprietary information in the past
- 100 percent of those saw losses (lost revenue, direct financial cost)
Lost devices are a huge problem:
- 62 percent lost devices in the last six months
- 100 percent have some devices that are not password protected
Source: Symantec 2010 SMB Information Protection Survey, May/June 2010

High Profile Data Breach Incidents
- Sony Corporation, PlayStation Network, April 26, 2011: 77,000,000 records obtained (names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and possibly credit cards). No known actual costs; $4,620,000,000 Ponemon Institute direct-costs estimate.
- Sony Corporation, May 2, 2011: 24,600,000 customer dates of birth, email addresses and phone numbers accessed by a hacker, including 12,700 non-U.S. credit or debit card numbers and expiration dates and about 10,700 direct-debit records including bank account numbers. No known actual costs; $1,476,000,000 Ponemon Institute direct-costs estimate.
Source: Open Security Foundation / DataLossDB.org

High Profile Data Breach Incidents (cont.)
- TJX Companies, January 17, 2007: 94,000,000 credit card numbers and transactions compromised. $64,113,000 total known costs; $5,640,000,000 Ponemon Institute direct-costs estimate.
- US Department of Veterans Affairs, May 22, 2006: 26,500,000 U.S. military veterans' names, Social Security Numbers and dates of birth. $20,000,000 total known costs; $1,590,000,000 Ponemon Institute direct-costs estimate.
Source: Open Security Foundation / DataLossDB.org
(The Ponemon direct-cost estimates on both slides work out to roughly $60 per record.)

Security flaws create risks to your data
- Information security strategies and objectives not adequately linked to business goals
- Incomplete governance and leadership involvement
- Ineffective security policies
- Irregular or ineffective security risk assessments
- Lack of awareness regarding the location of critical data, how to classify it and how to protect it throughout its lifecycle
- Inadequate monitoring of security controls
- Miscommunication with internal and external audiences regarding security requirements and expectations
- Flawed web application design; common vulnerabilities persist
- Server and database vulnerabilities
- Ineffective access definitions
- Phishing and social engineering

What Individuals Would Pay to Protect Their Personal Information
- Social Security number / government ID: $240/year
- Credit card number: $150/year
- Electronic or physical histories: $52 - $59/year
- Health industry medical records: $38/year
- Online buying habits and social profiles: $3 - $5.70/year
- Contact information (phone number, e-mail or mailing address): $4.20/year
Source: "What's Your Personal Data Worth" by Tim Money, Jan. 18, 2011, designmind.frogdays.com blog

Common mistakes in approaching a DLP Program
- Looking for the silver bullet: "install a tool and my problem is solved"
- Having an isolated project or team rather than a holistic approach
- Lack of sponsorship
- Treating it like a compliance project
- Not building the appropriate foundation for the program to work

Polling Question #2: What priority do you give advancing your DLP program in 2012?
A. Top priority
B. In the middle
C. Low priority
D. No intention to focus on it at all

Building a DLP Program

Suggested Steps for a Complete DLP Program
1. Profile your DLP needs
2. Characterize your current DLP program
3. Assess your DLP program effectiveness
4. Define a DLP strategy
5. Create an action plan to achieve the strategy

Profile Your DLP Needs
Goal: Gain a complete understanding of data types and their use
Suggested activities:
- Understand your data's business environment: business drivers across the enterprise; regulatory and customer requirements as tied to the business; existing data retention standards
- Determine how data is used: identify data classifications in use across the enterprise; determine data user groups
- Profile the extent of data use across all avenues: data at rest, data in motion, data at the endpoints

Characterize Your Current DLP Program
Goal: Identify and understand all currently implemented DLP components and ongoing initiatives
Activities: Determine the maturity level of the processes, procedures and solutions used for a DLP operational framework that includes:
- Data Classification
- Data Discovery
- Data Protection
- Governance and Risk Management
- Monitoring, Measurement and Improvement

Current State Capability Maturity Scale
  None              No capability currently exists
  Progressing       Elements of a capability exist and meet some of the compliance requirements and business objectives
  Basic             The capability supports core business processes and compliance requirements
  Advanced          The capability incorporates information security solutions that exceed basic compliance requirements and incorporates industry leading practices
  Industry Leading  The capability exceeds industry standards and sets the model for the industry to follow

Assess Your DLP Program Effectiveness
Goal: Determine if the current DLP program has been effectively executed and identify gaps
Activities:
- Evaluate the effectiveness of each implemented component of the DLP program
- Estimate the adoptability and effectiveness of future initiatives
- Determine gaps and potential risk levels

Risk Determination Scale
  Critical  Extremely weak or nonexistent capabilities to protect critical data; likelihood of exploitation of the current state is extremely high; risk of severe adverse impact to company assets is critical and requires immediate attention
  High      Limited or poorly implemented capabilities, large gaps exist; likelihood of exploitation of the current state is high; risk of serious adverse impact to company assets is high and requires priority attention
  Moderate  Capabilities exist but lack formality and consistency; likelihood of exploitation of the current state is moderate to high; risk of adverse impact to company assets is moderate and may require priority attention
  Low       Consistent, integrated and managed capabilities are employed; likelihood of exploitation of the current state is low; even with no priority attention, risk of adverse impact to company assets is low

Define a DLP Program Strategy
Goal: Define objectives that implement the vision and goals, and finalize the strategy
Activities:
- Create a vision that resonates with all aspects of the business
- Define goals that encompass governance, people, processes and technology
- Work with data owners and stakeholders to identify objectives across the DLP components, aligned with the goals: Data Classification, Data Discovery, Data Protection, Data Handling, Governance and Risk Management, Monitoring, Measurement and Improvement
- Validate and finalize

Data Loss Prevention Strategy Structure
The DLP strategy framework has three levels: (1) DLP Vision, (2) DLP Goals, (3) DLP Objectives. Characteristics of a sound framework:
- Sets out a common long-term picture and strategic direction for the Data Loss Prevention program
- Establishes the core business value to be delivered by the Data Loss Prevention program
- Identifies common and business-specific goals that reflect each aspect of the vision
- Encompasses both immediate and future direction across the enterprise
- Integrates measurable targets and procedures for evaluating progress against the specified goals and objectives

Governance Considerations
An important aspect of executing an effective DLP program is the incorporation of governance activities. Key areas to include:
- Roles and Responsibilities: responsibilities for all aspects of DLP operations need to be clearly defined within the business units as well as at the corporate level
- Processes: processes, including decision points that integrate with the defined roles and responsibilities, should be defined for the DLP program
- Oversight, Management and Review: an oversight structure should be defined that incorporates a combination of centralized and decentralized (business unit) responsibilities

Roles and Responsibilities for Data Loss Prevention
  Audit Committee               Ultimate accountability
  C-Level Executives            Overall responsibility
  Business Operations           Data ownership
  Information Security Officer  Guidance and oversight
  Information Technology        Data custodian; tool implementation and operation
  Internal Audit                Monitor operating effectiveness
  All Users and Vendors         Follow policies and guidance and report suspected breaches

Develop an Action Plan
Goal: Create an action plan to close current gaps and implement the DLP strategy
Activities: Develop an action plan, which typically includes:
- Workstream overview
- Quick-win activities
- Prioritized implementation
- Responsible parties
- Resource estimate
- Cost range
- Execution timeline
- Critical success factors

Polling Question #3: What kind of information breaches have you encountered in the past?
A. No breaches
B. Lost or stolen laptops, PDAs or computers
C. Data stolen externally by cyber attack
D. Insider theft of sensitive information
E. Employees sending out unencrypted data through email

Key Supporting Functions for Your DLP Program

Employee awareness
Employees are critical to a successful data management and data loss prevention program. Employee awareness programs need to include:
- The overall DLP policy and supporting policies (e.g., Acceptable Use)
- Initial training
- Ongoing education and periodic reminders
- Evolution of employee education aligned with evolving technology
- Consequences
Even with strong policies and training, employees may not understand how to execute in their environment. Specific guidelines with data use cases and examples of exceptions have helped bridge this gap.

Vendors/Business Partners
Vendors and business partners play a critical role in protecting your data:
- Service level agreements should clearly define your data protection requirements, the consequences for failing to provide the proper protection, and breach notification requirements
- Include in your vendor management program an examination of the protections applied to your data, including self-assessments and site inspections
- Work with the vendor to remediate identified risks, or choose an alternate vendor, preferably before a breach occurs

Incident Response
Data breaches can happen! An organization must be prepared. Incorporating data breaches into your incident response procedures should cover:
- Reporting: any employee discovering a potential breach needs to know who to contact and what information to provide
- An Incident Response Team (members, roles and responsibilities) with the appropriate knowledge to evaluate data breaches
- Actions to be taken (shutting down, recovery, data scrubbing, retention of data, chain of custody)
- Communication protocols (internal, customer, shareholders, authorities, press)
- Breach notification: several regulations require notification to the affected parties (understand the different notification triggers)

Tools and Technology
Technology needs to be aligned with the goals and objectives of the DLP program. Tools available include:
- Discovery and fingerprinting
- Content awareness and filtering
- Logging, monitoring and alerting when data is accessed
- Encryption
- E-mail content monitoring
- Mobile device protection
- Access controls
- Firewalls, intrusion prevention, intrusion detection
- Virus protection
- DLP products
- Others

Closing Observations
- Business and personal data will continue to be targets, not only from external sources but internal as well
- Understanding your data is absolutely critical to protecting it: what data is important, where your data is located, how it's used, how your data flows during business transactions, etc.
- Threat profiles and business operations continuously change; implementing a strong risk management program to periodically re-examine DLP program effectiveness is important
- Effective DLP programs go beyond just implementing a tool
- Data breaches may still happen! Data breach notification and response are critical to minimizing impact and regulatory fines.
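The Tools and Technology slide names discovery and fingerprinting, content awareness and filtering, and e-mail content monitoring without showing what those controls actually compute. The Python below is an added example (not code from the Experis deck or from any DLP product) of the two core decisions: pattern detection for structured PII/PCI data, with a Luhn check so order numbers and other long digit runs do not trigger, and document fingerprinting by exact hash plus word-window overlap, so a paragraph pasted out of a protected memo is still caught. The internal domain corp.example, the memo and the three messages are constructed for the demonstration; the same detectors serve a discovery scan of files at rest, where the outcome is a classification label rather than block/alert.

```python
"""Content-aware inspection for a DLP pipeline: pattern detection plus
document fingerprinting, run over constructed sample messages.
Added example, not code from the Experis deck; every name, domain and
message below is constructed for illustration."""
import hashlib
import re

# Structured-data patterns (content awareness). SSN: reject blocks the SSA
# never issues (000, 666 and 9xx areas; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

INTERNAL_DOMAINS = {"corp.example"}  # assumed internal mail domain


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real PANs from order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    out = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            out.append(digits)
    return out


def normalize(text: str) -> str:
    return " ".join(text.lower().split())


def shingles(text: str, k: int = 5) -> set:
    """Hashes of every k-word window; a partial copy still shares windows."""
    words = normalize(text).split()
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


class Fingerprints:
    """Registry of protected documents: exact hash plus shingle sets."""

    def __init__(self, k: int = 5):
        self.k = k
        self.exact = {}    # sha256(normalized text) -> doc name
        self.partial = {}  # doc name -> shingle hashes

    def register(self, name: str, text: str) -> None:
        self.exact[hashlib.sha256(normalize(text).encode()).hexdigest()] = name
        self.partial[name] = shingles(text, self.k)

    def match(self, text: str, threshold: float = 0.3, min_windows: int = 3) -> list:
        """(doc, score) for documents the text reproduces in whole or in part.
        Score = matched windows / smaller shingle set, so an excerpt in a short
        mail and a short memo buried in a long mail both score; min_windows
        keeps a coincidental phrase from firing."""
        digest = hashlib.sha256(normalize(text).encode()).hexdigest()
        if digest in self.exact:
            return [(self.exact[digest], 1.0)]
        mine = shingles(text, self.k)
        hits = []
        for name, reg in self.partial.items():
            common = len(mine & reg)
            if common >= min_windows and common / min(len(mine), len(reg)) >= threshold:
                hits.append((name, round(common / min(len(mine), len(reg)), 2)))
        return hits


def inspect(message: dict, fps: Fingerprints) -> tuple:
    """Classify one outbound message: (action, findings)."""
    body = message["body"]
    findings = [("pii.ssn", s) for s in SSN_RE.findall(body)]
    findings += [("pci.pan", p[-4:].rjust(len(p), "*")) for p in find_card_numbers(body)]
    findings += [("fingerprint", f"{name}:{score}") for name, score in fps.match(body)]
    if not findings:
        return "allow", findings
    # Policy: sensitive content to an external recipient is blocked; to an
    # internal recipient it is logged for review.
    recipient_domain = message["to"].rsplit("@", 1)[-1].lower()
    return ("alert" if recipient_domain in INTERNAL_DOMAINS else "block"), findings


PROTECTED_DOC = (  # constructed "crown jewel" document
    "Project Falcon acquisition memo. The board approved an offer of 42 dollars per share "
    "for Acme Widgets, to be announced on the first trading day after the audit closes. "
    "Do not forward outside the deal team."
)
MESSAGES = [  # constructed outbound mail
    {"to": "partner@example.net",
     "body": "Hi, the customer's SSN is 123-45-6789 and card 4111 1111 1111 1111, please process."},
    {"to": "bob@corp.example",
     "body": "FYI, draft excerpt: The board approved an offer of 42 dollars per share for Acme Widgets,"},
    {"to": "friend@example.org",
     "body": "Lunch Thursday? Order #123456789012345 shipped."},
]


def run_demo() -> list:
    fps = Fingerprints()
    fps.register("project-falcon-memo", PROTECTED_DOC)
    return [inspect(m, fps) for m in MESSAGES]


if __name__ == "__main__":
    for m, (action, findings) in zip(MESSAGES, run_demo()):
        print(f"{action:5} -> {m['to']}: {findings}")
```

Run stand-alone it prints block for the external mail carrying an SSN and a card number, alert for the internal mail quoting the memo (9 of its 12 five-word windows come from the protected document), and allow for the mail whose 15-digit order number fails the Luhn check. Window size and threshold trade false negatives for false positives: shorter windows catch smaller excerpts but fire on common phrases, which is why the registry also demands a minimum number of matched windows.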

Questions? For more information please contact: Duane Baldwin, Duane.Baldwin@experis.com, 614.216.7327 (mobile)

For more information, please visit www.experis.us