1 / 21

Protecting The Data

Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented By Brett Moore. Information Loss Costs Money. Recent study by the Ponemon Institute Examined costs incurred by 14 companies in 11 industry sectors

fiona
Download Presentation

Protecting The Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented By Brett Moore

  2. Information Loss Costs Money • Recent study by the Ponemon Institute Examined costs incurred by 14 companies in 11 industry sectors • Breaches affecting between 1,500 to 900,000 consumersTangible and intangible costs up to $14 million USD • Related survey of customers20% had terminated their relationship with the companyAnother 40% were considering in doing so • What informationStaggering amount of information stored nowFinancial, health, social, personal, business With the masses amount of data that flows through your organisation, are you taking the appropriate steps to protect what may be your most valuable asset?

  3. The Issue • Many organisations choose to spend their resources identifying and managing information security vulnerabilities instead of managing risk to their information assets. • Vulnerability-centric approaches to organisational security fall short of appropriately characterizing organizational risk because they fail to focus on what is actually at risk, the information and processes they support.

  4. Information Assets • What is an information asset An information asset is any data stored that is used by the organisation for information purposes. • Information value can be calculatedBased on the importance to the organisations continuationThe affect the loss of the information would have • Information risk assessmentThe type of data the information is created from affects the requirement to secure it • Information valueDetermines its importance and criticality to the organisation • Which data is which?What happens when an information asset is a combination of data from different sources?

  5. Where Is The Information Stored • You MUST know where your information is storedHow else are you able to secure it? • Data is stored in containersDrive, tape, cd-rom, dvd, paper, people • Containers are not ‘physical’Stored on multiple serversA collection of databasesA collection of database tables • Containers are not only technicalInformation can be in printed formInformation is stored in peoples heads

  6. Container Security Aspects • The way in which an asset is protectedThrough controls implemented at the container levelie: access checks at the database level • Security control depthThe degree to which an asset is protected is based on how well the control reflect the requirements of the asset • Risk inheritanceAny risk associated with the container is inherited by the assetie: server destruction, tape backup theft • Legal requirementsThere can be different legal requirements dependant on the information asset’s container

  7. Who Owns The Data? • The ownerAre those who have primary responsibility for the viability and survivability of the asset • Security requirementsOwners set the security requirements for an asset and communicate these to the assets’ custodiansEnsuring the security requirements have been implemented • Defining the assetThe owner defines what the information asset consists of, and is responsible for determining the assets valueIt is this value that is used to calculate risk mitigation processes • DelegationThe owner can delegate responsibilities but ultimately remains the owner responsible for the assets protection

  8. Who Looks After The Data? • The custodianManage or are responsible for containers • Accepts responsibilityThe custodian accepts responsibility and protects the data according to the owners defined requirements • Is NOT the ownerDespite common misconception, the custodian is not the owner and therefore not the responsible entity • Information useAny person who makes use of the information asset becomes a custodian during that period

  9. Governance – External Requirements • Legal Sarbanes-Oxley California Disclosure Law Common Law Duty of Care • Industry Imposed PCI Compliance All concerned with information assets, not security breaches

  10. Legal Requirements • Sarbanes-Oxley (USA, July 2002) Requirements for all public companies listed in the US Public companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting Independent auditors for such companies must "attest" (i.e., agree, or qualify) to such disclosure Financial reporting is generally driven by information assets, so the security of those information assets is of primary concern • SB 1386 (California Disclosure Law, September 2002)Requires protection of personally identifiable information Must disclose if this information is reasonably believed to have been compromised Relates to any instance involving a resident of California 23 States now passed and several bills in front of Congress

  11. Impact of Disclosure Requirements • Sarbanes-Oxley Cray Inc (Supercomputer manufacturer) In March 2005, Cray filed a SOX report warning of material weaknesses in internal control over financial reporting Inadequate review of third-party contracts and lack of software application controls and documentation (SoD, and IT auditing issues) Cray's stock price dropped 56%, from $3.15 per share on March 15, 2005, to $1.38 on May 25, 2005 Now faced with a class action suit by shareholders

  12. Impact of Disclosure Requirements • US Disclosure Laws From http://www.privacyrights.org/ar/ChronDataBreaches.htm Over 120 Breaches disclosed so far this year Over 80 million records involved Breaches included: Hacking Dishonest employees Stolen computers Lost backup tapes Accidental online exposure

  13. Impact of Disclosure Requirements • Ponemon Institute Studies Notification Impact 19% of disclosure recipients terminated relationship 40% thinking of terminating 27% concerned regarding organisation Cost of Breach Reviewed 14 breaches Breaches ranged from 1,500 records to 900,000 records from 11 different industry sectors Average losses of $140 per record, or $14 million per company Includes direct ($50), indirect($15), and opportunity costs($75) Does not include implementation of additional controls

  14. Steps To Protect Information Assets • Identify information assets and ownersIAP – Information Asset Profiling • Conduct an information security risk assessmentThis includes identifying the risks to the asset • Develop and implement security policies and proceduresThis drives how and what technology is used • Test, audit, and updatePolicies and processes must workYou need to know when they are been breachedThey need to be kept recent and up to date

  15. Information Asset Risk Assessment • Primary Container May Not Be Primary Risk Other locations where information may be stored includes: • Backups • DR systems • Laptops • Desktops • Once Each Container Has Been Identified, Establish How Each Is Accessed • Thick client applications • Web Applications • Database connections • Direct file access

  16. Information Asset Risk Assessment • Perform a threat assessment of each entry point of each information asset container • Assess each threat using standard risk assessment mechanisms utilising the value of the information asset to determine the impact of the threat occurring • Each container may have multiple risk profiles, use the highest rating to determine the overall risk for that container • Remember to take into account information in transit

  17. Vulnerability versus Information Asset Approaches • Vulnerability Management Usually focused on individual containers or access points (applications) Generally doesn’t take into account the value of information assets Rates vulnerabilities in terms of impact to container, not data • Information Asset Profiling Focuses on risks to data rather than systems or applications Risks directly associated with value of data May not take into account risks not relating to data, such as reputational risk

  18. Common Tools And Techniques To Protect Data • EncryptionDatabase Communication Laptop Backup • Principle Of Least PrivilegeDatabase Server Application • Protect Data Even After Container Has Been RetiredWipe old disks/tapes, or destroy • Log/Audit Trails

  19. Key Questions To Take Away • Do you have an application or vulnerability-centric approach to security rather than focusing on the information itself? • Have you identified where your critical business data resides? Databases Servers Backups Laptops • Have you got mechanisms in place to protect each of those locations?Database/Server protections Laptop encryption Backup encryption

  20. Questions ? http://www.security-assessment.com nick@security-assessment.com

More Related