BT10
Concurrent Session 
11/8/2012 3:45 PM 
 
 
 
 
 
 

 

"Information Obfuscation:
Protecting Corporate Data...
Michael Jay Freer
Quality Business Intelligence
Michael Jay Freer is a consultant specializing in business intelligence so...
Tuesday, September 04, 2012

Information Obfuscation

Information Obfuscation
(Data Masking)
Protecting Corporate Data-Ass...
Tuesday, September 04, 2012

Information Obfuscation

Presentation Ground Rules
Start and Finish on time
Questions at anyt...
Tuesday, September 04, 2012

Information Obfuscation

Agenda
Outlining the Problem
Data Masking Golden Rule
Defining Infor...
Tuesday, September 04, 2012

Information Obfuscation

Outlining the Problem
Problem Statement
Corporate Data breaches are ...
Tuesday, September 04, 2012

Information Obfuscation

Data Masking Golden Rule
To put Information-obfuscation (Data-maskin...
Tuesday, September 04, 2012

Information Obfuscation

Information Classification
Sensitive Data
“Sensitive” is a broad ter...
Tuesday, September 04, 2012

Information Obfuscation

Information Classification
Information Classification Levels
Public ...
Tuesday, September 04, 2012

Information Obfuscation

Who is Responsible
You are!
No matter your role in the organization,...
Tuesday, September 04, 2012

Information Obfuscation

Defining a Common Language
Information Obfuscation
Information Obfus...
Tuesday, September 04, 2012

Information Obfuscation

Defining a Common Language
Communication
The Business-Information Ow...
Tuesday, September 04, 2012

Information Obfuscation

Common Language – Environment Lifecycle
Common Environments
1. Devel...
Tuesday, September 04, 2012

Information Obfuscation

Common Language – Environment Lifecycle
Other Possible Environments
...
Tuesday, September 04, 2012

Information Obfuscation

Common Language – Environment Lifecycle
Other Possible Environments
...
Tuesday, September 04, 2012

Information Obfuscation

Common Language – Environment Lifecycle
Other Possible Environments
...
Tuesday, September 04, 2012

Information Obfuscation

Common Language – Masking Taxonomy
Methods of Obfuscating Informatio...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Encrypted

Data Storage

Encrypted
Encrypted

Developm...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Encrypted

Data Storage

Encrypted
Encrypted

Developm...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Data Storage

Encrypted

Encrypted

Encrypted

Develop...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Data Storage

Encrypted

Encrypted

Encrypted

Develop...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Data Storage

Encrypted

Encrypted

Encrypted

Develop...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Data Storage

Encrypted

Encrypted

Encrypted

Develop...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Data Storage

Encrypted

Encrypted

Encrypted

Develop...
Tuesday, September 04, 2012

Information Obfuscation

Data Movement
Encrypted

Data Storage

Encrypted
Encrypted

Developm...
Tuesday, September 04, 2012

Information Obfuscation

Move Sensitive Data
to a Secured Table

Common Language – Separating...
Tuesday, September 04, 2012

Information Obfuscation

Move Sensitive Data
to a Secured Table

Common Language – Separating...
Tuesday, September 04, 2012

Information Obfuscation

Move Sensitive Data
to a Secured Table

Common Language – Separating...
Tuesday, September 04, 2012

Information Obfuscation

Move Sensitive Data
to a Secured Table

Common Language – Separating...
Tuesday, September 04, 2012

Information Obfuscation

Move Sensitive Data
to a Secured Table

Common Language – Separating...
Tuesday, September 04, 2012

Information Obfuscation

Common Language – Masking Taxonomy
Prune – Removes values from non-p...
Tuesday, September 04, 2012

Information Obfuscation

Matrix – Method, Environment, Access

User Groups

Development Staff...
Tuesday, September 04, 2012

Information Obfuscation

Last Four Digits

Development Staff

Quality Assurance

Issue Suppor...
Tuesday, September 04, 2012

Information Obfuscation

Not Acknowledged

Development Staff

Quality Assurance

Issue Suppor...
Tuesday, September 04, 2012

Information Obfuscation

Data-Centric Development
Projects that center around data analysis (...
Tuesday, September 04, 2012

Information Obfuscation

Data-Centric Development
Projects that center around data analysis (...
Tuesday, September 04, 2012

Information Obfuscation

Data-Centric Development
Projects that center around data analysis (...
Tuesday, September 04, 2012

Information Obfuscation

Data-Centric Development
Projects that center around data analysis (...
Tuesday, September 04, 2012

Information Obfuscation

Data-Centric Development
Projects that center around data analysis (...
Tuesday, September 04, 2012

Information Obfuscation

Information Obfuscation Summary
1. Obfuscation occurs throughout the...
Tuesday, September 04, 2012

Information Obfuscation

Information Obfuscation Summary
1. Obfuscation occurs throughout the...
Tuesday, September 04, 2012

Information Obfuscation

Information Obfuscation Summary
1. Obfuscation occurs throughout the...
Tuesday, September 04, 2012

Information Obfuscation

Questions?

MJFreer@QualityBI.com
(954) 249-1530

Michael Jay Freer
...
Tuesday, September 04, 2012

Information Obfuscation

Appendix

Reference Material

MJFreer@QualityBI.com
(954) 249-1530

...
Tuesday, September 04, 2012

Information Obfuscation

Sample Cross Reference Chart
Data Point
Customer - The Fact That an ...
Upcoming SlideShare
Loading in …5
×

Information Obfuscation: Protecting Corporate Data

656 views
504 views

Published on

With corporate data breaches occurring at an ever-alarming rate, all levels of organizations are struggling with ways to protect corporate data assets. Rather than choosing one or two of the many options available, Michael Jay Freer believes that the best approach is a combination of tools and practices to address the specific threats. To get you started, Michael Jay introduces the myriad of information security tools companies are using today: firewalls, virus controls, access and authentication controls, separation of duties, multi-factor authentication, data masking, banning user-developed MS-Access databases, encrypting data (both in-flight and at-rest), encrypting emails and folders, disabling jump drives, limiting web access, and more. Then, he dives deeper into data masking and describes a powerful data-masking language. Explore how to develop standard masking business-rules and the best industry practices for manipulating masked data. You can get started slowly with information obfuscation without attempting to "boil the ocean."

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
656
On SlideShare
0
From Embeds
0
Number of Embeds
16
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Information Obfuscation: Protecting Corporate Data

  1. 1.           BT10 Concurrent Session  11/8/2012 3:45 PM                "Information Obfuscation: Protecting Corporate Data"       Presented by: Michael Jay Freer Quality Business Intelligence                 Brought to you by:        340 Corporate Way, Suite 300, Orange Park, FL 32073  888‐268‐8770 ∙ 904‐278‐0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
  2. 2. Michael Jay Freer Quality Business Intelligence Michael Jay Freer is a consultant specializing in business intelligence solutions. He has provided thought leadership and consulting services to Fortune 500 companies including MetLife, Tyco Safety Products, Capital One, Brinks Home Security, Rite Aid, and Zales. With more than twenty years of experience, Michael Jay has worked with business sponsors to provide solutions in financial, marketing, manufacturing, supply chain management, retail, and hospitality/cruise/tourism industries. A member of the PMI, IIBA, and ASQ, Michael Jay serves on the board of the South Florida Chapter of the Data Warehouse Institute.
  3. 3. Tuesday, September 04, 2012 Information Obfuscation Information Obfuscation (Data Masking) Protecting Corporate Data-Assets Presented by Michael Jay Freer Michael Jay Freer - Presenter Bio Michael Jay Freer, SSGB, ITIL(v3), Information Management professional providing thought leadership to fortune 500 companies including MetLife Bank, Tyco Safety Products, Capital One, Brinks Home Security, and Zales. Over his 25+ years experience he has worked with business executives providing solutions in financial management, manufacturing, supply chain management, retail, marketing, and hospitality industries. As an Enterprise Architect at MetLife Bank, Michael Jay specialized in Information Obfuscation facilitating project solutions for protecting business Confidential and Restricted data. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 2 All rights reserved 1
  4. 4. Tuesday, September 04, 2012 Information Obfuscation Presentation Ground Rules Start and Finish on time Questions at anytime Parking lot for longer discussion points “Electronics on Stun” Respect your peers No phone calls or email in the room MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 3 All rights reserved Information Obfuscation (Data Masking) Protecting Corporate Data-assets Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 2
  5. 5. Tuesday, September 04, 2012 Information Obfuscation Agenda Outlining the Problem Data Masking Golden Rule Defining Information Obfuscation Information Classification Who is Responsible Defining a Common Language Data-Centric Development Governance MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 5 All rights reserved Outlining the Problem Problem Statement Corporate Data breaches are occurring at an alarming rate. 1) It is incumbent on organizations to protect the customer, partner, and employee data with which they are entrusted. 2) Ease of access to sensitive information in business systems. 3) Using unmasked Confidential and Restricted data in nonproduction environments exposes risks to company reputation. Business Rationale for Obfuscating Data • Reduce Data Breach Risks • Heightened Legal and Regulatory Scrutiny of Data Protection Services (i.e.: SOX, HIPAA, GLBA, NPPI, FFIEC, PCI-DSS) • Company Policies and Standards • Fundamental assumption on the part of customers that their data is already de-identified in non-production systems MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 6 All rights reserved 3
  6. 6. Tuesday, September 04, 2012 Information Obfuscation Outlining the Problem Problem Statement Corporate Data breaches are occurring at an alarming rate. 1) It is incumbent on organizations to protect the customer, partner, and employee data with which they are entrusted. 2) Ease of access to sensitive information in business systems. 3) Using unmasked Confidential and Restricted data in nonproduction environments exposes risks to company reputation. Business Rationale for Obfuscating Data • Reduce Data Breach Risks • Heightened Legal and Regulatory Scrutiny of Data Protection Services (i.e.: SOX, HIPAA, GLBA, NPPI, FFIEC, PCI-DSS) • Company Policies and Standards • Fundamental assumption on the part of customers that their data is already de-identified in non-production systems MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 7 All rights reserved Data Masking Golden Rule To put Information-obfuscation (Data-masking) into perspective simply think about yourself: How many vendors or service-providers have your personal information (banks, mortgage holders physicians, pharmacies, retailers, schools you applied to, utilities, cellular carriers, internet providers, etc.)? Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” (Use this as your compass to navigate) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 8 All rights reserved 4
  7. 7. Tuesday, September 04, 2012 Information Obfuscation Data Masking Golden Rule To put Information-obfuscation (Data-masking) into perspective simply think about yourself: How many vendors or service-providers have your personal information (banks, mortgage holders physicians, pharmacies, retailers, schools you applied to, utilities, cellular carriers, internet providers, etc.)? Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data-assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” (Use this as your compass to navigate) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 9 All rights reserved Defining Information Obfuscation Definition Information Obfuscation is the effort in both business operations and non-production systems to protect business confidential and restricted data from easy access or visibility by unauthorized parties. Framework For our purposes, obfuscation includes access management, data masking, encryption of data-at-rest (DAR) and encryption of data-in-transit including principles for protecting business communications. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 10 All rights reserved 5
  8. 8. Tuesday, September 04, 2012 Information Obfuscation Information Classification Sensitive Data “Sensitive” is a broad term for information considered to be a business trade-secret; or consider “private” by regulatory rule, legal act, or trade association (i.e.: GLBA, HIPAA, FFIEC, PCI, PHI, PII). MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 11 All rights reserved Information Classification Information Classification Levels Public – non-sensitive data, disclosure will not violate privacy rights Internal Use Only – generally available to employees and approved non-employees. May require a non-disclosure agreement. Confidential – intended for use only by specified employee groups. Disclosure may compromise an organization, customer, or employee. Restricted – very sensitive, intended for use only by named individuals. Sealed – extremely sensitive, irreparable destruction of confidence in and reputation of the organization MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 12 All rights reserved 6
  9. 9. Tuesday, September 04, 2012 Information Obfuscation Information Classification Information Classification Levels Public – non-sensitive data, disclosure will not violate privacy rights Internal Use Only – generally available to employees and approved non-employees. May require a non-disclosure PII (Personally Identifiable Information) will agreement. vary based on your company, your industry, Confidential – intended for use only by specified employee government regulations, and jurisdiction. groups. Disclosure may compromise an organization, customer, or employee. Restricted – very sensitive, intended for use only by named individuals. Sealed – extremely sensitive, irreparable destruction of confidence in and reputation of the organization MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 13 All rights reserved Who is Responsible MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 14 All rights reserved 7
  10. 10. Tuesday, September 04, 2012 Information Obfuscation Who is Responsible You are! No matter your role in the organization, you are responsible for protecting the “corporate data-assets.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 15 All rights reserved Who is Responsible You are! No matter your role in the organization, you are responsible for protecting the “corporate data-assets.” Everyone else is also Responsible All of your peers are also responsible for protecting the Corporate Data-Assets. However, you don’t have control over your peers, only over your own vigilance and how you make your management aware of any concerns, risk, or issues with the security of the corporate data-assets. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 16 All rights reserved 8
  11. 11. Tuesday, September 04, 2012 Information Obfuscation Defining a Common Language Information Obfuscation Information Obfuscation (or Data Masking) is the practice of concealing, restricting, fabricating, encrypting, or otherwise obscuring sensitive data. This is usually thought of in the context of non-production systems but it really encompasses the full information management lifecycle from on boarding of data to developing new functionality to archiving and purging historical data. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 17 All rights reserved Defining a Common Language Communication The Business-Information Owner, Project Stakeholders, Development Teams, and Support Teams need to use a common language when discussing the various obfuscation methods and where in the environment lifecycle an action will occur. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 18 All rights reserved 9
  12. 12. Tuesday, September 04, 2012 Information Obfuscation Defining a Common Language Communication The Business-Information Owner, Project Stakeholders, Development Teams, and Support Teams need to use a common language when discussing the various obfuscation methodssimple phrasethe environment lifecycle an action The and where in ‘Just mask the data’ does will occur. not address what to mask, how to mask, where to mask, or who is responsible for understanding the impact masking will have on business functionality. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 19 All rights reserved Common Language – Environment Lifecycle Common Environments 1. Development – Code is created, modified and unit tested 2. Testing / QA – System, integration, & regression testing 3. User Acceptance (UAT) – Business-user validation Test new business requirements and regression test existing functionality 4. Business Operations – Day-to-day business environment 5. Business Support – Replicate and troubleshoot business issues MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 20 All rights reserved 10
  13. 13. Tuesday, September 04, 2012 Information Obfuscation Common Language – Environment Lifecycle Common Environments 1. Development – Code is created, modified and unit tested 2. Testing / QA – System, integration, & regression testing 3. User Acceptance (UAT) – Business-user validation Question for Another Time Test new business requirements and regression some “Which of these environments will hold test existing functionality level of “sensitive-data” and which are 4. Business Operations – Day-to-day business maintained as “Production Environments?” environment 5. Business Support – Replicate and troubleshoot business issues MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 21 All rights reserved Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for integration into the business operations environments Isolated Data-Masking – Unmasked Confidential and Restricted Data should not be transferred to nonproduction environments. A separate secure environment allows for standardized data masking in-place MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 22 All rights reserved 11
  14. 14. Tuesday, September 04, 2012 Information Obfuscation Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for integration into the business operations environments Isolated Data-Masking – Unmasked Confidential and Restricted Data should not be transferred to nonproduction environments. A separate secure environment allows for standardized data masking in-place MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 23 All rights reserved Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for Example integration into the business operations environments. Isolated Data-Masking – Unmasked Confidential and A mortgage service provider staging loans when Restricted Data should not be transferred to nonthe servicing responsibility has not officially production environments. A separate secure environment transferred. allows for standardized data masking in-place MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 24 All rights reserved 12
  15. 15. Tuesday, September 04, 2012 Information Obfuscation Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for Example integration into the business operations environments. Isolated Data-Masking – Unmasked Confidential and A mortgage service provider staging loans when Restricted Data should not be transferred to nonthe servicing responsibility has not officially production environments. A separate secure environment transferred. allows for standardized data masking in-place Do you consider this to be “production data?” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 25 All rights reserved Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for integration into the business operations environments Isolated Data-Masking – Unmasked Confidential and Restricted Data should not be transferred to nonproduction environments. A separate secure environment allows for standardized data masking in-place MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 26 All rights reserved 13
  16. 16. Tuesday, September 04, 2012 Information Obfuscation Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for integration into the business operations environments Isolated Data-Masking – Unmasked Example and Confidential Company policies often state sensitive data may Restricted Data should not be transferred to nonnot be stored in non-production environments. production environments. A separate secure environment Moving standardized data masking in-place allows for data to “development” or “test” environments before masking would violate such company policies. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 27 All rights reserved Common Language – Environment Lifecycle Other Possible Environments Isolated On-boarding – When data from 3rd party partners are transitioned in, there may requirements for a secured environment to cleanse and prepare data for integration into the business operations environments Isolated Data-Masking – Unmasked Confidential and Restricted Data should not be transferred to nonproduction environments. A separate secure environment allows for standardized data masking in-place MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 28 All rights reserved 14
  17. 17. Tuesday, September 04, 2012 Information Obfuscation Common Language – Masking Taxonomy Methods of Obfuscating Information Pruning Data Concealing Data Fabricating Data Trimming Data Encrypting Data Separating Data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 29 All rights reserved Common Language – Masking Taxonomy Methods of Obfuscating Information Pruning Data Concealing Data Fabricating Data Trimming Data Encrypting Data Separating Data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 30 All rights reserved 15
  18. 18. Tuesday, September 04, 2012 Information Obfuscation Data Movement Encrypted Data Storage Encrypted Encrypted Development Environment Common Language – Where to Obfuscate Data Movement – Data can be removed, shorten, or encrypted Data Stores – Data can be encrypted , data-at-rest (DAR) Interactive User Interfaces – Only show required data or portions of attributes for identification (i.e. account#, license#, SS#) Static Reporting – More restrictive than Interactive User Interfaces MJFreer@QualityBI.com (954) 249-1530 Slide# 31 All rights reserved Michael Jay Freer Data Movement Encrypted Data Storage Encrypted Encrypted Development Environment Common Language – Where to Obfuscate Data Movement – Data can be removed, shorten, or encrypted Data Stores – Data can be encrypted , data-at-rest (DAR) Interactive User Interfaces – Only show required data or portions of attributes for identification (i.e. account#, license#, SS#) Static Reporting – More restrictive than Interactive User Interfaces MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 32 All rights reserved 16
  19. 19. Tuesday, September 04, 2012 Information Obfuscation Data Movement Encrypted Data Storage Encrypted Encrypted Development Environment Common Language – Where to Obfuscate Data Movement – Data can be removed, shorten, or encrypted Data Stores – Data can be encrypted , data-at-rest (DAR) Interactive User Interfaces – Only show required data or portions of attributes for identification (i.e. account#, license#, SS#) Static Reporting – More restrictive than Interactive User Interfaces MJFreer@QualityBI.com (954) 249-1530 Slide# 33 All rights reserved Michael Jay Freer Data Movement Encrypted Data Storage Encrypted Encrypted Development Environment Common Language – Where to Obfuscate Data Movement – Data can be removed, shorten, or encrypted Data Stores – Data can be encrypted , data-at-rest (DAR) Interactive User Interfaces – Only show required data or portions of attributes for identification (i.e. account#, license#, SS#) Static Reporting – More restrictive than Interactive User Interfaces MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 34 All rights reserved 17
  20. 20. Tuesday, September 04, 2012 Information Obfuscation Data Movement Data Storage Encrypted Encrypted Encrypted Development Environment Common Language – Where to Obfuscate Data Movement – Data can be removed, shorten, or encrypted Data Stores – Data can be encrypted , data-at-rest (DAR) Interactive User Interfaces – Only show required data or portions of attributes for identification (i.e. account#, license#, SS#) Static Reporting – More restrictive than Interactive User Interfaces MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 35 All rights reserved Common Language – Masking Taxonomy Methods of Obfuscating Information Pruning Data Concealing Data Fabricating Data Trimming Data Encrypting Data Separating Data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 36 All rights reserved 18
  21. 21. Tuesday, September 04, 2012 Information Obfuscation Data Movement Data Storage Encrypted Encrypted Encrypted Development Environment Common Language – Pruning Data Pruning Data: Removes sensitive data from attributes in non-production environments. The attribute will still appear on data entry screens and reporting but be left blank. MJFreer@QualityBI.com (954) 249-1530 Slide# 37 All rights reserved Michael Jay Freer Data Movement Encrypted Example Executive Salaries: Employee personnel records Data Storage Encrypted Encrypted Development Environment Common Language – Pruning Data can de-identify by changing Emp#, SS#, from attributes Pruning Data: Removes sensitive data& names but executive management records are attribute will still in non-production environments. Theeasily tied back to the on data entry hierarchy (e.g., top 10 salaries). appearorganizational screens and reporting but be left blank. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 38 All rights reserved 19
  22. 22. Tuesday, September 04, 2012 Information Obfuscation Data Movement Data Storage Encrypted Encrypted Encrypted Development Environment Common Language – Concealing Data Concealing Data: Removes sensitive data from user access and visibility. For data entry screens and reports, the attribute does not appear at all versus being Pruned (blank). Concealing data depends on clear rules for Access, Authentication, and Accountability. MJFreer@QualityBI.com (954) 249-1530 Slide# 39 All rights reserved Michael Jay Freer Data Movement Encrypted Example Data Storage Encrypted Encrypted Development Environment Common Language – Concealing Data Bank / Loan Account#: Bank web sites generally Concealing Data: Removes sensitivethe accountuser do not display account numbers even to data from access and visibility. For data entry screens and reports, the holder. attribute does not appear at all versus being Pruned (blank). Concealing data depends on clear rules for Access, Authentication, and Accountability. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 40 All rights reserved 20
  23. 23. Tuesday, September 04, 2012 Information Obfuscation Data Movement Data Storage Encrypted Encrypted Encrypted Development Environment Common Language – Fabricating Data Fabricating Data: 1) Creating data to replace sensitive data 2) Creating data to facilitate full functional testing 3) Creating date for negative testing (error handling) MJFreer@QualityBI.com (954) 249-1530 Slide# 41 All rights reserved Michael Jay Freer Data Movement Data Storage Encrypted Encrypted Example Contact ame or ID#: Encrypted Development Environment Common Language – Fabricating Data Replacing contact name and ID# is the standard Fabricating de-identifying customer and employee method for Data: records. 1) Creating data to replace sensitive data 2) Creating data to facilitate full functional testing 3) Creating date for negative testing (error handling) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 42 All rights reserved 21
  24. 24. Tuesday, September 04, 2012 Information Obfuscation Data Movement Data Storage Encrypted Encrypted Encrypted Development Environment Common Language – Trimming Data Trimming Data: Removes part of an attribute’s value versus Pruning which removes the entire attribute value. MJFreer@QualityBI.com (954) 249-1530 Slide# 43 All rights reserved Michael Jay Freer Data Movement Social Security# and Credit Card#: Encrypted Example Data Storage Encrypted Encrypted Development Environment Common Language – Trimming Data Changing TrimmingSSN# from 123-45-6789 toan attribute’s value Data: Removes part of XXX-XX-6789 (or a new attribute = 6789) so that only part of the versus Pruning which removes the entire attribute value. information is available, usually for identification. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 44 All rights reserved 22
  25. 25. Tuesday, September 04, 2012 Information Obfuscation Data Movement Encrypted Data Storage Encrypted Encrypted Development Environment Common Language – Encrypting Data Encrypting Data: Encryption can be done at the attribute, table, or database levels (Encrypted data can be decrypted back to the original value) MJFreer@QualityBI.com (954) 249-1530 Slide# 45 All rights reserved Michael Jay Freer Example Data Storage Encrypted Credit Card#: Credit card numbers are often encrypted Data Movement Encrypted Development Environment Common Language – Encrypting Data Encrypted for data transmission for PCI DSS compliance. Encrypting credit card numbers at rest (DAR) provides additional security. Credit Card# is Data: Encryption can that often falls Encrypting an example of an attribute be done at theinto multiple Obfuscation Methods. attribute, table, or database levels (Encrypted data can be decrypted back to the original value) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 46 All rights reserved 23
  26. 26. Tuesday, September 04, 2012 Information Obfuscation Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 47 All rights reserved Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 48 All rights reserved 24
  27. 27. Tuesday, September 04, 2012 Information Obfuscation Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 49 All rights reserved Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 50 All rights reserved 25
  28. 28. Tuesday, September 04, 2012 Information Obfuscation Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 51 All rights reserved Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 52 All rights reserved 26
  29. 29. Tuesday, September 04, 2012 Information Obfuscation Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 53 All rights reserved Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 54 All rights reserved 27
  30. 30. Tuesday, September 04, 2012 Information Obfuscation Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 55 All rights reserved Move Sensitive Data to a Secured Table Common Language – Separating Data Data Separation: Moves sensitive data into multiple tables. Data can still be joined but Sensitive and Nonsensitive attributes do not reside in a single record. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 56 All rights reserved 28
  31. 31. Tuesday, September 04, 2012 Information Obfuscation Common Language – Masking Taxonomy Prune – Removes values from non-production systems. Attribute appears on data entry screens and reporting but are blank. Conceal – Removes sensitive data from user access or visibility. For data entry screens and reports, the attribute may not appear at all or be obscured versus being Pruned (blank). Fabricate – Creating data to replace sensitive data and facilitate proper application testing. Trim – Removes part of a data attribute’s value (Pruning removes the entire attribute value) Encrypt – Unlike Fabricated Data, encrypted data can be decrypted back to the original value. Data Separation – Moves specific segments of data or individual datum into separate tables / databases to limit user access or visibility MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 57 All rights reserved Development Staff Quality Assurance Issue Support Staff Business End-User Access Matrix – Method, Environment, Access MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 58 All rights reserved 29
  32. 32. Tuesday, September 04, 2012 Information Obfuscation Matrix – Method, Environment, Access User Groups Development Staff Quality Assurance Issue Support Staff Business End-User Access Environments Obfuscation Method MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 59 All rights reserved No Access to Data Development Staff Quality Assurance Issue Support Staff Business End-User Access Matrix – Method, Environment, Access MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 60 All rights reserved 30
  33. 33. Tuesday, September 04, 2012 Information Obfuscation Last Four Digits Development Staff Quality Assurance Issue Support Staff Business End-User Access Matrix – Method, Environment, Access MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 61 All rights reserved Fabricate Data Development Staff Quality Assurance Issue Support Staff Business End-User Access Matrix – Method, Environment, Access MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 62 All rights reserved 31
  34. 34. Tuesday, September 04, 2012 Information Obfuscation Not Acknowledged Development Staff Quality Assurance Issue Support Staff Business End-User Access Matrix – Method, Environment, Access MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 63 All rights reserved Development Staff Quality Assurance Issue Support Staff Business End-User Access Matrix – Method, Environment, Access MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 64 All rights reserved 32
  35. 35. Tuesday, September 04, 2012 Information Obfuscation Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive testing will also require some level of fabricated data 4) Full regression testing will require a standardized test set including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 65 All rights reserved Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive testing will also require some level of fabricated data 4) Full regression testing will require a standardized test set including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 66 All rights reserved 33
  36. 36. Tuesday, September 04, 2012 Information Obfuscation Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive testing will also require some level of fabricated data 4) Full regression testing will require a standardized test set including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 67 All rights reserved Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data If your source data has already been cleansed, how would 3) Existing production data may not contain all possible values youpermutations of data so full positive testing will also test for exceptions (negative testing)? or require some level of fabricated data Based on functional-requirements, negative tests should 4)be created for everything outside a standardized test set Full regression testing will require expected ranges. including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 68 All rights reserved 34
  37. 37. Tuesday, September 04, 2012 Information Obfuscation Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive testing will also require some level of fabricated data 4) Full regression testing will require a standardized test set including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 69 All rights reserved Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive testing will also require some level of fabricated data 4) Full regression testing will require a standardized test set including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 70 All rights reserved 35
  38. 38. Tuesday, September 04, 2012 Information Obfuscation Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive and as regulations As systems become more complex testing will also require some level of fabricated datadata sets for situations increase, functional tests require 4) Full regression testing will require a standardized test set not yet present within the production data. including the items above and is likely to be a combination of fabricated and masked data MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 71 All rights reserved Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all possible values or permutations of data so full positive testing will also require some level of fabricated data 4) Full regression testing will require a standardized test set, including the items above, and is likely to be a combination of fabricated and masked data (de-identified records) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 72 All rights reserved 36
  39. 39. Tuesday, September 04, 2012 Information Obfuscation Data-Centric Development Projects that center around data analysis (i.e.: dashboards, BI, data-marts / warehouses, etc.) often claim that they must have “production data” to develop the solution. It is true that the business will need production data for user acceptance testing (UAT) but let’s consider a few other facts: 1) Negative testing will require fabricated data 2) New functionality will also likely require fabricated data 3) Existing production data may not contain all for source Leverage test-datasets already created possible values or permutations of data so full positive testing will also systems. require some level of fabricated data 4) Full regression testing will require a standardized test set, including the items above, and is likely to be a combination of fabricated and masked data (de-identified records) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 73 All rights reserved Governance Data stewardship is a key success factor for good data governance and in this case for good information obfuscation. No one person will be aware of every government regulation, trade association guideline, business functional requirement, or company policy. Include representatives from data stewardship, security, internal audit, and quality assurance teams in your solution planning and project development teams. MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 74 All rights reserved 37
  40. 40. Tuesday, September 04, 2012 Information Obfuscation Information Obfuscation Summary 1. Obfuscation occurs throughout the information lifecycle not just in non-production environments 2. Everyone is responsible for protecting the corporate data assets and the best data security tool is vigilance 3. Use a defined language to communicate who, what, where, when, and how obfuscation will occur 4. Make Information Obfuscation part of your organization’s business-as-usual (BAU) processes 5. Follow Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 75 All rights reserved Information Obfuscation Summary 1. Obfuscation occurs throughout the information lifecycle not just in non-production environments 2. Everyone is responsible for protecting the corporate data assets and the best data security tool is vigilance 3. Use a defined language to communicate who, what, where, when, and how obfuscation will occur 4. Make Information Obfuscation part of your organization’s business-as-usual (BAU) processes 5. Follow Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 76 All rights reserved 38
  41. 41. Tuesday, September 04, 2012 Information Obfuscation Information Obfuscation Summary 1. Obfuscation occurs throughout the information lifecycle not just in non-production environments 2. Everyone is responsible for protecting the corporate data assets and the best data security tool is vigilance 3. Use a defined language to communicate who, what, where, when, and how obfuscation will occur 4. Make Information Obfuscation part of your organization’s business-as-usual (BAU) processes 5. Follow Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 77 All rights reserved Information Obfuscation Summary 1. Obfuscation occurs throughout the information lifecycle not just in non-production environments 2. Everyone is responsible for protecting the corporate data assets and the best data security tool is vigilance 3. Use a defined language to communicate who, what, where, when, and how obfuscation will occur 4. Make Information Obfuscation part of your organization’s business-as-usual (BAU) processes 5. Follow Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 78 All rights reserved 39
  42. 42. Tuesday, September 04, 2012 Information Obfuscation Information Obfuscation Summary 1. Obfuscation occurs throughout the information lifecycle not just in non-production environments 2. Everyone is responsible for protecting the corporate data assets and the best data security tool is vigilance 3. Use a defined language to communicate who, what, where, when, and how obfuscation will occur 4. Make Information Obfuscation part of your organization’s business-as-usual (BAU) processes 5. Follow Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 79 All rights reserved Information Obfuscation Summary 1. Obfuscation occurs throughout the information lifecycle not just in non-production environments 2. Everyone is responsible for protecting the corporate data assets and the best data security tool is vigilance 3. Use a defined language to communicate who, what, where, when, and how obfuscation will occur 4. Make Information Obfuscation part of your organization’s business-as-usual (BAU) processes 5. Follow Michael Jay’s Data Masking Golden Rule “Do unto your company’s corporate data-assets as you would have your banker, healthcare provider, or retailer do unto your personal information.” MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 80 All rights reserved 40
  43. 43. Tuesday, September 04, 2012 Information Obfuscation Questions? MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 81 All rights reserved Thank You! MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 82 All rights reserved 41
  44. 44. Tuesday, September 04, 2012 Information Obfuscation Appendix Reference Material MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer Slide# 83 All rights reserved Legal & Regulatory Alphabet Soup (Sampling) GLBA – The Gramm–Leach–Bliley Act allowed consolidation of commercial & investment banks, securities, & insurance co. PPI – Nonpublic Personal Information - Financial consumer’s personally identifiable information (see GLBA) OCC – Office of the Controller of Currency regulates banks. PCI – Payment Card Industry; defines Data Security Standard (PCI DSS) processing, storage, or transmitting credit card info. PHI – Patient Health Information - Dept of Health & Human Services (“HHS”) Privacy Rule (see HIPAA). PII – Personally Identifiable Information; used to uniquely identify an individual. (Legal definitions vary by jurisdiction.) MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 84 All rights reserved 42
  45. 45. Tuesday, September 04, 2012 Information Obfuscation Sample Cross Reference Chart Data Point Customer - The Fact That an Individual is a Customer ** First, or Last Name *; Mother's Maiden Name Country, State, Or City Of Residence * Telephone# (Home, Cell, Fax) Birthday, Birthplace, Age, Gender, or Race * ++ Social Security#, Account#, Driver's License#, National ID Passport#, Issuing Country Credit Card Numbers, Expiration Date, Credit Card Security Code Credit Card Purchase Grades, Salary, or Job Position * Vehicle Identifiers, Serial Numbers, License Plate Numbers Email - Electronic Mail Addresses; IP Address, Web URLs Biometric Identifiers, Face, Fingerprints, or Handwriting Dates - All Elements of Dates (Except Year +) Medical Record#, Genetic Information, Health Plan Beneficiary# PCI PII PPI PHI X X X X X X X X X X X X X X X X * More likely used in combination with other personal data ** GLBA regulation to fall into the “Restricted” classification + All elements of dates (including year) if age 90 or older ++ Varies by Jurisdiction MJFreer@QualityBI.com (954) 249-1530 Michael Jay Freer (MJFreer@Comcast.net) (954) 2491530 Michael Jay Freer Slide# 85 All rights reserved 43

×