Data Protection and Compliance Automation - Presentation Transcript
Data Protection & Compliance Automation Paul C Dwyer for AIM Ireland – 28th Jan 2009
TeamInfoSec Background
TeamInfoSec was founded in 2003 by Paul C Dwyer, CISSP, CISM and ISO 27001 Lead Auditor. The firm provides professional information security consultancy. Paul is an internationally recognised InfoSec expert with over 18 years' experience.
Credentials include:
CISSP
CISM
ISO 27001 Lead Auditor
BSI BS25999 Consultant
IEEE Member of the Computer Society
Member of the Business Continuity Institute
Member of the Computer Security Institute
3Com Certified Partner
ENCASE Trained Forensic Specialist
Member of the High Tech Crime Network
Microsoft Certified Engineer
Novell Certified Engineer
Certified Ethical Hacker
National Crime Faculty preferred supplier
Qualys Certified Specialist
Association of Information Managers
BSI Associate Consultants
TeamInfoSec Clients
Contents
TeamInfoSec Background & Clients
DPA Overview
DPA Requirement
Determining Measures
DPC Guidance
The Challenge – Technical & Management
Compliance Automation
A Word of Advice
In an Ideal World
Case Study – TeamInfoSec Approach to Compliance Automation
Q&A
The Data Protection Act
Cannot be taken in isolation
FOI
PCI
SOX
HIPAA
ISO 27001
Business requirements
Technical constraints
Security requirements
Overlapping, contradictory and subjective
Compliant does not equal secure
DPA - Security obligations background
No specifics
Section 2(1)(d) of the 1988 Act places an obligation on you to have “appropriate measures” in place to prevent
“unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.”
SI 626 of 2001, and later the Data Protection (Amendment) Act, 2003, introduced a new section 2C into the 1988 Act. This section helps interpret the nature of security measures required to demonstrate compliance with 2(1)(d).
Determining the appropriate measures
When you try to determine measures, a number of factors need to be taken into account:
Complexity of the technology involved
Cost of implementing
The risk of not implementing
The nature, volume and sensitivity of the data
In 2003 a further obligation of “security awareness” was introduced; this applies mainly to the organisation’s internal policies and controls.
DPC Guidance
The Data Protection Commissioner’s website brings specific attention to a number of controls that can be implemented in order to comply with the Act, including:
Access Control
Encryption
Anti-Virus Software
Firewalls
Automatic Screen Savers
Logs and Audit trails
The Human Factor
Remote Access
Wireless Networks
Laptops
Back-up Systems
Physical Security
The Challenge
Determine what level of controls
“Technical” or “management” controls
DPA is vague and subjective
How do you measure compliance?
How do you verify your controls are working?
Management Controls – Attest & Evidence
Technical
Example: Anti-Virus & PCI
5.1 Deployed?
5.1.1 (Mal)*ware?
5.2 Current and Running?
Satisfying auditors, managing the appropriate security controls vs. risk.
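The three PCI anti-virus questions on the slide are the kind of technical control that can be attested mechanically. The following is an added example, not from the presentation: it evaluates a constructed endpoint inventory against 5.1 (deployed), 5.1.1 (covers the malware types) and 5.2 (current and running) and returns the evidence an auditor would ask for. The inventory field names, the list of malware types that “(Mal)*ware” is taken to stand for, and the seven-day signature-age limit are assumptions; a real check would read these from the anti-virus console or an asset database.

```python
"""Evaluate an endpoint inventory against the PCI anti-virus questions
5.1 (deployed), 5.1.1 (malware types covered) and 5.2 (current and running).

Added example, not from the presentation. Records and field names are
constructed assumptions standing in for an AV console export.
"""
from datetime import date, timedelta

# Constructed inventory: one record per host (not real data).
INVENTORY = [
    {"host": "web01", "av_installed": True, "engine_running": True,
     "signature_date": date(2009, 1, 27),
     "covers": {"virus", "worm", "trojan", "spyware", "adware"}},
    {"host": "mail01", "av_installed": True, "engine_running": False,
     "signature_date": date(2009, 1, 27),
     "covers": {"virus", "worm", "trojan", "spyware", "adware"}},
    {"host": "txn01", "av_installed": True, "engine_running": True,
     "signature_date": date(2009, 1, 2),
     "covers": {"virus", "worm", "trojan"}},
    {"host": "kiosk03", "av_installed": False, "engine_running": False,
     "signature_date": None, "covers": set()},
]

# Assumption: what "(Mal)*ware" expands to for this check.
REQUIRED_TYPES = {"virus", "worm", "trojan", "spyware", "adware"}
# Assumption: a local policy choice for "current", not a figure from PCI.
MAX_SIGNATURE_AGE = timedelta(days=7)
# Constructed reference date for the sample run.
TODAY = date(2009, 1, 28)


def assess(record, today):
    """Return {requirement: (passed, evidence)} for one host."""
    result = {}
    deployed = record["av_installed"]
    result["5.1"] = (deployed, "installed" if deployed else "no anti-virus installed")
    if not deployed:
        # Nothing deployed means the other two questions cannot be satisfied either.
        result["5.1.1"] = (False, "n/a: nothing deployed")
        result["5.2"] = (False, "n/a: nothing deployed")
        return result

    missing = REQUIRED_TYPES - record["covers"]
    result["5.1.1"] = (not missing,
                       "covers all required types" if not missing
                       else f"does not cover {sorted(missing)}")

    sig = record["signature_date"]
    current = sig is not None and today - sig <= MAX_SIGNATURE_AGE
    running = record["engine_running"]
    reasons = []
    if not current:
        reasons.append(f"signatures dated {sig}")
    if not running:
        reasons.append("engine not running")
    result["5.2"] = (current and running,
                     "current and running" if not reasons else "; ".join(reasons))
    return result


def non_compliant(inventory, today):
    """Hosts failing any requirement, keyed by host, with the reason per requirement."""
    out = {}
    for rec in inventory:
        failures = {req: why for req, (ok, why) in assess(rec, today).items() if not ok}
        if failures:
            out[rec["host"]] = failures
    return out


if __name__ == "__main__":
    for host, failures in non_compliant(INVENTORY, TODAY).items():
        for req, why in failures.items():
            print(f"{host}: requirement {req} FAIL: {why}")
```

The point of returning the evidence string alongside the verdict is that “attest and evidence” is what the auditor wants; a bare pass/fail does not show why a host was judged non-compliant or let the finding be re-checked later.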
That was easy... What about logs?
Logs and Audit Trails – More Complex
Thousands of transactions per second
Multiple protocols, applications & vendors
Data being read, written, spooled to printers, copied and manipulated for genuine business reasons.
All network devices create logs, GBs of them
If you don’t know what is happening in your environment, how can you react to an incident or handle a case forensically if required?
What about DPA & Logs?
The Commissioner’s website says:
“It is of course pointless having an access control system and security policy if the system cannot identify any potential abuses. Consequently, a system should be able to identify the user name that accessed a file, as well as the time of the access. A log of alterations made, along with author/editor, should also be created. Not only can this help in the effective administration of the security system, its existence should also act as a deterrent to those staff tempted to abuse the system.” www.dataprotection.ie
Therefore a log management system is required.
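The Commissioner’s guidance quoted above sets a concrete minimum for what a log management system must be able to answer: who accessed a file, when, and who altered it. The following is an added example, not from the presentation, showing the core of that answer over a constructed application audit log. The log format (timestamp, user, action, path) and the business-hours window are assumptions; real systems each need their own parser feeding the same trail.

```python
"""Build a per-file access and alteration trail from application audit logs,
answering the questions in the Data Protection Commissioner's guidance:
who accessed a file, when, and who altered it.

Added example, not from the presentation. Log format and sample lines are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not real data), one event per line:
# ISO timestamp, user name, action, file path.
SAMPLE_LOG = """\
2009-01-28T09:02:11 jsmith READ /hr/payroll/jan2009.xls
2009-01-28T09:05:43 jsmith WRITE /hr/payroll/jan2009.xls
2009-01-28T12:17:09 mmurphy READ /hr/payroll/jan2009.xls
2009-01-28T23:41:02 mmurphy COPY /hr/payroll/jan2009.xls
2009-01-28T23:42:55 mmurphy PRINT /hr/payroll/jan2009.xls
2009-01-29T08:15:30 jsmith READ /hr/contracts/summary.doc
bad line that should be rejected
"""

# Actions that change the data, so they belong in the "log of alterations".
ALTERING_ACTIONS = {"WRITE", "DELETE"}


def parse_line(line):
    """Return (timestamp, user, action, path), or None for a malformed line."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2].upper(), parts[3]


def build_trail(log_text):
    """Group events by file: every access (who, when, what) and every alteration.

    Returns (trail, rejected_count); rejected lines are counted rather than
    silently dropped, because a gap in the trail is itself a finding.
    """
    trail = defaultdict(lambda: {"accesses": [], "alterations": []})
    rejected = 0
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            rejected += 1
            continue
        ts, user, action, path = event
        trail[path]["accesses"].append((ts, user, action))
        if action in ALTERING_ACTIONS:
            trail[path]["alterations"].append((ts, user, action))
    return dict(trail), rejected


def who_altered(trail, path):
    """The 'log of alterations, along with author/editor' for one file."""
    entry = trail.get(path, {"alterations": []})
    return [(ts.isoformat(), user) for ts, user, _ in entry["alterations"]]


def out_of_hours(trail, start=time(8, 0), end=time(18, 0)):
    """Accesses outside the assumed business-hours window, sorted by path and time.

    A cheap signal that turns a passive audit trail into something that can
    'identify potential abuses' rather than only record them.
    """
    flagged = []
    for path, entry in trail.items():
        for ts, user, action in entry["accesses"]:
            if not (start <= ts.time() <= end):
                flagged.append((path, ts, user, action))
    return sorted(flagged)


if __name__ == "__main__":
    trail, rejected = build_trail(SAMPLE_LOG)
    total = sum(len(e["accesses"]) for e in trail.values())
    print(f"parsed {total} events, rejected {rejected} malformed line(s)")
    print("alterations to /hr/payroll/jan2009.xls:",
          who_altered(trail, "/hr/payroll/jan2009.xls"))
    for path, ts, user, action in out_of_hours(trail):
        print(f"OUT OF HOURS {ts.isoformat()} {user} {action} {path}")
```

Two design points carry over to a real deployment: malformed lines are counted, not discarded, because missing evidence is itself something the auditor will ask about; and the trail is keyed by file rather than by user, since the guidance frames the question from the data’s side (who touched this file) rather than the user’s.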
The Business Challenge
The business environment has never been more complex, and it’s moving too fast to understand the impact of changes.
How can you possibly understand if your security controls are protecting your private data and intellectual property?
Moreover, security and compliance cannot be treated independently. Organisations need a solution that provides not only evidence of compliance, but the continual monitoring of the environment that is required in order to also protect private data and intellectual property.
Management Challenges
Compliance is a process, not just an audit. Organisations must consistently protect a broad range of enterprise data, rather than rely on periodic testing efforts that are limited to one type of data (e.g. logs, configuration, vulnerabilities).
Many of the rules continue to be a moving target, causing organisations to struggle with a myriad of regulations, best practices, frameworks and other compliance drivers, often with overlapping requirements, leading to redundant and ambiguous controls that may not provide appropriate levels of either security or compliance.
Without the proper infrastructure, it is difficult to prove compliance.
What about compliance automation?
Compliance automation is the phrase given to tools that help “automate” the process of achieving compliance to a particular requirement.
The problem is that most tools only do a particular part of a particular regulatory requirement.
For example, you might find a tool that simply tells you whether a server is live, or one that simply collects logs from specific devices.
A word of advice
The main problem with compliance automation solutions in the past has been that they are point solutions.
They perform specific tasks for specific reasons. So now you have 5 or 6 new systems to learn, support, operate and, of course, purchase.
The clever thing for an organisation to do is stand back and take a holistic view of its requirements.
Knee-jerk projects for compliance add very little value to an organisation and tend to undermine the very thing they set out to do: protect the organisation.
The answer is to develop an overall information security management system / strategy supported by a holistic toolset.
In an Ideal World
A “single point of access” that would encompass all areas/data silos, handle all compliance requirements of the Data Protection Act, enhance your security posture and correlate between silos of data.
A solution that would provide the relevant data for the relevant audience: network data for network people, security data for security people, and compliance and regulatory information and verification for the relevant auditors.
Case Study – The TeamInfoSec Approach to Compliance Management - ESMS
Point Management Products (each managed separately): Configuration Management, Performance Management, Vulnerability Scanners, Asset Management, Log Management, SIM / SEM Solutions, NBAD
Centralised Enterprise Console: Integrated Security, Risk and Audit Management Platform – ESMS, a single platform to manage ALL DATA
ESMS – Overview (architecture diagram)
Collection interfaces: Telnet/SSH, API, SNMP (MIB, Trap), Syslog, NetFlow / Flow, Scanners
Analytics modules with end-to-end correlation: Log Management (traditional SIM), Vulnerability Analytics, Configuration Analytics, Asset Analytics, NBAD, Performance Analytics, Compliance Automation
Outputs: Data Archival, Monitoring, Forensics, Reporting, Visualization
Security Breach Scenario
Security threats and targeted attacks are growing rapidly. Financial fraud and identity theft are on the rise. To meet evolving challenges you need to correlate log data with vulnerability, configuration, asset, performance and NBAD analytics.
Scenario diagram: DMZ (Mail Server, Web Server, UTM), Branch Office (Wireless, Transaction Server, Firewall, IPS, Corporate Users), HQ (Domain Controller, Corporate Users, Router, AV/Spam/Spyware, Switch)
Event sequence generated by the attack, as seen across the devices: Network Attack / Port-Scan Event, Failed Log Ins (repeated), Log In Success, Config Changes: Root / Admin Access, Install Rogue Application, Data Theft
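Each stage of the scenario above is visible to a different device (firewall, domain controller, configuration management, flow records), and no single one of them sees an incident. The following is an added example, not from the presentation and not ESMS code, showing the correlation step: events from several constructed sources are grouped by host and raised as one incident only when the stages appear in order, the failed-log-in count crosses a threshold, and everything falls inside a time window. The event format, stage names, threshold and window are all assumptions.

```python
"""Correlate events from several sources into a single incident when the
stages of the breach scenario appear in order on one host within a window.

Added example, not from the presentation or ESMS. Event format, stage names,
threshold and window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed events (not real data): (timestamp, source, host, user, event_type).
EVENTS = [
    ("2009-01-28T02:00:05", "firewall", "txn01", None, "port_scan"),
    ("2009-01-28T02:01:10", "domain_controller", "txn01", "admin", "login_failed"),
    ("2009-01-28T02:01:12", "domain_controller", "txn01", "admin", "login_failed"),
    ("2009-01-28T02:01:15", "domain_controller", "txn01", "admin", "login_failed"),
    ("2009-01-28T02:01:40", "domain_controller", "txn01", "admin", "login_success"),
    ("2009-01-28T02:05:02", "config_mgmt", "txn01", "admin", "config_change_root"),
    ("2009-01-28T02:09:30", "netflow", "txn01", None, "large_outbound_transfer"),
    # Ordinary daytime noise on another host: one typo, then a normal log-in.
    ("2009-01-28T10:15:00", "domain_controller", "web01", "jsmith", "login_failed"),
    ("2009-01-28T10:15:20", "domain_controller", "web01", "jsmith", "login_success"),
]

# Stages in the order the scenario expects them; a later stage must not
# precede an earlier one for the chain to count.
CHAIN = ["port_scan", "login_failed", "login_success",
         "config_change_root", "large_outbound_transfer"]
FAILED_LOGIN_THRESHOLD = 3      # assumption: below this, failures look like typos
WINDOW = timedelta(minutes=30)  # assumption: first to last stage


def parse(events):
    """Parse timestamps and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), src, host, user, et)
                  for ts, src, host, user, et in events)


def correlate(events):
    """Return {host: incident} for hosts whose events complete CHAIN in order.

    An incident records the sources that contributed, the event count per
    stage and the span in minutes, which is what an analyst needs first.
    """
    by_host = {}
    for ts, src, host, user, et in parse(events):
        by_host.setdefault(host, []).append((ts, src, user, et))

    incidents = {}
    for host, evs in by_host.items():
        # First time, last time and source set for each stage seen on this host.
        stages = {}
        for ts, src, user, et in evs:
            if et in CHAIN:
                s = stages.setdefault(et, {"first": ts, "last": ts, "count": 0, "sources": set()})
                s["last"] = ts
                s["count"] += 1
                s["sources"].add(src)

        if any(stage not in stages for stage in CHAIN):
            continue  # chain incomplete on this host
        if stages["login_failed"]["count"] < FAILED_LOGIN_THRESHOLD:
            continue  # not a brute-force pattern
        ordered = all(stages[a]["first"] <= stages[b]["first"]
                      for a, b in zip(CHAIN, CHAIN[1:]))
        span = stages[CHAIN[-1]]["last"] - stages[CHAIN[0]]["first"]
        if not ordered or span > WINDOW:
            continue

        incidents[host] = {
            "sources": sorted(set().union(*(s["sources"] for s in stages.values()))),
            "counts": {stage: stages[stage]["count"] for stage in CHAIN},
            "span_minutes": span.total_seconds() / 60,
        }
    return incidents


if __name__ == "__main__":
    for host, inc in correlate(EVENTS).items():
        print(f"INCIDENT on {host}: {inc['counts']} from {inc['sources']} "
              f"over {inc['span_minutes']:.1f} min")
```

The ordering and window checks are what keep this from firing on the daytime host: a single mistyped password followed by a normal log-in never completes the chain, so it is logged in the trail but not raised. That is the difference between collecting logs from each device and having a system that “can identify any potential abuses”.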