
Enterprises react more often to threats than to vulnerabilities since threats are more visible and frightening. So it seems to go with data protection -- our enterprises seem intent on getting the latest gizmos to protect against the most visible threats. We should, instead, be thinking about the overall structure of vulnerabilities and what structure of protections it implies. This presentation shows an enterprise-architectural view of vulnerabilities that can endanger our data and suggests a rational program of protections that can minimize them. It’s not flashy, but it is effective.

David C. Frier, CISSP, Security Practice Leader, CIBER New York

David Frier is the Security Practice Lead for CIBER, Inc., the global IT consultancy with the local presence. Now in the 32nd year of his IT career, he has performed consulting work in the areas of Enterprise Architecture, Disaster Recovery, SOX Audit (as the auditOR), SAS 70 and ISO 17799 Audit (as the auditEE), mission-critical operations, enterprise encryption solutions, and Data Leakage Prevention (DLP). David holds the CISSP and CRISC certifications.

Transcript

  • 1. It’s All About the Data!
    David C. Frier, CISSP
    Security Practice Lead
    CIBER, Upstate NY
    Oct. 21, 2010
  • 2. CIBER Profile
    CIBER is a $1Billion Global IT Services Company that Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government
    • Consistent growth and profitability since 1974
    • More than 8,500 employees
    • NYSE (CBR) - Headquartered in Denver
    • 85 Offices in 18 countries
    • US and Offshore Development Centers
    • Global IT Operations Centers – US & Europe
    • Global practices supported by local resources
    • Fortune 500 and mid-market leaders/challengers
    • Focus on quality: ISO 9001, CPMM, SAS 70
  • 3. Frier Profile
    Frier is a less-than-$1Billion IT Professional who Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government
    • Consistent growth since 1957
    • (first up then out)
    • (DCF) - Headquartered in Rochester
    • IT Operations first established in 1979
    • IT Security, Operations, Architecture
    • Project Management and Consulting
    • Training and IT Evangelism
    • CISSP, CRISC (pending)
  • 4. Outline
    What is in scope of Data Protection?
    What Threats exist?
    Who Cares?
    What is included in Data Protection?
    Is Data Protection Effective?
    One approach for Data Classification
  • 5. Data Protection – what is in scope
    Regulated Data
    • HIPAA
    • PCI
    • GLBA
    • PII/SPI
    • Under Safe Harbor
    • Subject to Breach Disclosure laws
    Strategic Data
    • IP
    • Sales & Marketing Data
    • Financial (SOX)
    • M&A, Recruiting, other non-public plans
  • 6. Threats to Data
    Lost or Stolen Devices
    • Laptops and removable storage most common
    Disposal
    • Incorrect disposal of disk and tape media
    Criminal Attacks
    • Hacking more than physical theft
    Network Exposure
    • Misconfigured web presence
    • Email attachments
    Malicious Insiders
  • 7. Who cares about Data Protection Programs?
    Source: Business Case for Data Protection, Ponemon Institute, July 2009
  • 8. Enterprise Data Protection – what is included
    • Data Loss Prevention- Network
    • Data Loss Prevention- Endpoint
    • Data Loss Prevention- Storage
    • Content Discovery (Process)
    • Email Filtering
    • Database Activity Monitoring
    • Full Drive Encryption
    • USB/Portable Media Encryption or Device Control
    • Enterprise Digital Rights Management
    • Database Encryption
    • Application Encryption
    • Web Application Firewall
    • Backup Tape Encryption
    • Entitlement Management
    • Access Management
    • Data Masking
    • Network Segregation
    • Server/Endpoint Hardening
  • 9. Are Corporate Data Protection Programs Effective?
    Perceived Effectiveness ¹
    • CEOs: 58%
    • Other C-Levels: 48%
    Which Controls are Most Effective? ²
    • Data Loss Prevention- Network
    • Data Loss Prevention- Endpoint
    • Data Loss Prevention- Storage
    • Content Discovery (Process)
    • Email Filtering
    1 – Source: Business Case for Data Protection, Ponemon Institute, July 2009
    2 – Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
  • 10. Why Are Corporate Data Protection Programs Effective?
    Which Controls are Least Effective?
    • Email Filtering
    • USB/Portable Media Encryption or Device Control
    • Database Activity Monitoring
    • Backup Tape Encryption
    • Content Discovery (Process)
    Notice anything odd?
    Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
  • 11. Do you know what you are charged to protect?
  • 12. Who recognizes this?
    Kings play chess on finely grained sand
  • 13. Did you take zoology in school?
    Kings play chess on finely grained sand
    • Kingdom
    • Phylum
    • Class
    • Order
    • Family
    • Genus
    • Species
  • 14. Data Classification
    Use a Taxonomy
    From Kingdoms, the highest level, down to individual reports and documents
    Seven layers may seem like a lot
    …but it’s easy to find pockets where you need more
  • 15. Data Classification -- Kingdoms
    Start with “Public” and “Non-Public”
    You might add a third for customer-privileged information
    Most Data protection effort will focus on Non-Public
    The point of the taxonomy is to successively sharpen the focus of the enterprise data protection efforts
  • 16. Data Classification -- Phyla
    This is a good layer for your data owner organizations
    Yes: All data must have an owner.
    Owners make the decisions about what level of protection is needed
    Typically, data owners are the groups that own the processes that create/update/delete the data
    From here down you will see categories repeated
    This is the way to express the matrix nature of some of these designations across the top-down hierarchy
  • 17. Data Classification -- Classes
    At the Class level you can apply the levels-of-sensitivity classifications
    • Confidential
    • Sensitive
    • “Company only”
    These are suggestions only… the important thing is to be consistent across all the data with what you do at a given level
  • 18. Data Classification -- Orders
    With Order, start to divide up the data into groups of related business processes
    Example: within the HR phylum,
    • Payroll
    • Benefits
    • Performance Mgt.
    • Recruiting
    Each of these may be in different classes for sensitivity
    Class designations will often repeat across phyla but that’s OK
  • 19. Data Classification -- Families
    For Family, get to the application or system level
    For example, within the Benefits order
    • One app manages Health Care
    • Another manages PTO
    • Another for Tuition Reimbursement
    • etc.
    It is also likely that this isolates specific business processes
    “Applications” in this context may be modules within larger enterprise systems
  • 20. Data Classification – Genus & Species
    Genus is a particular data type
    • Reports
    • Databases
    • Feed files
    Species is instances of those types
    • “The weekly payroll register”
    • “The monthly healthcare claims report”
  • 21. Let’s look at that payroll report
    Kingdom – Non-public
    Phylum – HR
    Class – Confidential
    Order – Payroll
    Family – ADP interface
    Genus – Reports
    Species – Payroll report
  • 22. Data Classification – Put it to use
    Classification and handling decisions may be made wherever appropriate
    For example, a single massive database may power an enterprise HRIS that is classified at the Order level
    And it may not be safe to have that database try to support multiple levels of security, so you decide to take the “worst case” approach.
    You may not need all the levels
    But if you give yourself the room you will get this done to enough detail to make informed decisions
  • 23. Data Classification – Put it to use
    Determine Regulatory Scope
    Prioritize Coverage
    Phase-in Programs
    Get below-C Mgt. Buy-In
    Communicate why you are acting to protect this and not that (yet)
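The taxonomy from the Kingdom through Species slides, the “worst case” rule for a shared HRIS database, and the regulatory-scope and prioritization steps above, worked as an added example (not code from the presentation or from CIBER). The regulation tags, the sample assets other than the payroll report, and the sensitivity ordering of the three Class labels are assumptions made for this example.

```python
from dataclasses import dataclass

# The seven taxonomy levels from the slides, broadest to narrowest.
LEVELS = ("kingdom", "phylum", "class", "order", "family", "genus", "species")

# Class-level sensitivity labels suggested on the slides; the ordering
# (least to most sensitive) is an assumption made for this example.
SENSITIVITY = ("Company only", "Sensitive", "Confidential")


@dataclass(frozen=True)
class DataAsset:
    path: tuple                             # one value per entry in LEVELS
    regulations: frozenset = frozenset()    # constructed tags, e.g. {"HIPAA"}

    def __post_init__(self):
        # Enforce the slides' "be consistent at a given level" rule for Class.
        if len(self.path) != len(LEVELS):
            raise ValueError(f"expected {len(LEVELS)} levels, got {len(self.path)}")
        if self.level("class") not in SENSITIVITY:
            raise ValueError(f"unknown class {self.level('class')!r}")

    def level(self, name):
        return self.path[LEVELS.index(name)]


def worst_case_class(assets):
    """A shared system takes the most sensitive class of anything it hosts."""
    return max((a.level("class") for a in assets), key=SENSITIVITY.index)


def regulatory_scope(assets):
    """Every regulation that touches any hosted asset applies to the system."""
    return frozenset().union(*(a.regulations for a in assets))


def prioritize(assets):
    """Order protection work: most sensitive and most regulated first."""
    return sorted(assets, key=lambda a: (-SENSITIVITY.index(a.level("class")),
                                         -len(a.regulations), a.level("species")))


# Constructed sample assets; the payroll report path is the slides' own example.
PAYROLL = DataAsset(("Non-public", "HR", "Confidential", "Payroll",
                     "ADP interface", "Reports", "Payroll report"), frozenset({"SOX"}))
CLAIMS = DataAsset(("Non-public", "HR", "Confidential", "Benefits",
                    "Health Care app", "Reports", "Monthly healthcare claims report"),
                   frozenset({"HIPAA"}))
PTO = DataAsset(("Non-public", "HR", "Company only", "Benefits",
                 "PTO app", "Databases", "PTO balances"))
HRIS = (PAYROLL, CLAIMS, PTO)   # one database behind all three HR applications
```

Calling `worst_case_class(HRIS)` gives `Confidential` and `regulatory_scope(HRIS)` gives both HIPAA and SOX, so the single database inherits the strictest handling even though the PTO data alone would not need it.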
  • 24. Remember!
    It’s all about the data!
  • 25. More Resources
    Ponemon Reports
    http://www.ponemon.org/data-security
    Securosis Survey
    http://www.imperva.com/resources/analyst.html
    CIBER
    http://www.ciber.com/
    Frier
    dfrier@ciber.com