It’s All About the Data!
David C. Frier, CISSP
Security Practice Lead
CIBER, Upstate NY
Oct. 21, 2010
1/29/2015 | 2 | ©2010 CIBER, Inc.
CIBER Profile
• CIBER is a $1Billion Global IT Services Company that
Builds, Integrates ...
1/29/2015 | 3 | ©2010 CIBER, Inc.
Frier Profile
• Frier is a less-than-$1Billion IT Professional who
Builds, Integrates an...
1/29/2015 | 4 | ©2010 CIBER, Inc.
Outline
• What is in scope of Data Protection?
• What Threats exist?
• Who Cares?
• What...
1/29/2015 | 5 | ©2010 CIBER, Inc.
– Regulated Data
• HIPAA
• PCI
• GLBA
– PII/SPI
• Under Safe Harbor
• Subject to Breach ...
1/29/2015 | 6 | ©2010 CIBER, Inc.
• Lost or Stolen Devices
– Laptops and removable storage most common
• Disposal
– Incorr...
1/29/2015 | 7 | ©2010 CIBER, Inc.
Who cares about Data Protection Programs?
Source: Business Case for Data Protection, Pon...
1/29/2015 | 8 | ©2010 CIBER, Inc.
• Data Loss Prevention-
Network
• Data Loss Prevention-
Endpoint
• Data Loss Prevention-...
1/29/2015 | 9 | ©2010 CIBER, Inc.
• Perceived Effectiveness ¹
– CEOs: 58%
– Other C-Levels: 48%
• Which Controls are Most ...
1/29/2015 | 10 | ©2010 CIBER, Inc.
• Which Controls are Least Effective?
Email Filtering
USB/Portable Media Encryption or ...
1/29/2015 | 11 | ©2010 CIBER, Inc.
Do you know what
you are charged to protect?
1/29/2015 | 12 | ©2010 CIBER, Inc.
Who recognizes this?
Kings play chess on finely grained sand
1/29/2015 | 13 | ©2010 CIBER, Inc.
Did you take zoology in school?
Kings play chess on finely grained sand
• Kingdom
• Phy...
1/29/2015 | 14 | ©2010 CIBER, Inc.
• Use a Taxonomy
• From Kingdoms, the highest level, down to individual
reports and doc...
1/29/2015 | 15 | ©2010 CIBER, Inc.
• Start with “Public” and “Non-Public”
• You might add a third for customer-privileged
...
1/29/2015 | 16 | ©2010 CIBER, Inc.
• This is a good layer for your data owner organizations
– Yes: All data must have an o...
1/29/2015 | 17 | ©2010 CIBER, Inc.
Data Classification -- Classes
• At the Class level you can apply the levels-of-
sensit...
1/29/2015 | 18 | ©2010 CIBER, Inc.
• With Order, start to divide up the data into groups of
related business processes
– E...
1/29/2015 | 19 | ©2010 CIBER, Inc.
• For Family, get to the application or system level
– For example, within the Benefits...
1/29/2015 | 20 | ©2010 CIBER, Inc.
• Genus is a particular data type
– Reports
– Databases
– Feed files
• Species is insta...
1/29/2015 | 21 | ©2010 CIBER, Inc.
Let’s look at that payroll report
• Kingdom – Non-public
• Phylum – HR
• Class – Confid...
1/29/2015 | 22 | ©2010 CIBER, Inc.
• Classification and handling decisions may be made
wherever appropriate
– For example,...
1/29/2015 | 23 | ©2010 CIBER, Inc.
• Determine Regulatory Scope
• Prioritize Coverage
• Phase-in Programs
• Get below-C Mg...
1/29/2015 | 24 | ©2010 CIBER, Inc.
Remember!
It’s all about the data!
1/29/2015 | 25 | ©2010 CIBER, Inc.
• Ponemon Reports
– http://www.ponemon.org/data-security
• Securosis Survey
– http://ww...
It's All About the Data!
Upcoming SlideShare
Loading in...5
×

It's All About the Data!

482

Published on

Enterprises react more often to threats than to vulnerabilities since threats are more visible and frightening. So it seems to go with data protection -- our enterprises seem intent on getting the latest gizmos to protect against the most visible threats. We should, instead, be thinking about the overall structure of vulnerabilities and what structure of protections it implies. This presentation shows an enterprise-architectural view of vulnerabilities that can endanger our data and suggests a rational program of protections that can minimize them. It’s not flashy, but it is effective.

David C. Frier, CISSP, Security Practice Leader, CIBER New York

David Frier is the Security Practice Lead for CIBER, Inc. the global IT consultancy with the local presence. Now in the 32nd year of his IT career, he has performed consulting work in the areas of Enterprise Architecture, Disaster Recovery, SOX Audit (as the auditOR), SAS 70 and ISO 17799 Audit (as the auditEE), mission critical operations, enterprise encryption solutions, and Data Leakage Prevention (DLP). David holds the CISSP and CRISC certifications.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
482
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

It's All About the Data!

  1. 1. It’s All About the Data! David C. Frier, CISSP Security Practice Lead CIBER, Upstate NY Oct. 21, 2010
  2. 2. 1/29/2015 | 2 | ©2010 CIBER, Inc. CIBER Profile • CIBER is a $1Billion Global IT Services Company that Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government  Consistent growth and profitability since 1974  More than 8,500 employees  NYSE (CBR) - Headquartered in Denver  85 Offices in 18 countries  US and Offshore Development Centers  Global IT Operations Centers – US & Europe  Global practices supported by local resources  Fortune 500 and mid-market leaders/challengers  Focus on quality: ISO 9001, CPMM, SAS 70
  3. 3. 1/29/2015 | 3 | ©2010 CIBER, Inc. Frier Profile • Frier is a less-than-$1Billion IT Professional who Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government  Consistent growth since 1957  (first up then out)  (DCF) - Headquartered in Rochester  IT Operations first established in 1979  IT Security, Operations, Architecture  Project Management and Consulting  Training and IT Evangelism  CISSP, CRISC (pending)
  4. 4. 1/29/2015 | 4 | ©2010 CIBER, Inc. Outline • What is in scope of Data Protection? • What Threats exist? • Who Cares? • What is included in Data Protection? • Is Data Protection Effective • One approach for Data Classification
  5. 5. 1/29/2015 | 5 | ©2010 CIBER, Inc. – Regulated Data • HIPAA • PCI • GLBA – PII/SPI • Under Safe Harbor • Subject to Breach Disclosure laws – Strategic Data • IP • Sales & Marketing Data • Financial (SOX) • M&A, Recruiting, other non-public plans Data Protection – what is in scope
  6. 6. 1/29/2015 | 6 | ©2010 CIBER, Inc. • Lost or Stolen Devices – Laptops and removable storage most common • Disposal – Incorrect disposal of disk and tape media • Criminal Attacks – Hacking more than physical theft • Network Exposure – Misconfigured web presence – Email attachments • Malicious Insiders Threats to Data
  7. 7. 1/29/2015 | 7 | ©2010 CIBER, Inc. Who cares about Data Protection Programs? Source: Business Case for Data Protection, Ponemon Institute, July 2009
  8. 8. 1/29/2015 | 8 | ©2010 CIBER, Inc. • Data Loss Prevention- Network • Data Loss Prevention- Endpoint • Data Loss Prevention- Storage • Content Discovery (Process) • Email Filtering • Database Activity Monitoring • Full Drive Encryption • USB/Portable Media Encryption or Device Control • Enterprise Digital Rights Management • Database Encryption • Application Encryption • Web Application Firewall • Backup Tape Encryption • Entitlement Management • Access Management • Data Masking • Network Segregation • Server/Endpoint Hardening Enterprise Data Protection – what is included
  9. 9. 1/29/2015 | 9 | ©2010 CIBER, Inc. • Perceived Effectiveness ¹ – CEOs: 58% – Other C-Levels: 48% • Which Controls are Most Effective² Data Loss Prevention- Network Data Loss Prevention- Endpoint Data Loss Prevention- Storage Content Discovery (Process) Email Filtering Are Corporate Data Protection Programs Effective? 2 – Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010 1 – Source: Business Case for Data Protection, Ponemon Institute, July 2009
  10. 10. 1/29/2015 | 10 | ©2010 CIBER, Inc. • Which Controls are Least Effective? Email Filtering USB/Portable Media Encryption or Device Control Database Activity Monitoring Backup Tape Encryption Content Discovery (Process) Notice anything odd? Why Are Corporate Data Protection Programs Effective? Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
  11. 11. 1/29/2015 | 11 | ©2010 CIBER, Inc. Do you know what you are charged to protect?
  12. 12. 1/29/2015 | 12 | ©2010 CIBER, Inc. Who recognizes this? Kings play chess on finely grained sand
  13. 13. 1/29/2015 | 13 | ©2010 CIBER, Inc. Did you take zoology in school? Kings play chess on finely grained sand • Kingdom • Phylum • Class • Order • Family • Genus • Species
  14. 14. 1/29/2015 | 14 | ©2010 CIBER, Inc. • Use a Taxonomy • From Kingdoms, the highest level, down to individual reports and documents • Seven layers may seem like a lot – …but it’s easy to find pockets where you need more Data Classification
  15. 15. 1/29/2015 | 15 | ©2010 CIBER, Inc. • Start with “Public” and “Non-Public” • You might add a third for customer-privileged information • Most Data protection effort will focus on Non-Public The point of the taxonomy is to successively sharpen the focus of the enterprise data protection efforts Data Classification -- Kingdoms
  16. 16. 1/29/2015 | 16 | ©2010 CIBER, Inc. • This is a good layer for your data owner organizations – Yes: All data must have an owner. – Owners make the decisions about what level of protection is needed – Typically, data owners are the groups that own the processes that create/update/delete the data • From here down you will see categories repeated – This is the way to express the matrix nature of some of these designations across the top-down hierarchy Data Classification -- Phyla
  17. 17. 1/29/2015 | 17 | ©2010 CIBER, Inc. Data Classification -- Classes • At the Class level you can apply the levels-of- sensitivity classifications – Confidential – Sensitive – “Company only” These are suggestions only… the important thing is to be consistent across all the data with what you do at a given level
  18. 18. 1/29/2015 | 18 | ©2010 CIBER, Inc. • With Order, start to divide up the data into groups of related business processes – Example: within the HR phylum, • Payroll • Benefits • Performance Mgt. • Recruiting – Each of these may be in different classes for sensitivity – Class designations will often repeat across phyla but that’s OK Data Classification -- Orders
  19. 19. 1/29/2015 | 19 | ©2010 CIBER, Inc. • For Family, get to the application or system level – For example, within the Benefits order • One app manages Health Care • Another manages PTO • Another for Tuition Reimbursement • etc. – It is also likely that this isolates specific business processes – “Applications” in this context may be modules within larger enterprise systems Data Classification -- Families
  20. 20. 1/29/2015 | 20 | ©2010 CIBER, Inc. • Genus is a particular data type – Reports – Databases – Feed files • Species is instances of those types – “The weekly payroll register” – “The monthly healthcare claims report” Data Classification – Genus & Species
  21. 21. 1/29/2015 | 21 | ©2010 CIBER, Inc. Let’s look at that payroll report • Kingdom – Non-public • Phylum – HR • Class – Confidential • Order – Payroll • Family – ADP interface • Genus – Reports • Species – Payroll report
  22. 22. 1/29/2015 | 22 | ©2010 CIBER, Inc. • Classification and handling decisions may be made wherever appropriate – For example, a single massive database may power an enterprise HRIS that is classified at the Order level – And that database might not be safe to have try to support multiple levels of security, so you decide to take the “worst case” approach. • You may not need all the levels – But if you give yourself the room you will get this done to enough detail to make informed decisions Data Classification – Put it to use
  23. 23. 1/29/2015 | 23 | ©2010 CIBER, Inc. • Determine Regulatory Scope • Prioritize Coverage • Phase-in Programs • Get below-C Mgt. Buy-In • Communicate why you are acting to protect this and not that (yet) Data Classification – Put it to use
  24. 24. 1/29/2015 | 24 | ©2010 CIBER, Inc. Remember! It’s all about the data!
  25. 25. 1/29/2015 | 25 | ©2010 CIBER, Inc. • Ponemon Reports – http://www.ponemon.org/data-security • Securosis Survey – http://www.imperva.com/resources/analyst.html • CIBER – http://www.ciber.com/ • Frier – dfrier@ciber.com More Resources
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×