Securing your esi_piedmont
  1. Securing Your ESI
     Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
     Principal, nControl, LLC; Adjunct Professor; President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
  2. • Presentation Overview
       – WI3FM….?
       – ESI Overview
       – Security Overview
       – Security Tips & Tricks
  3. • WI3FM
       – What is in it for me?
       – Why should I care?
  4. • Data Breaches & Security Incidents
       – Average Cost: $7.2 million
         » http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
       – Leading Cause: Negligence, 41%; Hacks, 31%
         » http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
       – Responsible Party: Vendors, 39%
         » http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
       – Increased Frequency: 2010–2011, 58%
         » http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/
  5.–7. Image slides (source: Flickr)
  8. • ESI Overview
       – Electronically Stored Information (ESI)
         • Defined for the Federal Rules of Civil Procedure (FRCP):
           – Information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.
             » http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
         • Structured ESI
           – Stored in database or content management systems.
             » Examples: Claims, Brokerage / e-Commerce Transactions
         • Unstructured ESI
           – Free-form information stored in a manner that is difficult to search within.
             » Examples: Tweets, Web Site Content, Word Document Content
  9. • Security Overview
       – CIA Triad
         • Confidentiality
           – Categorization / Classification
           – Privacy
           – Least Privilege
           – AAA: Authentication, Authorization and Accounting
         • Integrity
           – Nonrepudiation
           – Segregation / Separation of Duties
         • Availability
           – Business Continuity (BC) / Disaster Recovery (DR)
           – Defense-in-Depth
  10. Image slide (source: Flickr)
  11. • Vendor Selection
        – Service-Level Agreements (SLAs)
          • Temporal Service Contract
            – Term
            – Metrics
            – Definitions
            – Cause for X (e.g. Termination / Exit Clause)
        – Certifications / Attestations
          • SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402
          • ISO 27001 / 2, 27036, 15489
          • BITS Shared Assessments
          • PCI DSS
          • HIPAA / HITECH
  12. • Vendor Selection
        – Incident Response
          • Computer Security Incident Response Team (CSIRT)
            – Digital Forensics
          • Legal Hold / Litigation Response / e-Discovery
            – Electronic Discovery Reference Model (EDRM)
            – FRCP 30(b)(6)
        – Right to Audit
          • Use your internal vendor assessment team or a mutually agreed upon third party.
  13. • Mobile Device Security Guidance
        – Devices
          • Not all devices are the same.
          • Balancing Act (Draconian versus Cow-folk)
            – People lose stuff all the time.
          • Who owns the device?
            – Bring Your Own Device (BYOD) = consumerization of IT
          • Is device content discoverable?
          • Vicarious Liability
            – Driving & Texting / Talking
            – Mobile Device User Acceptance Policy
        – Applications / Data
          • Not all applications are the same.
          • Segment Work & Play
            – Sandboxing / Data-boxing
            – Mobile Facebook App Pulls / Pushes Data to Address Book
  14. • Physical Media Security Guidance
        – Laptops / Tablets
          • They should be password-protected / encrypted.
          • Wipe / degauss the hard disk drive (HDD) before shredding.
          • Receive a certificate / bill of lading for shredding.
        – Thumb Drives / External Hard Drives
          • They should be password-protected / encrypted.
          • Wipe / degauss before shredding.
          • Receive a certificate / bill of lading for shredding.
        – Backup Tapes
          • They should be in your records retention schedule (RRS).
          • Information Lifecycle
          • They should be password-protected / encrypted.
          • Wipe / degauss before shredding.
          • Receive a certificate / bill of lading for shredding.
  15. • Cloud Security Guidance
        – Change / Configuration Management, Provisioning
        – Matrices
          • CSA Consensus Assessments Initiative Questionnaire
          • CSA Cloud Controls Matrix
          • BITS Enterprise Cloud Self-Assessment
          • BITS Shared Assessments
        – Guidance Specifically for the Cloud
          • Cloud Security Alliance (CSA) Guide v3.0
          • CSA Security, Trust & Assurance Registry (STAR)
          • ENISA Cloud Computing Risk Assessment
          • NIST SP 800-144, Guidelines on Security / Privacy for a Public Cloud
  16. • Big Data Security Guidance
        – Information Management
          • Generally Accepted Recordkeeping Principles (GARP®)
          • Information Governance Reference Model (IGRM)
          • Information Lifecycle Management (ILM)
          • MIKE2.0
          • ISO 23081 (Records Metadata)
        – Known Black Ice
          • Log Files
          • Web Metadata
          • Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL)
          • Data Backups (Tapes, Cloud Object Storage)
          • Social Media
  17. • Social Media Security Guidance
        – Sites
          • Manage (Strategy, Policy, Access, Auditing, e-Discovery)
          • Strong Passwords
          • Change / Configuration Management
            – Provisioning / De-provisioning
          • Haters (Competitors, Former Employees / Customers)
          • Wash & Repeat
          • Mobile Apps for Approved Personnel?
        – Applications
          • Immature
          • Insecure
          • Discoverable?
  18. • Security Tips & Tricks
        – Governance, Risk & Compliance (GRC)
        – Encryption / Hashing
        – Authentication, Authorization & Accounting (AAA)
        – Change / Configuration Management
        – Incident Response / e-Discovery / DR Testing
        – Physical Access
        – End User Training
  19. • GRC
        – Documented controls and safeguards.
          • Potential audit findings and remediation actions.
        – Enterprise view of compliance.
          • Potential functional / system / application view as well.
        – Establish standards, best practices and guidance.
          • Make users, vendors and partners aware of these.
  20. • Encryption / Hashing
        – Data at Rest (DAR)
          • Object (File, Table, Record, Column), Volume or Block
        – Data in Motion (DIM)
          • ‘Across the Wire’, Data-com Link
        – Data in Use (DIU)
          • Object (File, Table, Record, Column), Volume or Block
  21. • Encryption / Hashing
        – Nuances
          • Encryption wraps a layer of protection around your information.
            – Public Key Infrastructure (PKI): VPN, TLS / SSL, S/MIME, WPA
          • Hashing re-arranges the bits per the program.
            – Database Hashing: HMAC SHA 1 / 2 / 3, MD5
        – Key Management
          • If you lose the encryption key then your data is lost.
            – Try telling Legal, a judge or an attorney that!
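The distinction slide 21 draws between reversible encryption and one-way hashing, together with its key-management warning, worked as an added Go example (not code from the deck or its author): a keyed hash for a database column value, and an AES-GCM-sealed record that a different key cannot open. The claim number and the keys are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ColumnHMAC keyed-hashes a column value so it can be matched later without storing
// it in clear: one-way, so the value is only ever recomputed and compared, not recovered.
func ColumnHMAC(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// SealRecord wraps a record in AES-256-GCM (reversible for the key holder); the random nonce is prepended.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. With a wrong or lost key the GCM tag check fails
// and nothing comes back: the slide's point that losing the key loses the data.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("sealed record too short") }
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	sealed, _ := SealRecord(key, []byte("claim CLM-0001 (constructed sample)"))
	_, err := OpenRecord(make([]byte, 32), sealed) // an all-zero key standing in for one nobody kept
	fmt.Println("opened with wrong key:", err == nil, "hmac:", ColumnHMAC(key, "CLM-0001")[:16])
}
```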
  22. • AAA
        – Authentication
          • Validating who the user is claiming to be.
        – Authorization
          • Allocating the lowest privilege for the user.
        – Accounting
          • Tracking the user’s actions.
  23. • Identity & Access Management (IAM)
        – Single Sign-on (SSO)
          • Allows User to Gain Access to Multiple Systems / Apps
            – Negates password fatigue.
          • Implementations
            – Externally
              » One-time Password (OTP) / Tokenization
              » Federated Identity / Tokenization
              » Smart Card / Two Factor Authentication (2FA)
              » Remote Access Dial-In User Service (RADIUS)
            – Internally
              » Kerberos
              » Lightweight Directory Access Protocol (LDAP)
  24. • IAM Technologies
        – Federated Identity
          • OpenID
          • OAuth
          • Security Assertion Markup Language (SAML)
          • Web Services Trust Language (WS-Trust)
          • Representational State Transfer (REST)
          • Active Directory Federation Services (ADFS)
            – Microsoft Federation Gateway (MFG)
  25. (no text on this slide)
  26. • Password Tips & Tricks
        – Use a password.
        – Create a strong password / PIN.
          • Alphanumeric with at least one uppercase letter, one lower-case letter, one number & one special character.
          • No dictionary words, SSNs, kids, pets, DOBs or address.
          • No usernames.
          • Use different passwords for different accounts.
        – Protect it.
          • Use a password book if necessary.
        – Change it.
          • Semi-annually
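The composition rules on slide 26, implemented as an added Go checker (not code from the deck or its author) that reports every rule a candidate breaks rather than just pass/fail; the word list and the sample user name are constructed, and the SSN / DOB / pet-name rules are left out because they need data the checker does not have.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// SampleDictionary is a constructed stand-in for a real word list (assumption).
var SampleDictionary = []string{"password", "welcome", "summer", "piedmont", "secure"}

// CheckPassword applies the slide's rules to a candidate and returns every rule it
// breaks; an empty result means the candidate passes. Rules: one upper-case letter,
// one lower-case letter, one digit and one special character; no dictionary word;
// no user name. Text checks are case-insensitive, so "Welcome1!" still trips the dictionary rule.
func CheckPassword(candidate, username string, dictionary []string) []string {
	var upper, lower, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true // anything that is not a letter or digit (spaces included) counts as special
		}
	}
	var violations []string
	if !upper { violations = append(violations, "no upper-case letter") }
	if !lower { violations = append(violations, "no lower-case letter") }
	if !digit { violations = append(violations, "no number") }
	if !special { violations = append(violations, "no special character") }
	folded := strings.ToLower(candidate)
	if username != "" && strings.Contains(folded, strings.ToLower(username)) {
		violations = append(violations, "contains the user name")
	}
	for _, word := range dictionary {
		if strings.Contains(folded, strings.ToLower(word)) {
			violations = append(violations, "contains dictionary word "+word)
			break // one dictionary hit is enough to reject
		}
	}
	return violations
}

func main() {
	for _, pw := range []string{"Welcome1!", "smarkey#2012", "Tr0ub4dor&3"} {
		fmt.Printf("%q -> %v\n", pw, CheckPassword(pw, "smarkey", SampleDictionary))
	}
}
```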
  27. • Change / Configuration Management
        – Process
          • Cost, GRC & Quality are huge drivers for:
            – Software Development Lifecycle (SDLC)
            – Project Management Office (PMO), Project Portfolio Mgmt (PPM)
            – Lean / Six Sigma, ISO 9000, CMMi
        – Provisioning / De-provisioning
          • On-loading / Off-loading
            – Profit Centers / Business Units / Functions
            – Data
            – Applications
            – Vendors / Partners
            – Customers
          • Periodic Reviews of Processes & Accounts
  28. • Incident Response / e-Discovery / DR Testing
        – Practice makes perfect.
          • Wash & Repeat
        – Crawl → Walk → Run
          • Crawl: Internal Tabletop Testing
          • Walk: Internal Exercise, “’cause you have nothing better to do on a Saturday”.
          • Run: Incorporate Vendors, Partners & Customers
  29. • Physical Security
        – Privacy Screen
        – Physical Location & Office Access
        – Dumpster Diving
        – Lost Hard-copy Reports
        (Images: Amazon, Flickr, Flickr)
  30. • End-user Training
        – New-hires
          • Especially for millennials (IT consumerization).
        – Quarterly Computer-based Training (CBT)
          • For heavily regulated industries.
        – Annual On-site Training
          • Be liberal with the swag.
            – Pilot new marketing campaigns (logo, tag, brand).
        – Educate Your Ecosystem
  31. • Take-aways
        – Educate Your Ecosystem
        – Healthy Dose of Skepticism
        – Embrace Change Pragmatically
        – Secured Technology is an Enabler
        – Privacy is Important Too
  32. • Questions?
      • Contact
        – Email: steve@ncontrol-llc.com
        – Twitter: @markes1, @casdelval2011
        – LI: http://www.linkedin.com/in/smarkey