Information Systems 365/765 Information Systems Security and Strategy                   Lecture 3Data Classification and D...
Today’s Agenda• Discuss Frontline  video,  “Cyberwar” and  assignment #1• Discuss readings,  Cyberwar,  Chinese Hackers,  ...
Readings Are Now Online• We are going to save some trees!• Readings are all at:  mywebspace.wisc.edu/ndavis1/365• Readings...
Cyberwar Video• Overall, what did you think of the  premise that both government  and the private sector are at risk  for ...
The CIA Triad• Confidentiality• Integrity• Availability• The goals of a  secure  information  system
Confidentiality
Confidentiality• Confidentiality is  assurance of data  privacy• Only the intended  and authorized  recipients:  individua...
Ensuring Confidentiality• Encryption of data• Protecting the data with some type  of authentication such as  username/pass...
Integrity• Integrity is assurance of data  and/or source non-alteration.• Data integrity is having  assurance that the inf...
DICOM Example of Data      Integrity
Source Integrity• Source integrity  is the assurance  that the sender  of information is  who it is  supposed to be.• Sour...
Spoofing Data and Source            Integrity• Data integrity can be  compromised when  information has been  corrupted or...
Ensuring Data Integrity• Digitally sign  the document• Digital  signature uses  a checksum to  ensure data  integrity
How a Check Digit/Checksum           Works• A check digit consists of a single  digit computed from the other  digits in t...
Check Digit Example• UW-Madison ID Card• The last digit is a check digit• Let’s use example “524” with a check  digit of “...
Availability• Availability is  assurance in  the timely and  reliable access  to data  services for  authorized  users. It...
C&I Are Nothing Without the A• Confidentiality and integrity  can be protected, but an  attacker causes resources to  beco...
Ensuring Data Availability• Fully redundant network  architectures and system  hardware without any single  points of fail...
CIA Summary• To secure data,  you must  ensure  confidentiality,  integrity and  availability• Be careful not  to compromi...
How Do We Know If Data    Should Be Protected?• Before we build  a system to  protect  business data,  we need to  underst...
Data Classification• Data  Classification is  the conscious  decision to assign  a level of  sensitivity to data  as it is...
Data Classification Levels• Top Secret• Highly Confidential• Proprietary• Internal Use Only• Public Documents• Terminology...
Top Secret• Highly sensitive internal  documents e.g. pending mergers  or acquisitions; investment  strategies; plans or d...
Top Secret - Handling• Must sign in to gain access to  the data• Must be supervised while  viewing the data• Must not remo...
Highly Confidential• Information that, if made  public or even shared around  the organization, could  seriously impede th...
Highly Confidential – Handling• May only be shared with a  specific list of people• May not be copied• May not leave the c...
Proprietary• Information of a proprietary  nature; procedures,  operational work routines,  project plans, designs and  sp...
Proprietary - Handling• May only be shared with a  specific list of people• Copying is permitted but not  encouraged• May ...
Internal Use Only• Information not approved for  general circulation outside the  organization where its loss  would incon...
Internal Use Only - Handling• Does not necessitate an  authorization list• May be copied without  reservation• May be take...
Public Documents• Information in the public  domain; annual reports, press  statements etc.; which has  been approved for ...
Public Documents - Handling• No distribution list required• May be copied at will• May be taken off-site• May be shared wi...
Data Loss Prevention (DLP)         Technologies• First classify your data• Now, protect it appropriately• Control the envi...
Next Generation Compliance           Filters• Content filters for HIPAA, GLB,  SOX and other regulations  automatically sc...
ApplianceAnti SPAMAnti SpywareAnti Virus
Host Based Software• Virus Scanning on your  workstation• Personal software firewalls
Appliances vs. Host Based DLP• Both provide some protection• Host based is usually more  configurable, but harder to  mana...
Encryption• Protects confidentiality• Ensures recipient  authentication (Only the  intended recipient can decrypt  the mes...
Content Scanning• Can be hardware or software  based• HTTP traffic, viruses, malware• Phishing attempts• Peer to Peer appl...
Enterprise Management Tools• The ability to know exactly  what your users have been  doing, in a form which can be  audite...
Upcoming SlideShare
Loading in...5
×

Lecture data classification_and_data_loss_prevention

326

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
326
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
28
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Lecture data classification_and_data_loss_prevention

  1. 1. Information Systems 365/765 Information Systems Security and Strategy Lecture 3Data Classification and Data Loss Prevention
  2. 2. Today’s Agenda• Discuss Frontline video, “Cyberwar” and assignment #1• Discuss readings, Cyberwar, Chinese Hackers, Vendor Liability• Lecture, Data Classification and Data Loss Prevention
  3. 3. Readings Are Now Online• We are going to save some trees!• Readings are all at: mywebspace.wisc.edu/ndavis1/365• Readings are placed in the folders for each class session. For example, readings for Thursday, September 11, are in the September 11 folder• Link to Cyberwar video is in September 4 folder
  4. 4. Cyberwar Video• Overall, what did you think of the premise that both government and the private sector are at risk for cyber-attack?• Can you think of specific businesses which should be concerned about cyber-attack?
  5. 5. The CIA Triad• Confidentiality• Integrity• Availability• The goals of a secure information system
  6. 6. Confidentiality
  7. 7. Confidentiality• Confidentiality is assurance of data privacy• Only the intended and authorized recipients: individuals, processes or devices, may read the data• Disclosure to unauthorized entities must be avoided• Examples - Rayovac
  8. 8. Ensuring Confidentiality• Encryption of data• Protecting the data with some type of authentication such as username/password• Data handling policies• Data storage policies• Data retention policies• Which of these are technical controls? Which are administrative controls?
  9. 9. Integrity• Integrity is assurance of data and/or source non-alteration.• Data integrity is having assurance that the information has not been altered in transmission, from origin to reception.
  10. 10. DICOM Example of Data Integrity
  11. 11. Source Integrity• Source integrity is the assurance that the sender of information is who it is supposed to be.• Source integrity is compromised when an agent spoofs its identity and supplies incorrect information to a recipient.
  12. 12. Spoofing Data and Source Integrity• Data integrity can be compromised when information has been corrupted or altered, willfully or accidentally, before it is read by its intended recipient.• We will study ways to avoid such spoofing
  13. 13. Ensuring Data Integrity• Digitally sign the document• Digital signature uses a checksum to ensure data integrity
  14. 14. How a Check Digit/Checksum Works• A check digit consists of a single digit computed from the other digits in the message.• This is accomplished with a simple formula• More complex messages require the use of a checksum
  15. 15. Check Digit Example• UW-Madison ID Card• The last digit is a check digit• Let’s use example “524” with a check digit of “3”, so your student ID might be “524 3”• Formula example, check digit = first digit + second digit – third digit. In this case, 5 + 2 – 4 = check digit of 3• Equipment reading your card can be programmed to make use of the check digit if it knows the formula for computing the check digit
  16. 16. Availability• Availability is assurance in the timely and reliable access to data services for authorized users. It ensures that information or resources are available when required.
  17. 17. C&I Are Nothing Without the A• Confidentiality and integrity can be protected, but an attacker causes resources to become less available than required, or not available at all.• Denial of Service (DoS)• Do you remember the DoS discussion on the video?
  18. 18. Ensuring Data Availability• Fully redundant network architectures and system hardware without any single points of failure ensure system reliability and robustness.• Virus scanning / malware scanning• Striping of data across hot swappable disks, mirroring data, remote live site.
  19. 19. CIA Summary• To secure data, you must ensure confidentiality, integrity and availability• Be careful not to compromise confidentiality and integrity as you seek to provide availability
  20. 20. How Do We Know If Data Should Be Protected?• Before we build a system to protect business data, we need to understand how to rate the sensitivity of business data• This is done through data classification
  21. 21. Data Classification• Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted.
  22. 22. Data Classification Levels• Top Secret• Highly Confidential• Proprietary• Internal Use Only• Public Documents• Terminology varies by organization
  23. 23. Top Secret• Highly sensitive internal documents e.g. pending mergers or acquisitions; investment strategies; plans or designs• Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
  24. 24. Top Secret - Handling• Must sign in to gain access to the data• Must be supervised while viewing the data• Must not remove the materials from the secure viewing area• May not copy the data or even be in possession of devices which could copy the data, including pens and paper
  25. 25. Highly Confidential• Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations.
  26. 26. Highly Confidential – Handling• May only be shared with a specific list of people• May not be copied• May not leave the company’s physical location• More administrative control here than with Top Secret
  27. 27. Proprietary• Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.
  28. 28. Proprietary - Handling• May only be shared with a specific list of people• Copying is permitted but not encouraged• May be taken off-site• May not be shared with anyone outside the company
  29. 29. Internal Use Only• Information not approved for general circulation outside the organization where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility.
  30. 30. Internal Use Only - Handling• Does not necessitate an authorization list• May be copied without reservation• May be taken off-site• May not be shared with the public
  31. 31. Public Documents• Information in the public domain; annual reports, press statements etc.; which has been approved for public use. Security at this level is minimal.
  32. 32. Public Documents - Handling• No distribution list required• May be copied at will• May be taken off-site• May be shared with anyone and even promoted
  33. 33. Data Loss Prevention (DLP) Technologies• First classify your data• Now, protect it appropriately• Control the environment• Control access to the data• Protect while in transit• Protect while in storage
  34. 34. Next Generation Compliance Filters• Content filters for HIPAA, GLB, SOX and other regulations automatically scan emails for protected financial and health information. Easily extensible lexicons allow companies to customize these rules to meet specific requirements.
  35. 35. ApplianceAnti SPAMAnti SpywareAnti Virus
  36. 36. Host Based Software• Virus Scanning on your workstation• Personal software firewalls
  37. 37. Appliances vs. Host Based DLP• Both provide some protection• Host based is usually more configurable, but harder to manage, especially at remote locations• Appliances are more rigid
  38. 38. Encryption• Protects confidentiality• Ensures recipient authentication (Only the intended recipient can decrypt the message)• We will spend an entire lecture on email encryption and YOU will send encrypted email
  39. 39. Content Scanning• Can be hardware or software based• HTTP traffic, viruses, malware• Phishing attempts• Peer to Peer applications• Instant Messaging• Key loggers
  40. 40. Enterprise Management Tools• The ability to know exactly what your users have been doing, in a form which can be audited. Web, email, etc.• The ability to control the sending and receiving of specific content.• Websense
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×