PowerPoint Presentation
Speaker Notes

  • The data breach notification law requires companies to notify the authorities of any data breach involving personal information. The law does not prescribe specific technologies or processes that companies must use.
  • The state issued a report on the responses to the notification law, and its findings are striking. In about a year, 318 breaches were reported, and in about 75% of them the data was not protected at all. Encryption had been used in only about 3% of the incidents (308 of the 318 breaches involved unencrypted data), and much of the data was not even password protected. This shows that many companies have yet to deploy basic security controls.
  • A majority of the breaches, 75% of the 33 breaches that affected more than 500 MA residents, were reported by the financial services sector. Data thieves evidently see that sector as the most direct route to money. Other sectors should be equally vigilant, because attackers go after the low-hanging fruit wherever it may be.
  • 60% of the data breaches were malicious in nature (“criminal / unauthorized acts”), and laptop or hard disk theft featured prominently. This is no surprise: today’s hard disks are highly portable and can hold hundreds of gigabytes of information. The remaining 40% of the breaches were the result of “employee error and sloppy internal handling”. The conclusion is that the focus has to be both on protecting against intentional threats and on better employee training and policies.
  • As a follow-up to the data breach notification law, MA will enforce the data security regulation, 201 CMR 17, from May 1, 2009. Its purpose is to protect MA residents from identity theft and fraud. The regulation also sets minimum standards for information protection: its security, confidentiality and integrity. Its scope is broad: it covers all businesses, large or small, that use or hold personal information of MA residents, and it applies to all forms of information, paper as well as electronic.
  • The regulation defines personal information as a resident’s first name and last name, or first initial and last name, in combination with one or more of the following: a Social Security number; a state ID or driver’s license number; or a financial account number, including a credit or debit card number. So any business that so much as accepts a credit card could potentially be affected by the regulation.
  • Encryption is an important technology that features strongly in the regulation, and two more definitions are worth noting. Unlike some previous regulations that simply mentioned encryption, this one defines encryption as an algorithmic process (or an alternative method at least as secure) and explicitly refers to the confidential process or key. Similarly, a breach of security is defined as the unauthorized use of unencrypted data, or of encrypted data together with the confidential process or key that is capable of compromising it. In other words, encryption only keeps a lost device out of breach territory if the key is not lost with it.
  • One of the central features of the regulation is the requirement for a written information security plan. Every business is required to have one, and at least one employee is designated to maintain it. It has to include disciplinary measures for violations and must be reviewed at least once a year. All incident responses and security issues are expected to be documented.
  • The next couple of slides describe the computer system requirements set by the regulation. Secure authentication protocols are required, and passwords are expected to be used; recall the earlier slide on data breaches, where only 22% of the incidents had password protection. Access to data must be controlled, with people accessing information only on a need-to-know basis: if someone has to work with only a couple of records, there is no need to download the entire database just because a large-capacity hard disk or memory stick is at hand. Data in motion must be encrypted: all data on public networks and all wireless data. One could suppose that external email is included as well. It is interesting to note that the TJX breach is said to have started with a hack into the wireless network at a store. All data on laptops and other portable devices must also be encrypted. While most operating systems and applications provide some kind of password and access control, encryption often requires specialized software or hardware to be installed.
  • Firewall protection and up-to-date anti-malware protection are also required, and the controls are not expected to be “set and forget”: reasonable, ongoing monitoring for unauthorized access is expected. The last point, but certainly a very important one, is that proper training and education of employees on data security is expected. The data breach notification report mentioned that 40% of the breaches were the result of employee error or sloppy handling of sensitive information.
  • According to the regulation, businesses will be judged for compliance using several factors, including the size, type and scope of the business. A small business may not have the resources of a large one, and the volume of data it holds is likely to be lower. Both employee and customer information are expected to be protected. The regulation has been amended and clarified, so it is useful to check the Mass. government website (shown at the bottom of the slide) periodically for updates.
  • Here is a snapshot of the key dates for the Mass. regulations: the data breach notification law has been in effect since Oct 2007; the 201 CMR 17 data security regulation becomes effective on May 1, 2009 (postponed from Jan 1, 2009); and businesses have until Jan 2010 to encrypt portable devices other than laptops, and to obtain written certification from third parties with whom they share sensitive data that those parties have a written data security plan.
  • While the focus of this presentation is portable devices, it is important to understand the big picture and map out the interconnected risks. A typical IT infrastructure is quite porous: confidential data or personally identifiable information can be lost or stolen from many points, including file shares, local user PCs, email, portable media and remote user devices. When data thieves see data, they see cash. In this complex environment, security administrators face several challenges: the increasing sophistication of threats, an open enterprise with powerful endpoints, many compliance regulations, an assortment of point solutions, and limited budgets and resources.
  • When it comes to choosing and implementing a data security solution, security officers have requirements that go beyond encryption alone. These include the ability to: define security roles and responsibilities so that information is accessed only on an as-needed basis; enforce consistent policies to ensure compliance in complex, mixed environments with a variety of endpoints and users; make security transparent to end users, so that there is no productivity loss and less reliance on users for security; enable secure data sharing and recovery so that the business can function without interruption; allow easy deployment and administration, which is especially important in large, complex environments; and support quick, on-demand audits after a security incident. If a laptop is lost, it is important to be able to show quickly that it was encrypted.
  • Here is that same network, where data can be lost or stolen from many points. Data protection can be applied all the way from the core of your network to the edge and beyond.
  • Here is a solution example of transparent full disk encryption. Pre-boot authentication provides a greater level of security, and the login dialog can be customized with your own graphics and text. After the hard disk is encrypted, a green key appears next to it.
  • Here is a solution example that encrypts removable media, including USB keys and CD/DVDs. Authorized employees can transparently save, exchange and read encrypted data. If the media is lost or stolen, it cannot be read.
  • SafeGuard Enterprise Configuration Protection can prevent data leakage via PC ports by blocking or restricting access using whitelists.
  • SafeGuard Enterprise is a modular data security solution that enforces policy-based encryption for PCs and mobile devices across multiple platforms. It is easy to use for the end user and centrally managed from a single console, and it also provides security for users and endpoints that are not centrally managed.
  • Here are 4 key benefits provided by the SafeGuard Enterprise data security solution.
  • SafeGuard Enterprise has won several awards recently.

Presentation Transcript

  • Massachusetts State Data Security Regulations
  • Agenda
    Introduction
    Massachusetts Data Security Regulations
    Compliance Best Practices
    Utimaco data security solution
  • Utimaco – The Data Security Company: 25 Years of Security Experience
    Founded in 1983
    Member - Sophos Group
    350+ Employees
    US HQ – Boston, MA
    Global HQ – Frankfurt (Germany)
    Over 6 million licenses
    Revenue US$ 96m (Rolling 12-mths Q1 FY’08/’09)
  • Data Breach Headlines to be Avoided
    TJX
    • In-store communications intercepted?
    • Data for 94 million customers lost
    • Reported on October 24, 2007
    Source: www.msnbc.com
    261 Million Data Records of U.S. Residents Exposed Since 2005
    Source: www.privacyrights.org
  • Massachusetts Data Security Regulations
    M.G.L Chapter 93H (Oct ‘07)
    Regulation to Safeguard Personal Information of Commonwealth Residents
    Requires companies to notify data owners & regulators if a breach occurs
    201 CMR 17.00 Regulation (June ’10)
    Specifies Standards for The Protection of Personal Information of Residents of the Commonwealth
    Requires preventive data security controls including encryption
  • M.G.L Chapter 93H: Regulations to Safeguard Personal Information of Commonwealth Residents
    Effective Oct 2007
    “Duty to report known security breach or unauthorized use of personal information”
    Defines personal information and requires companies to notify authorities upon data security breaches
    Does not specify technologies or processes
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • No Encryption in 308 of 318 Breaches
    M.G.L Data Breach Notifications Report (Sep. ’08)
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • 75% of Breaches: Financial Services Sector
    Of 33 Breaches Affecting More Than 500 MA Residents
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • Causes of Data Breaches
    High Number of Laptops or Hard Disks Were Lost or Stolen
    60%: “Criminal / Unauthorized Acts”
    40%: “Employee Error / Sloppy Internal Handling”
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • 201 CMR 17.00 Regulation: Standards for The Protection of Personal Information of Residents of the Commonwealth
    Purpose
    Implements provisions of M.G.L. c. 93H to protect against ID theft, fraud
    Set minimum standards for information protection -- security, confidentiality and integrity
    Protect against unauthorized access and use
    Scope
    All businesses using/having MA residents personal information
    Applies to all forms of information (paper, electronic, etc.)
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • 201 CMR 17.00 Defines “Personal Information”
    First name, Last name
    or
    First initial, Last name
    +
    Social Security #
    or
    State ID # / Driver’s License #
    or
    Financial Acct # / Credit/Debit Card #
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
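The definition above (and the speaker note on it) is the rule that a data discovery or DLP scan has to implement before any of the controls that follow can be scoped. As an added example, not code from the presentation or from Utimaco, here is a small scanner that applies it: a record is flagged only when a name is found together with an SSN, a driver’s license number or a Luhn-valid card number. The name pattern, the “S” plus eight digits license format and the sample records are assumptions constructed for the example.

```python
"""Scan text for "personal information" as 201 CMR 17.00 defines it.

Added illustration, not code from the presentation or from Utimaco.
A record is in scope only when a name (first name or first initial
plus last name) occurs together with at least one qualifying identifier:
a Social Security number, a state ID / driver's license number, or a
financial account / credit or debit card number.
"""
import re

# Name: first name or initial, then last name (lookahead so overlapping
# pairs such as "Employee Jane" / "Jane Doe" are both seen). Simplified
# assumption: real scanners take names from structured fields.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z])\.?\s+(?=([A-Z][a-z]+)\b)")
# SSN: nnn-nn-nnnn, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Driver's license: assumed Massachusetts format, 'S' followed by 8 digits.
LICENSE_RE = re.compile(r"\bS\d{8}\b")
# Payment card: 13-19 digits with optional spaces/dashes, then Luhn-checked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Capitalised words that pair up like a name but are labels, not people.
LABEL_WORDS = {"Employee", "Social", "Security", "Account", "Number",
               "Card", "Credit", "License", "Dear", "Regards"}


def luhn_valid(number: str) -> bool:
    """Mod-10 check that separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_name(text: str):
    """First 'First Last' or 'F. Last' pair that is not a field label."""
    for m in NAME_RE.finditer(text):
        if m.group(1) not in LABEL_WORDS and m.group(2) not in LABEL_WORDS:
            return f"{m.group(0).strip()} {m.group(2)}"
    return None


def find_identifiers(text: str) -> dict:
    """Qualifying identifiers present in the text, keyed by type."""
    found = {}
    if m := SSN_RE.search(text):
        found["ssn"] = m.group(0)
    if m := LICENSE_RE.search(text):
        found["license"] = m.group(0)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):              # digit runs that fail Luhn are ignored
            found["card"] = digits
            break
    return found


def classify(text: str) -> dict:
    """Apply the definition: name AND at least one identifier => in scope."""
    name = find_name(text)
    ids = find_identifiers(text)
    return {"name": name, "identifiers": ids, "in_scope": bool(name and ids)}


# Constructed sample records; people and numbers are fictitious.
SAMPLES = [
    "Order confirmation for J. Smith, card 4111 1111 1111 1111 charged $42.00",
    "Employee Jane Doe, SSN 123-45-6789, license S12345678",
    "Account 1234567890 closed; contact Social Security office",  # no name
    "Jane Doe called about order 20090501",                        # no identifier
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print("IN SCOPE    " if r["in_scope"] else "out of scope",
              sorted(r["identifiers"]), "|", s)
```

Note what the definition leaves out: a bare account number or a name on its own is not personal information under the regulation, so neither the third nor the fourth sample record is flagged. A generic financial account number has no checkable structure like the Luhn digit, which is why real deployments pair pattern matching with knowledge of which systems and fields hold such numbers.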
  • 201 CMR 17.00: More Definitions
    “Encrypted”
    “the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key…”
    “Breach of security”
    “unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security…”
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • 201 CMR 17.00: Mandatory Written Information Security Plan
    Designated employee(s) maintain plan
    Includes disciplinary measures
    3rd party service provider must also have plan
    Limit information access, time, amount to what's needed
    Review plan at least annually
    Document incident responses
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • 201 CMR 17.00: Computer System Security Requirements 1
    Secure authentication protocols
    IDs, passwords, active users, blocking
    Secure access control
    Information access on need to know basis
    Control IDs, passwords, no “vendor default passwords”
    Encrypt data in motion
    On public networks and all wireless data
    Encrypt data at rest
    Laptops, other portable devices (USB sticks, CD/DVDs, PDAs, etc)
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • 201 CMR 17.00: Computer System Security Requirements 2
    Firewall, anti-malware protection
    up to date patches, “virus definitions”
    Reasonable monitoring for unauthorized access
    Education and training of employees
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
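The “blocking” item on the previous slide and the “reasonable monitoring for unauthorized access” item on this one are the two requirements that a log-based detection can exercise directly. As an added example, not code from the presentation or from Utimaco, the script below reads sshd-style authentication lines (constructed here), locks an account after five failures in ten minutes, flags a source address doing the same across accounts, and raises a separate alert if a login succeeds for an account that should have been locked, which is the monitoring check that tells you whether the blocking control actually held. The threshold, the window and the log format are assumptions for the example.

```python
"""Failed-login monitoring with lockout, run over constructed sshd log lines.

Added illustration, not code from the presentation or from Utimaco.
Two of the regulation's points are modelled: blocking an account after
repeated failed logins, and monitoring for unauthorized access. The
thresholds and the sshd log format are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

MAX_FAILURES = 5   # failures within WINDOW that trigger a lockout (assumed policy)
WINDOW = 600       # seconds

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def parse(line: str, year: int = 2009):
    """(timestamp, success, user, ip) for an auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())        # collapse "May  1" to "May 1"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def monitor(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return alerts as (event, user, ip, timestamp) tuples in log order.

    lockout:              an account reached max_failures within the window
    source_burst:         one source address did, across any accounts
    success_while_locked: a login succeeded for an account that should have
                          been blocked, i.e. the blocking control did not
                          hold or was bypassed
    """
    fails_by_user = defaultdict(deque)
    fails_by_ip = defaultdict(deque)
    locked_until = {}
    alerts = []

    def prune(dq, now):
        while dq and (now - dq[0]).total_seconds() > window:
            dq.popleft()

    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ok, user, ip = parsed
        if ok:
            if user in locked_until and ts <= locked_until[user]:
                alerts.append(("success_while_locked", user, ip, ts))
            fails_by_user[user].clear()       # clean login resets the counter
            continue
        for dq in (fails_by_user[user], fails_by_ip[ip]):
            dq.append(ts)
            prune(dq, ts)
        if len(fails_by_user[user]) == max_failures:
            locked_until[user] = ts + timedelta(seconds=window)
            alerts.append(("lockout", user, ip, ts))
        if len(fails_by_ip[ip]) == max_failures:
            alerts.append(("source_burst", user, ip, ts))
    return alerts


# Constructed log excerpt: a password-guessing burst against "admin" that
# ends in a successful login, a normal user typo, and a probe for a
# non-existent account. Hosts and addresses are documentation values.
LOG = """\
May  1 09:00:01 fs1 sshd[2001]: Failed password for admin from 203.0.113.5 port 50001 ssh2
May  1 09:00:03 fs1 sshd[2002]: Failed password for admin from 203.0.113.5 port 50002 ssh2
May  1 09:00:05 fs1 sshd[2003]: Failed password for admin from 203.0.113.5 port 50003 ssh2
May  1 09:00:07 fs1 sshd[2004]: Failed password for admin from 203.0.113.5 port 50004 ssh2
May  1 09:00:09 fs1 sshd[2005]: Failed password for admin from 203.0.113.5 port 50005 ssh2
May  1 09:00:11 fs1 sshd[2006]: Accepted password for admin from 203.0.113.5 port 50006 ssh2
May  1 09:15:00 fs1 sshd[2010]: Failed password for jdoe from 198.51.100.7 port 40001 ssh2
May  1 09:15:20 fs1 sshd[2011]: Accepted password for jdoe from 198.51.100.7 port 40002 ssh2
May  1 09:20:00 fs1 sshd[2012]: Failed password for invalid user oracle from 203.0.113.5 port 50010 ssh2
"""

if __name__ == "__main__":
    for event, user, ip, ts in monitor(LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {event:22} user={user} from={ip}")
```

The third alert is the one worth paging on: a lockout followed by a successful login for the same account within the window means either that the lockout was never enforced on that system or that the attacker found a path around it, and it is also the kind of event the regulation expects to be documented in the incident record.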
  • 201 CMR 17.00: Compliance Evaluation Criteria
    Size, type and scope of business
    Amount of resources available
    Amount of stored data
    Need for security and confidentiality of both consumer and employee information
    Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
  • Regulations -- Key Dates
  • Porous Infrastructure > Data Loss
    Diagram: points where data can be lost or stolen: Central Management Server, File Share, Partners/Customers, Email Gateway, Local Users, Remote Users, Email Encryption, Removable Media, Security Admins., Internet, Data Thieves
  • Data Security Solution Requirements: Encryption & More…
    Defined roles and responsibilities
    Consistent policies
    Transparent security
    Secure sharing and recovery
    Easy deployment and administration
    Fast response to audits
  • Comprehensive Plan - Data Security
    Diagram: the same network with protection applied at each point. Controls shown: Email Security Gateway, Removable Media Encryption, H/W Security Module, Encrypted File Shares, Email Encryption, Full Disk Encryption / PDA Security / DLP (local and remote users), Mgmt. Center. Points shown: Partners/Customers, File Share, Central Mgmt. Server, Email Gateway, Local Users, Remote Users, Removable Media, Internet, Security Admins.
  • Full Disk Encryption: Protects Lost Laptops
    << Your Company logo / Graphics / Messages >>
  • Encrypted Removable Media: Unreadable If Lost or Stolen
  • PC Port Control: Preventing Data Leakage Via Ports (USB)
  • Auditable Proof of Encryption
    Print, Export, Save
  • SafeGuard Enterprise: Your Central Key to Data Security
    1. Consistent policies, mgmt. of keys & certificates – SafeGuard Management Center
    2. Encrypt laptops, desktops, servers – SafeGuard Device Encryption
    3. Encrypt removable media – SafeGuard Data Exchange
    4. PC port control & DLP – SafeGuard Configuration Protection
    5. Manage external security products – SafeGuard Partner Connect (in process)
    6. Secure network file shares – SafeGuard FileShare
    7. Content inspection – SafeGuard CMF/DLP
  • SafeGuard Enterprise Data Security Benefits
  • Recent Proof Points
    SC Magazine Finalist (April 2009): Best Mobile Device Security Solution
    Gartner: Ranked Leader, Top Marks for Vision, 2008-’09 Magic Quadrant for Mobile Data Protection (4 Years Running)
    Bloor Research: Utimaco in Champion’s Sector, Multiple Categories (Encryption, Data Protection & DLP)