  • The data breach notification law requires companies to notify authorities of any data breach involving personal information. The law does not recommend specific technologies or processes that companies must use.
  • The govt. issued a report on the responses to the notification law. The report contained very interesting findings. In about a year, 318 breaches were reported, and in 75% of the breaches the data was not protected. Encryption was used in only 3% of the incidents, and much of the data was not even password protected. This is a staggering statistic that shows that a number of companies have yet to deploy basic security controls.
  • A majority of the breaches (75%) were reported by the financial services sector. Obviously, data thieves think that this would give them direct access to money. Other sectors should be equally vigilant, because hackers go after the low-hanging fruit wherever it may be.
  • 60% of the data breaches were malicious in nature. Laptop / hard disk theft was a prominent feature. This is not a surprise, since today's hard disks are highly portable and can contain hundreds of gigabytes of information. The remaining 40% of the breaches were the result of "employee error and sloppy internal handling". The conclusion is that the focus has to be both on protecting against intentional threats and on better employee training and policies.
  • As a follow-up to the data breach notification regulation, MA will be enforcing the data security regulation, 201 CMR 17, from May 1 of 2009. Its purpose is to protect MA residents from identity theft and fraud. The regulation also aims to set minimum standards for information protection: its security, confidentiality and integrity. The scope of the regulation is broad. It covers all businesses, large or small, that use or have personal information of MA residents. The regulation applies to all forms of information, including paper and electronic.
  • The regulation defines personal information as a combination of the following: a first name and last name, or a first initial and last name, together with one of the following: a Social Security number; or a state ID / driver's license number; or a financial account number, including a credit or debit card number. For example, any business that even accepts a credit card could potentially be affected by the regulation.
  • Encryption is an important technology that finds strong mention in the regulation. A couple more definitions are useful to note. Unlike some of the previous regulations that simply mentioned encryption, this regulation defines encryption as an algorithmic process and also mentions the encryption key. Similarly, a breach of security is defined as one where data is not encrypted or, in cases where data is encrypted, the encryption key gets compromised.
  • One of the central features of the regulation is the requirement for a written information security plan. Every business is required to have one. At least one employee is designated to maintain the plan. It has to include disciplinary measures for violations. It must be reviewed at least once a year. All incident responses and security issues are expected to be documented.
  • The next couple of slides describe the system requirements as required by the regulation. Secure authentication protocols are required. Passwords are expected to be used. Note the earlier slide on data breaches, where only 22% of the incidents had password protection. Access to data must be controlled, with people accessing information only on a need-to-know basis. For example, if people have to access only a couple of records, there is no need to download the entire database just because one has a large-capacity hard disk or a memory stick. Data in motion must be encrypted. All data on public networks and all wireless data must be encrypted. One could suppose that external email could also be included. It is interesting to note that the TJX breach is said to have started with a hack into the wireless network at a store. All data on laptops and portable devices is also expected to be encrypted. While most operating systems and applications have provisions for some kind of password and access control, encryption often requires specialized software or hardware to be installed.
  • Firewall protection and up-to-date anti-malware protection are also required. The controls are not expected to be "set and forget". Reasonable monitoring, on an ongoing basis, for unauthorized access is also expected. The last point, but certainly a very important one, is that proper training and education of employees on data security is expected. The MA data breach report mentioned that 40% of the data breaches were the result of employee error or sloppy handling of sensitive information.
  • According to the regulation, businesses would be judged for compliance using several factors, including the size, type and scope of the business. For example, small businesses may not have the resources that a large business has. Also, the volume of data held by smaller businesses could be lower than that of a typical large business. Both employee and customer information are expected to be protected. The regulation has been amended and clarified. It would be useful to periodically check the Mass. govt. website for updates. The website is shown at the bottom of the screen.
  • Here is a snapshot of the key dates with regard to the Mass. regulations: the data breach notification law has been in effect since Oct 2007. The 201 CMR 17 data security regulation becomes effective on May 1, 2009 (postponed from Jan 1, 2009). Businesses have until Jan 2010 to encrypt portable devices other than laptops, and to get written certification from 3rd parties with whom they share sensitive data that they have a written data security plan.
  • While the focus of this presentation is portable devices, it is important to understand the big picture and map out the interconnected risks. A typical IT infrastructure can be quite porous, and confidential data or personally identifiable information can be lost or stolen from many points. These include file shares, local user PCs, email, portable media and remote user devices. When data thieves see data, they see cash. In this complex environment, security administrators face several challenges. These include: the increasing sophistication of threats; an open enterprise with powerful endpoints; many compliance regulations; an assortment of point solutions; and budgets and resources.
  • When it comes to choosing and implementing a data security solution, security officers have requirements that go beyond just encryption. These include the ability to: define security roles and responsibilities to ensure that information is accessed only on an as-needed basis; enforce consistent policies to ensure compliance in complex, mixed environments with a variety of endpoints and users; provide transparent security to end users to ensure no productivity loss and to reduce reliance on end users for security; enable secure data sharing and recovery to allow businesses to function without interruption; allow easy deployment and administration, which is especially important in large, complex environments; and facilitate quick, on-demand audits if there is a security-related incident. If a laptop was lost, it is important to be able to quickly show that it was encrypted.
  • Here is that same network, where data can be lost or stolen from many points. Data protection can be applied all the way from the core of your network to the edge and beyond. <<<step through the animations>>>
  • Here is a solution example of transparent full disk encryption. Pre-boot authentication provides a greater level of security. The login dialog can be customized with your own graphics and text. After the hard disk is encrypted, a green key appears next to it.
  • Here is a solution example that encrypts removable media, including USB keys and CD/DVDs. Authorized employees can transparently save, exchange and read encrypted data. If the media is lost or stolen, it cannot be read.
  • SafeGuard Enterprise Configuration can prevent data leakage via PC ports by blocking or restricting access using whitelists.
  • SafeGuard Enterprise is a modular data security solution that enforces policy-based encryption for PCs and mobile devices across multiple platforms. It is easy to use for the end user and centrally managed from a single console. It also provides security for non-centrally managed users and endpoints.
  • Here are 4 key benefits provided by the SafeGuard Enterprise data security solution.
  • SafeGuard Enterprise has won several awards recently.
  • Transcript

    • 1. Massachusetts State Data Security Regulations
    • 2. Agenda
      Massachusetts Data Security Regulations
      Compliance Best Practices
      Utimaco data security solution
    • 3. Utimaco – The Data Security Company
      25 Years of Security Experience
      Founded in 1983
      Member - Sophos Group
      350+ Employees
      US HQ – Boston, MA
      Global HQ – Frankfurt (Germany)
      Over 6 million licenses
      Revenue US$ 96m (Rolling 12-mths Q1 FY’08/’09)
    • 4. Data Breach Headlines to be Avoided
      In store communications intercepted?
    • 5. Data for 94 million customers lost
    • 6. Reported on October 24, 2007
      261 Million Data Records of U.S. Residents Exposed Since 2005
    • 7. Massachusetts Data Security Regulations
      M.G.L Chapter 93H (Oct ‘07)
      Regulation to Safeguard Personal Information of Commonwealth Residents
      Requires companies to notify data owners & regulators if a breach occurs
      201 CMR 17.00 Regulation (June‘10)
      Specifies Standards for The Protection of Personal Information of Residents of the Commonwealth
      Requires preventive data security controls including encryption
    • 8. M.G.L Chapter 93H: Regulations to Safeguard Personal Information of Commonwealth Residents
      Effective Oct 2007
      “Duty to report known security breach or unauthorized use of personal information”
      Defines personal information and requires companies to notify authorities upon data security breaches
      Does not specify technologies or processes
    • 9. No Encryption in 308 of 318 Breaches
      M.G.L Data Breach Notifications Report (Sep. ’08)
    • 10. 75% of Breaches: Financial Services Sector
      Of 33 Breaches Affecting More Than 500 MA Residents
    • 11. Causes of Data Breaches
      High Number of Laptops or Hard Disks Were Lost or Stolen
      “Employee Error / Sloppy Internal Handling”
      “Criminal / Unauthorized Acts”
    • 12. 201 CMR 17.00 Regulation: Standards for The Protection of Personal Information of Residents of the Commonwealth
      Implements provisions of M.G.L. c. 93H to protect against ID theft, fraud
      Set minimum standards for information protection -- security, confidentiality and integrity
      Protect against unauthorized access and use
      All businesses using/having MA residents personal information
      Applies to all forms of information (paper, electronic. Etc.)
    • 13. 201 CMR 17.00 Defines “Personal Information”
      A name:
      First name, Last name
      First initial, Last name
      in combination with one of:
      Social Security #
      State ID # / Driver’s License #
      Financial Acct # / Credit/Debit Card #
    • 14. 201 CMR 17.00: More Definitions
      “Encryption”
      “the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key…”
      “Breach of security”
      “unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security…”
    • 15. 201 CMR 17.00: Mandatory Written Information Security Plan
      Designated employee(s) maintain plan
      Includes disciplinary measures
      3rd party service provider must also have plan
      Limit information access, time, amount to what's needed
      Review plan at least annually
      Document incident responses
    • 16. 201 CMR 17.00: Computer System Security Requirements 1
      Secure authentication protocols
      IDs, passwords, active users, blocking
      Secure access control
      Information access on need to know basis
      Control IDs, passwords, no “vendor default passwords”
      Encrypt data in motion
      On public networks and all wireless data
      Encrypt data at rest
      Laptops, other portable devices (USB sticks, CD/DVDs, PDAs, etc)
    • 17. 201 CMR 17.00: Computer System Security Requirements 2
      Firewall, anti-malware protection
      up to date patches, “virus definitions”
      Reasonable monitoring for unauthorized access
      Education and training of employees
    • 18. 201 CMR 17.00: Compliance Evaluation Criteria
      Size, type and scope of business
      Amount of resources available
      Amount of stored data
      Need for security and confidentiality of both consumer and employee information
    • 19. Regulations -- Key Dates
    • 20. Porous Infrastructure > Data Loss
      Central Management Server
      File Share
      Partners, Customers
      Email Gateway
      Local Users
      Remote Users
      Email Encryption
      Removable Media
      Security Admins.
      Email gateway
      Data Thieves
    • 21. Data Security Solution Requirements
      Encryption & More…
      Defined roles and responsibilities
      Consistent policies
      Transparent security
      Secure sharing and recovery
      Easy deployment and administration
      Fast response to audits
    • 22. Comprehensive Plan - Data Security
      Email Security Gateway
      Removable Media Encryption
      H/W Security Module
      Partners, Customers
      File Share
      Central Mgmt. Server
      Email Gateway
      Full Disk Encryption, PDA Security, DLP
      Full Disk Encryption, PDA Security, DLP
      Local Users
      Remote Users
      Encrypted File Shares
      Removable Media
      Email Encryption
      Email gateway
      Full Disk Encryption, PDA Security, DLP
      Mgmt. Center
      Security Admins.
    • 23. Full Disk Encryption
      Protects Lost Laptops
      << Your Company logo / Graphics / Messages >>
    • 24. Encrypted Removable Media
      Unreadable If Lost or Stolen
    • 25. PC Port Control
      Preventing Data Leakage Via Ports
      USB
    • 26. Auditable Proof of Encryption
      Print, Export, Save
    • 27. SafeGuard Enterprise
      Your Central Key to Data Security
      2. Encrypt laptops, desktops, servers
      1. Consistent policies, mgmt. of keys & certificates
      Config. Protection
      Device Encryption
      3. Encrypt removable media
      7. Content inspection
      SafeGuard Management Center
      4. PC port control & DLP
      Data Exchange
      6. Secure network file shares
      SafeGuard Partner Connect
      5. Manage external security products
      (In Process)
    • 28. SafeGuard Enterprise Data Security Benefits
    • 29. Recent Proof Points
      SC Magazine Finalist (April 2009):
      Best Mobile Device Security Solution
      Gartner Ranked Leader
      Top Marks for Vision
      2008-’09 Magic Quadrant for Mobile Data Protection
      (4 Years Running)
      Utimaco in Champion’s Sector – Multiple Categories
      Bloor Research
      Encryption, Data Protection & DLP