MICHAEL – ILM & ICM

ILM – Information Lifecycle Management is a sustainable storage strategy that balances the cost of storing and managing information with its business value. A well-executed ILM strategy results in a more agile organization, reduces business risk and drives down both storage unit and storage management costs.

ICM – Information Classification and Management – Implementing an information classification scheme is valuable for a number of reasons: it allows enterprises to apply content-based access policies, apply appropriate retention intervals to data, demonstrate comprehensive adherence to policy for compliance purposes, and potentially protect sensitive content when it leaves the enterprise. Tools offer advanced features such as file-path metadata parsing, in-file content visibility, context category classification, file-classification tagging, and policy-based management and tracking (Bill Reed, “Data-classification best practices”, 1/18/2007).

THE GLOBAL STATE OF INFORMATION SECURITY by CIO and CSO Magazines in partnership with PWC, 2008 – Mark Lobel of PWC says, referring to security and data classification, “Doing this project is a lot of effort and unless there’s a regulatory need for it, many don’t do it.” The survey goes on to report that only 24% say classifying the business value of data is part of their security policies, 68% classify their data by risk level at least periodically, and 30% don’t ever classify their data. Continental Airlines has a three-tier classification scheme: Tier One is anything that keeps planes aloft or money coming in; Tiers Two and Three are data that is still important, but not critical to revenue or safety.

JEFF – FRCP
JEFF WILL TAKE PII/PHI

MICHAEL – FISMA AND MDM

FISMA – Federal Information Security Management Act – The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation.

MDM – Master Data Management – Organizations must understand that improving their data, and building the foundation for MDM, requires them to address internal disagreements and broken processes. Staff must agree on exactly what constitutes a "customer" or a "partner," and how to resolve any disagreements across business units. Departments and divisions need to agree on hierarchies of customers and products and on how to resolve duplicate records across sources. Rather than a technology-focused effort, the project becomes one of political strategy and consensus building (Tony Fisher, “Demystifying Data Management”, CIO Magazine, April 2007).

A key element of data management is tiered storage: placing the more current, valuable data on high-end, highly accessible storage solutions, while storing the lower value, older data on lower cost storage solutions:

Operational – Documents used for daily transactions.
Reference – Information occasionally checked for reference.
Archive – Information you don’t need regularly.
JEFF – DISS standards for destruction
JEFF – YES, this is definitely applicable to eDiscovery, but it is the basis for all information management and applicable to any business. Reduce costs through proper management of your information and its relevance to your business. This is a public domain tool.
JEFF – Focus on trust and how data has been misused: from predicting weather events with massive amounts of data, trusting that the storm will not hit when it does, to the market, services and the daily movement of information.
MICHAEL

Flawed decision support brought about by the exclusion of certain data or information, such as data from systems or applications at newly acquired organizations, or by duplication of data or information.

Legal exposure resulting from an opposing attorney uncovering email that should have been deleted and of whose existence your General Counsel had no knowledge.

What is the performance impact of not archiving data on your primary system? How about the duration and cost of the daily backup process? How do the costs of the different storage options differ, and do you have a strategy for storing the less frequently accessed data on the least costly storage medium?

Regulatory compliance – are you monitoring access to your sensitive data so as to be able to identify a breach? California now has a 5 Day Breach Disclosure requirement, and Massachusetts requirements include: encryption of personal data stored on portable devices and while transmitted; conducting reasonable monitoring of systems in an effort to spot unauthorized activities; installing firewalls, operating system patches and client-level security tools that are reasonably up to date on all systems; developing a comprehensive data-security program that sets internal policies and specifies disciplinary measures for employees who violate them; and inventorying all electronic and paper records to identify the ones that contain personal data.

Has your organization classified its data, including the sensitive and critical data? Have provisions been made for resilience of the systems containing the critical data, such as provided by a DRP, and have standards and policies been enacted to ensure the protection of data classified as ‘sensitive’? Is there a Security Policy that more broadly requires and provides the resources for said standards, policies and associated procedures?
MICHAEL

The origins of master data management lie in the single computer resource known as the mainframe, supporting all the applications and data files. Then came relational databases, and the associated data redundancy predated data normalization. This was fairly minor until the introduction of the personal computer and distributed computing – the client server environment. Everyone was their own administrator of their computer and frequently of a relational database management system, or RDBMS as it was known. Multiple RDBMS in multiple lines of business resulted in multiple instances of the same piece of data called by different names.

The first driver of MDM – the ability to rationalize the definitions and meanings of commonly used business terms and concepts, while still being able to differentiate when two seemingly similar terms mean different things. The move to ERP applications such as SAP R/3 seems to be a move back towards the centralized model that was represented by the mainframe in the 1980s.

Mis-configured data marts and warehouses.
Improperly constructed Crystal reports and SQL queries.
eBOMs – labor rates for labels on CDs led to a misstatement of cost.
MICHAEL

Computerworld article “Wall Street crisis brings lax e-discovery law enforcement to light” by Lucas Mearian, January 14, 2009. This slide basically tells us that the laws are on the books, they just need to be enforced. This will change as organizations continue to lose private and proprietary data.
MICHAEL

Addressing data at rest frequently involves encryption.

FRCP: INTEL/AMD – If you put a policy in place you had better be able to demonstrate compliance and enforcement when the policy is not followed. Let Jeff step in with more details. The cost of non-compliance is significant, averaging $50 per record by some estimates and up to $60 per record by others.
MICHAEL

Here is just a sample of the various regulations with which many of our organizations must comply. Consider that each state seems to have its own disclosure laws beyond the national and international regulations. While enforcement may have been lax in the past, recent system breaches and the economic crisis will likely lead to tougher enforcement of the existing laws. How can any organization accomplish compliance with the 44+ state and federal regulations/statutes without a data classification scheme that identifies where personal or private data resides – data on customers, vendors and employees?
MICHAEL

An example of the evolving regulatory landscape: no longer just talking about generalities, but about specific techniques and controls for managing these information systems. Periods of disclosure are shortening. Disclosure can lead to business closure.

Massachusetts law requirements include: reviewing the scope of security measures at least annually; regularly monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal information; immediately terminating both the physical and electronic access of terminated employees; taking all reasonable steps to verify that any third party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service providers are applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.
JEFF

System performance is slowed by the vast amounts of data that have to be parsed to respond to queries. High availability storage media, such as the kind used to store your most current and valuable data, is also the most expensive medium. Costs can be reduced by archiving ‘older’ data to less expensive media such as tape.
JEFF

Storage containers and media. Storage media – is it write once only? Federal requirements, or FISMA for moderate and high impact federal systems.
Security of data at rest? Security of data backed up onto tape.
Environmental security of storage media both in the data center and at the offsite storage facility – do you assess these controls at the offsite facility?
How are tapes secured while in transit to the offsite? Is it a carrier that specializes in tape transport? Annual inventory of offsite tapes?
How are tapes controlled between locations? What are the risks of employees transporting tapes offsite? Tapes and laptops stolen from employee vehicles…
MICHAEL

Intrinsic value of data. Garbage in, garbage out – GIGO. Data management can establish data standards and valid values that reduce GIGO.
What about the reliability of your storage media? How do you monitor and ensure you have a good backup – periodic testing of backups? Replacement of tapes periodically?
How do you manage flash memory and thumb drives: protecting data in case of loss, preventing viruses?
MICHAEL

So we’ve talked about protecting your data; just in case there are any questions about the vulnerability of your or any organization’s data to a breach, take a look at the link on this page. Yet more disclosure laws – 44+, FISMA, HIPAA, etc.
POLL THE AUDIENCE ON WHO HAS CLASSIFIED DATA AND THE CLASSIFICATIONS THEY ARE USING
MICHAEL/JEFF

Document / Data Classification Description – Bring up template – Information System Categorization (formula for creating the classifications).

Organization Critical – Highly sensitive internal documents, e.g. pending mergers or acquisitions, investment strategies, plans or designs, that could seriously damage the organization if such information were lost or made public. Has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

Highly Confidential – Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations (accounting information, business plans, sensitive customer information of banks, solicitors and accountants etc., patients' medical records and similar highly sensitive data). Such information should not be copied or removed from the organization’s operational control without specific authority. Security at this level should be very high.

Proprietary – Information of a proprietary nature: procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for proprietary use by authorized personnel only. Security at this level is high.

Internal Use Only – Information not approved for general circulation outside the organization, where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility. Examples would include internal memos, minutes of meetings and internal project reports. Security at this level is controlled but normal.

Public Documents – Information in the public domain (annual reports, press statements etc.) which has been approved for public use. Security at this level is minimal.
MICHAEL

Executive management must be on board to ensure you receive the support you need from those locations outside of HQ. The business case is productivity improvements realized through the associated initiatives and improving the organization’s ability to respond quickly to business opportunities.

Selling the benefits – improving data quality, reducing the need for cross-system reconciliation, reducing operational complexity and simplifying design and implementation: (1) Master metadata simplifies application development. A master metadata repository captures the whole story of a data element’s use, instead of how it is used in a single application, such as how data elements are used for different business purposes. (2) Simplify or otherwise standardize the process for uniquely identifying a data record across the enterprise instead of by application. (3) Define and standardize across the enterprise many different kinds of master data services.

Identification of stakeholders, which will include senior management, clients, application owners, information architects, data governance and data quality practitioners, metadata analysts, system developers and operations staff.

Understanding the business needs is required both to cost justify MDM and to integrate it into the existing application-centric data management.

RACI – Responsible (those who do the work), Accountable (signs off on R), Consulted and Informed.

Governance of MDM – Oversight of master data involves the testing and, where needed, re-establishment of data quality.
MICHAEL

Metadata registry and management – All aspects of determining the need, planning, migration strategy and future state require a clarified view of the information about the data that is used within the organization – its metadata. A metadata registry provides a control mechanism, or perhaps even a “clearing house”, for unifying a master data view when possible, as well as helping to determine when that unification is not possible.

Assessment to identify data sets, primary and foreign keys, implicit relational structure and embedded business rules.

Integration of existing master data such as person names, addresses, telephone numbers, product descriptions, etc., using tools to resolve the variations in representation of specific entities from disparate data sources.

Assurance – MDM requires a high degree of confidence in the quality of the master data moving forward. Auditing and monitoring compliance with defined data quality standards, coupled with effective issue response and tracking, along with strong stewardship within a consensus-based governance model, will ensure ongoing compliance with data quality objectives.

Project Plan – RACI next step: identify task dependencies, interdependencies and the order of work.
JEFF? DON’T FORGET TO USE HYPERLINKS

Multiple perspectives
JEFF

Message Gate is one example of a tool that can be used to manage data leakage.
Support tools that can be used to determine the classification of data are provided at no cost by the federal government through NIST.
NIST SPECIAL PUBLICATION 800-30 – RISK ASSESSMENT PROCESS DEFINED
MICHAEL

Each organization knows how to use the data required for its business processes, but very few look beyond meeting their day-to-day activities. During the next few slides we will examine the requirements referenced here. We’ll talk about things like the availability of data across the enterprise, and syntax and format in things like context-sensitive help, or a drop-down from which you must select a state if the country selected was the United States.
MICHAEL

We talked some already about the cost of disclosure of private data and now we want to turn to the value of the data itself. Does information empower us to do things differently? You bet. Data can identify fraud and abuse, or un-served or forgotten customers from which profit can be realized. Proper management of data in the form of classification enables us to minimize the cost of compliance through knowing where and in what forms private data is stored as well as transmitted, minimizing the cost of regulatory drivers.
MICHAEL?

We talked, in the Ten Most Critical Requirements for managing data, about the importance of executive management buy-in and sponsorship. We mentioned having a team to establish Information Lifecycle Management, or ILM, but also on-going governance of data management. A records coordinator would be a critical member of such a team. Another key aspect of retention schedules is to incorporate those requirements, or said schedule, into the BCP and DRP to ensure continuance of regulatory and operational compliance.
JEFF – PUBLIC SCHOOL EXAMPLE – IDENTITY THEFT VULNERABILITY. NASA BY OIG.
MICHAEL

If there was a disaster on the last day of the month, would your organization still be able to report its financials on time to the SEC? Does your infrastructure have the capacity to take on additional data, such as what might be required to integrate another organization into your own? Do you have a sufficient number of individuals designated as authorized to declare a disaster, so the loss of one does not preclude the company from restoring at the recovery site? The storage or archival of data needs to be in a format that will be readable for at least as long as the retention schedule specifies.
MICHAEL

Views of data – different views for different people based upon their responsibility. Online – what the user sees online may depend on whether they are a third party order taker, a vendor or a customer; Amazon as an example. Classification – do electronic and hardcopy forms of documents and information clearly state how the document or information is classified?
MICHAEL

Does your organization have a central data dictionary for data across applications and locations, specifying its characteristics such as length, type and its classification? What level of security is required, where can it be stored (thumb drives?) and does it need to be encrypted when transmitted? The above improves both efficiency and effectiveness, from both an operational and a regulatory perspective.
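As an added example (not from the presentation), this is what such a central data dictionary can look like in code: each element carries its syntax rules (type, maximum length, valid values or pattern), the conditional rule from the notes (a state must be selected when the country is the United States) and its classification, from which the storage and transmission controls follow. Element names, rules, classification assignments and the control mapping are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Classification levels from the deck's template, lowest to highest.
LEVELS = ["Public", "Internal Use Only", "Proprietary",
          "Highly Confidential", "Organization Critical"]

# Handling controls per level (constructed mapping for this example).
HANDLING = {
    "Public":                {"encrypt_in_transit": False, "thumb_drive_ok": True,  "watermark": False},
    "Internal Use Only":     {"encrypt_in_transit": False, "thumb_drive_ok": True,  "watermark": True},
    "Proprietary":           {"encrypt_in_transit": True,  "thumb_drive_ok": False, "watermark": True},
    "Highly Confidential":   {"encrypt_in_transit": True,  "thumb_drive_ok": False, "watermark": True},
    "Organization Critical": {"encrypt_in_transit": True,  "thumb_drive_ok": False, "watermark": True},
}


@dataclass(frozen=True)
class Element:
    """One data dictionary entry: syntax rules plus classification."""
    name: str
    classification: str
    max_length: int
    pattern: Optional[str] = None                          # whole value must match
    allowed: Optional[frozenset] = None                    # valid value set
    required_if: Optional[Callable[[dict], bool]] = None   # presence rule


# Constructed dictionary entries (hypothetical elements, not the deck's own).
DICTIONARY = {
    "customer_id": Element("customer_id", "Internal Use Only", 7,
                           pattern=r"C\d{6}", required_if=lambda r: True),
    "country": Element("country", "Internal Use Only", 2,
                       allowed=frozenset({"US", "CA", "GB"}), required_if=lambda r: True),
    # The drop-down rule from the notes: a state must be chosen for US records.
    "state": Element("state", "Internal Use Only", 2,
                     allowed=frozenset({"MO", "CA", "NY"}),
                     required_if=lambda r: r.get("country") == "US"),
    "email": Element("email", "Proprietary", 254, pattern=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "ssn": Element("ssn", "Highly Confidential", 11, pattern=r"\d{3}-\d{2}-\d{4}"),
}


def check_value(element, value):
    """Return a problem description for one value, or None if it is valid."""
    if not isinstance(value, str):
        return "must be a string"
    if len(value) > element.max_length:
        return f"exceeds maximum length {element.max_length}"
    if element.allowed is not None and value not in element.allowed:
        return "not a valid value"
    if element.pattern and not re.fullmatch(element.pattern, value):
        return "does not match required syntax"
    return None


def validate_record(record):
    """Check every supplied value and every conditional presence rule."""
    problems = []
    for name, value in record.items():
        element = DICTIONARY.get(name)
        if element is None:
            problems.append(f"{name}: not defined in the data dictionary")
            continue
        problem = check_value(element, value)
        if problem:
            problems.append(f"{name}: {problem}")
    for name, element in DICTIONARY.items():
        if element.required_if and element.required_if(record) and not record.get(name):
            problems.append(f"{name}: required for this record")
    return problems


def classify_record(record):
    """A record is as sensitive as its most sensitive populated element."""
    present = [DICTIONARY[n].classification for n, v in record.items()
               if n in DICTIONARY and v]
    return max(present, key=LEVELS.index, default="Public")


def handling_for(record):
    """Controls that apply when storing or transmitting this record."""
    return HANDLING[classify_record(record)]


# Constructed sample records.
GOOD_RECORD = {"customer_id": "C000123", "country": "US", "state": "MO",
               "email": "jane@example.com"}
BAD_RECORD = {"customer_id": "C123", "country": "US",
              "email": "not-an-email", "ssn": "123456789"}
```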
JEFF

Business definitions – Look at the business terms used across the organization and their associated meanings.
Reference metadata – Details data domains (both conceptual domains and corresponding value domains) as well as reference data and mappings between codes and values.
Data element metadata – Focuses on data element definitions, structures, nomenclature, and determination of existence along a critical path of a processing stream.
Information architecture – Coagulates the representations of data elements into cohesive entity structures, shows how those structures reflect real world objects, and explores how those objects interact within business processes.
Data governance management – Concentrates on the data rules governing data quality, data use, access control, and the protocols for rule observance (and processes for remediation of rule violations).
Service metadata – Looks at the abstract functionality embedded in and used by the applications and the degree to which those functions can be described as stand-alone services, along with the mapping from service to client applications; and at the top of the stack,
Business metadata – Captures the business policies that drive application design and implementation, the corresponding information policies that drive the implementation decisions inherent in the lower levels of the stack, and the management and execution schemes for the business rules that embody both business and information policies.
Data Management - NA CACS 2009
Michael Berardi, MS-CIS, CISA
IT Audit Manager
Energizer Holdings, Inc.
Jeffrey Roth, CISA, CGEIT
Director, Technology Risk Management Services
ACRONYMS TO KNOW
ILM – Information Lifecycle Management
ICM – Information Classification and Management
FRCP – Federal Rules of Civil Procedure
PII/PHI – Personally Identifiable Information / Protected Health Information
FISMA – Federal Information Security Management Act
MDM – Master Data Management
TERMINOLOGY AND FOUNDATION FOR RECORDS MANAGEMENT
• DISS Destruction standards
– Degaussing (NIST)
– Physical destruction methods
• Records management
• Business records life cycle
• Active data
• Sedona Conference
THIS IS THE END GAME
It has been said that “information is power,” and they who control the information control the power. Whether the information is broadcast on the evening news, printed in a newspaper, etched on stone tablets, or published on a USENET newsgroup or Internet Web page, we rely on information in our daily lives, and trust that most of the information we receive and process is accurate.
Information Warfare and Security, Dorothy E. Denning, ISBN 0-201-43303-6, Addison-Wesley, 1999. Originally published in Cisco's The Internet Protocol Journal, September,
FLAWED DECISION SUPPORT
Origins of Master Data Management
• Mainframe
• Personal Computer and RDBMS
• ERPs – SAP R/3
Visibility across applications and the organization
• Financials
• Customers
• Employees
LEGAL EXPOSURE OR OVER-
“Wall Street Crisis brings lax e-discovery law enforcement to light”, Jan 14, 2009
• Only 10-15% of US corporations have electronic records retention systems in place according to Gartner Inc as quoted
• Debra Logan of Gartner went on to say “We need to have people in charge of managing information for the entire company. Today, everyone’s expected to manage their own data”
• Federal Rules of Civil Procedure or FRCP
How Big is the
• Headlines tout compliance allegations
• FRCP: Intel/AMD
• FRCP: Morgan Stanley
• FRCP: General Motors
• SEC: UBS Securities
• SEC: Bank of America
• HIPAA: Providence Health & Services
• HIPAA: UCLA Health Systems
• SOX: New government whistle-blower’s hotline
• Cost = several thousand dollars to millions
– Providence Health & Services: $100,000 settlement
– Morgan Stanley: $15 Million fine
We must address our data at rest and in transit. The time for sitting on the side-lines has long past and the solutions are readily available to both control and monitor data flow from our organization.
• Massachusetts State Regulations
– Encrypt personal data on portable devices or being transmitted on public or via wireless networks
– Deploy secure user authentication and access control measures and conduct “reasonable” monitoring of systems in an effort to spot unauthorized activities
– Develop a comprehensive data-security program that sets internal policies and specifies disciplinary action
– Inventory all electronic and paper records to identify the ones that contain personal data
COST – STORAGE AND PERFORMANCE?
Other costs
• Environmental considerations
– Location – Floods, Hurricanes, Earthquakes
• Storage containers
• Storage media
• Physical and logical security
• In transit and at rest
– Creation of data has intrinsic risks
• Data entry error (yes, even hand-written documents)
• Data garbling during on-line entry
– Media degradation
– Flash Memory
SECURITY – BREACH AND
• List of security breaches – do you want to see your company’s name on this list?
• Oregon law for Oregon employers of Oregon
– Designate a security officer
– Conduct a risk assessment
– Assess safeguards to manage risks
• HIPAA – Within 60 days
SO WE NEED IT, NOW WHAT?
FIRST STEP – CLASSIFY DATA
CLASSIFICATION – YOU CANNOT MANAGE WHAT YOU
Internal Use Only
TEN MOST CRITICAL REQUIREMENTS FOR MANAGING DATA
Obtain executive management sponsorship
Identify and interview the stakeholders
Understand the business requirements
Develop a Project Charter and RACI
Governance of MDM
Metadata registry and management
Integration of existing data
CONSIDERATIONS IN CREATING DATA CLASSIFICATIONS
• Multiple perspectives
• Business requirements
– Time to recovery
(Figure: Advancing Storage & Information Technology – SNIA – Educational)
• Tagging files by classification name
• Automated classification tools
• Availability, confidentiality, proprietary?
• National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 199 and Special Publication SP 800-60 volumes I and II
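The FIPS 199 / SP 800-60 categorization cited on this slide, which the speaker notes call the formula for creating the classifications, is a high-water mark over the information types a system handles: each type gets a LOW, MODERATE or HIGH impact for confidentiality, integrity and availability, the system takes the highest level per objective, and the overall category is the highest of the three. The following is an added example, not from the deck or from NIST; the information types and their impact levels are constructed for illustration rather than taken from SP 800-60.

```python
from dataclasses import dataclass, replace

# Impact levels, lowest to highest. FIPS 199 permits "NA" (not applicable)
# only for the confidentiality of an information type, e.g. public data.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{self.name}: NA is only valid for confidentiality")


def adjust_impact(info_type, objective, new_level, rationale):
    """SP 800-60 lets a provisional level be raised or lowered, but only with
    a documented rationale; return the adjusted copy (re-validated)."""
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown security objective {objective!r}")
    if not rationale.strip():
        raise ValueError("an impact adjustment needs a documented rationale")
    return replace(info_type, **{objective: new_level})


def high_water_mark(levels):
    """The FIPS 199 high-water mark: the highest impact level present."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types):
    """Per-objective and overall security category of an information system."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        level = high_water_mark(getattr(t, objective) for t in info_types)
        # A system is never NA: FIPS 199 sets a low-water mark of LOW.
        category[objective] = "LOW" if level == "NA" else level
    category["overall"] = high_water_mark(category[o] for o in OBJECTIVES)
    return category


def security_category(info_types, system_name="system"):
    """Render the result in the SC notation used by FIPS 199."""
    c = categorize_system(info_types)
    triples = ", ".join(f"({o}, {c[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{triples}}}"


# Constructed sample information types for a financial reporting system
# (illustrative values, not SP 800-60 provisional levels).
FINANCIAL_SYSTEM = [
    InfoType("Employee payroll records (PII)", "MODERATE", "MODERATE", "LOW"),
    InfoType("Month-end financial close data", "MODERATE", "HIGH", "MODERATE"),
    InfoType("Published annual report", "NA", "LOW", "LOW"),
]
PUBLIC_WEB_SITE = [InfoType("Press releases", "NA", "LOW", "LOW")]


def categorize_with_sec_deadline():
    """Raise availability of the close data: if a disaster falls on the last
    day of the month the financials must still reach the SEC on time."""
    close_data = adjust_impact(FINANCIAL_SYSTEM[1], "availability", "HIGH",
                               "month-end financials must be filed with the SEC on time")
    return categorize_system([FINANCIAL_SYSTEM[0], close_data, FINANCIAL_SYSTEM[2]])


if __name__ == "__main__":
    print(security_category(FINANCIAL_SYSTEM, "financial-reporting"))
    print(security_category(PUBLIC_WEB_SITE, "public-web-site"))
    print(categorize_with_sec_deadline())
```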
DATA AND YOUR OPERATIONS
• Defined data
– Context of data
– Syntax and format
– Presentation
– Protection
PROTECTION – POWER WITH NO
• If information is power, then do we treat it as a key asset?
• Based on classification we can implement incremental security controls in line with data value.
• Regulatory drivers (GLBA, HIPAA, EU Privacy
• What about hardcopy data?
• Locations of output/presentation devices (printers, CRT/LCD screens,
• Protection in transit and at rest (cover sheets, encryption, etc.)
• Brakes are what enable a race car to go fast
• How long is long enough?
– Federal agencies and their contractors must follow National Archives standards
– Corporate regulations require varied
– Investigations and litigation: however long it takes, and then some. Courts and lawyers will set these requirements
• Based on classification (internal and regulatory) a records coordinator position should be established to train the management team, maintain policies related to records management, and monitor records retention activities (creation through destruction).
• Part of Business Continuity and Disaster Recovery
Many forget that hard drives must be properly destroyed prior to disposal (reference National Association for Information Destruction)
• Expectations
– Proper EPA permits and certifications
– Hard drives are identified by serial number and are stored in secure, uniquely numbered containers in a secure storage area prior to shredding.
– Immediately prior to shredding, the number of hard drives in each container is counted and matched against the original physical inventory count.
– The start and finish time of each shredding project
• Expectations (continued)
– The shredded particles are sent through a powerful degaussing station providing the ultimate in data destruction security.
– The shredded particles for each destruction project are weighed. The particles are placed in a uniquely numbered large recycling container.
– Record the lots and their weights contained in each
– The filled containers are weighed and sent to metal refineries. We receive a destruction certificate from the refiners listing the unique container number and its weight.
• Do not forget: shredding of sensitive hard copy documents, photos, and other records must provide assurance that this data cannot be reconstructed by
• Tapes, CDs, floppies, and flash memory need to be
AVAILABILITY – DAY LATE AND A DOLLAR SHORT
• If data cannot be accessed in a timely manner it is of little or
• What controls are in place to ensure the following:
– Ability to access required documents and electronic data feeds for month end closing, sales meetings, customer
– Infrastructure capable of providing data per service level
– Off-site storage services provide adequate access to archived documents, tapes, and other records
– Legacy system data able to be accessed through software
• This is an often forgotten part of data management.
• During development of data extract programs, end user considerations are not adequately addressed, resulting in additional design of proper data formatting and
– Would we give the same Trade Accounts Payable report to the CFO as to the AP clerk?
– How about on-line display for customers and suppliers?
– Do electronic and hardcopy reports have proper watermarking per data classification requirements?
SYNTAX AND FORMAT
• A corporate data dictionary with the organization’s data syntax rules, data classification scheme and security
• This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalizing information systems resources to appropriately match
PO2 Define the Information Architecture
• Business definitions
• Data element metadata
• Data governance management
• Business metadata
SECURITY AND DATA CENTER
• Do you know where your sensitive data is?
– In SAP R/3
– In Oracle
– In Peoplesoft
– In JD Edwards
– On the backup tape stolen or lost in transit
• What is being stored on laptops, memory
sticks and backup hard drives?
DATA MANAGEMENT SUMMARY
• Significant risk factors organizations face daily
• Qualitative and quantitative for data management being a
• The ten most critical requirements for managing data
• Considerations for creating data classifications
• Regulatory requirements and data availability
• Security and environmental data concerns
• MASTER DATA MANAGEMENT by David Loshin of Knowledge Integrity, Inc., Morgan Kaufmann OMG Press, copyright 2009
• “Records Retention: Practice What You Preach” by Andrew Conry-Murray, June 7, 2008
• Computerworld: “Wall Street crisis brings lax e-discovery law enforcement to light” by Lucas Mearian, January 14, 2009
• Network World: “Data-classification best practices” by Bill Reed, January 18, 2007
• CIO Magazine
• CFO Magazine
• Sun Microsystems White Paper, “Best practices in data classification of information lifecycle management”, October 2005
QUESTIONS AND COMMENTS?
JEFF ROTH, CGEIT, CISA
Director Technology Risk Management Services
Michael Berardi, MS-CIS, CISA
IT Audit Manager
Energizer Holdings, Inc.