Data Classification Presentation

    1. Data Classification & Monitoring: A SOx requirement. Security Awareness Presentation, May 2005. Presented by: Dan Formica, CISM, IT Security Services
    2. Data Classification & Monitoring: Agenda
       • Data Classification & Monitoring
         ◦ WHY
           ▪ Drivers, Goals and Benefits
         ◦ WHAT
           ▪ Process of Data Classification
           ▪ Security Considerations
         ◦ HOW
           ▪ Tools to Help Classify Data
           ▪ Monitoring Tools
           ▪ Processes
       • Q&A
    3. Data Classification & Monitoring: Key Terms
       • Data Classification
         ◦ The process that groups data that possess similar characteristics into categories
         ◦ The value of each sample of data is determined and recorded according to company standards
    4. Data Classification & Monitoring: Key Terms cont’d
       • Monitoring
         ◦ Managing internal control through continuous and point-in-time assessment processes.
         ◦ e.g.
           ▪ client access & violations
           ▪ who has access and do they still require it
    5. Data Classification & Monitoring - The Why: Goals of Data Classification
       • Identify WHAT information exists, and WHO needs it
       • Understand how valuable the information is to each of the individuals, groups and business processes that require it
       • Provide a system for protecting information critical to the organization
    6. Data Classification & Monitoring - The Why: Goals of File Access Monitoring
       • Provide a clear picture of:
         ◦ who accessed data
         ◦ what data was accessed
         ◦ when the data was accessed
       • Provide protection to the Access Reports
       • Provide adequate log retention
       • Minimize the time to create, review and store reports
    7. Data Classification & Monitoring - The Why: Benefits of Data Classification
       • Provide a clear picture of the categories of data that exist in the corporation
       • Enable the design and development of a shared grouping of clients for each category of data
    8. Data Classification & Monitoring - The Why: Benefits of Data Classification cont’d
       • Once Data Classification has been determined, the appropriate control activities can be established
       • Control Activities are the policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out
       • Without reliable information systems and effective IT control activities, public companies would not be able to generate accurate reports
    9. Data Classification & Monitoring - The Why: Benefits of Data Classification cont’d
       • Demonstrate the economic value of data to the business
       • Eliminate misuse or theft of data and reduce the associated costs
       • Comply with:
         ◦ business policies & procedures
         ◦ legislation
    10. Data Classification & Monitoring: The WHAT - Data Classification
       Answering YES to one of the following questions constitutes a requirement to classify data:
       • Is the data considered CONFIDENTIAL to the Company?
       • Does the data fall under PIPEDA?
       • Does the data fall under the Sarbanes-Oxley Act?
       • Does the data fall under HIPAA?
    11. Data Classification & Monitoring: The What cont’d
       • Security Considerations
         ◦ How important is the information?
         ◦ Does it contain personal information?
         ◦ Does it contain customer information?
         ◦ Is it financial data?
         ◦ Who is the data owner?
         ◦ Do the business unit and Internal Audit agree with your assessment of the data?
    12. Data Classification & Monitoring: The What cont’d
       • Data Protection
         ◦ Your data is controlled by granting access to groups
         ◦ Your data is only protected by monitoring who is in the groups
         ◦ Any logon id with supervisory authority to servers can view and change any data (Security personnel and server technicians)
    13. Data Classification & Monitoring: The HOW - Data Classification
       Establish a clear, data-access-related goal:
       • WHO
         ◦ Requires access to data
       • WHAT
         ◦ application, folder, directory
         ◦ business process & role
         ◦ how is the data being used in the organization
       • WHEN
         ◦ frequency
       • WHERE
         ◦ physical data location
       • WHY
         ◦ confidential
         ◦ PIPEDA
         ◦ SOx
         ◦ HIPAA
    14. Data Classification & Monitoring - The HOW: Monitoring Tools
       • Internal Audits
       • Software
         ◦ Real-time surveillance (monitoring access)
         ◦ Monitor Reporting
       • Forensic analysis
         ◦ Security Services ad hoc review
    15. Data Classification & Monitoring - The HOW: Monitoring Tools
       • Software Controls
         ◦ Establish data to be monitored
         ◦ Establish who requires access (need-to-know basis)
         ◦ Arrange for monitoring and reporting
         ◦ Establish alert criteria on unauthorized access
         ◦ Collect, review and file reports (according to company policies)
    16. Data Classification & Monitoring - The HOW: Monitoring example
       • SHARED Folder
         ◦ Dan’s data folder - Install monitoring at this level
           ▪ Access Reports (create new folder)
           ▪ Sensitive doc1
           ▪ Sensitive doc2
           ▪ Sensitive doc3
       • Data access is logged, automatic daily reports are produced, the Owner is emailed a copy of the report, and a copy of the report is stored in Access Reports.
       • Reports are backed up as per server backups.
       • Report retention is under the owner’s control.
    17. Data Classification & Monitoring - The HOW: Monitoring Tools
       • Report on who accessed data
         ◦ Date of incident
         ◦ Time of incident
         ◦ User - who accessed the data
         ◦ Operation - Read, Modify, Delete, etc.
         ◦ Performed on - What data was accessed
         ◦ Remarks - Details on the data access
         ◦ Save the report in a secure area
    18. Data Classification & Monitoring - The HOW: Monitoring Tools
       • Report on who has access to data
         ◦ Obtain an automated report on who has access to your data (who is in the security groups)
         ◦ Receive report weekly (?)
         ◦ Review report
         ◦ Scrutinize all access (temporary employees!)
         ◦ Take action on all redundant access
         ◦ File and protect reports as per standards
    19. Data Classification & Monitoring - The HOW: Processes
       • In order to be able to withstand an audit, you must have a documented process that includes:
         ◦ Identification of data
         ◦ Who will be allowed access to data
         ◦ Who must approve a request for access
         ◦ Verification that only authorized personnel are accessing data (automated reports & alerts)
         ◦ Verification that the authorized list is being monitored
    20. Data Classification & Monitoring: Security Considerations
       • Involve IT Security Services and Internal Audit as early in the process as possible
    21. Data Classification & Monitoring: Security Considerations cont’d
       • IT Security Requirements
         ◦ Authentication
           ▪ Example - WEB applications authenticate against LDAP
         ◦ Access
           ▪ Access to data is on a need-to-know basis
           ▪ Access to sensitive data in Development is protected the same as in Production
         ◦ Ids
           ▪ Generic Ids are not allowed in Production
           ▪ Application Ids must be identified and accounted for
    22. Security Checklist for new applications: Documentation
       • A brief description of what the application entails.
       • How will the application be accessed?
       • Define the process for a client to request access.
       • Define the components required to grant a client access to the application
       • Is the application accessible from the Internet? Does it require SSL?
       • Is there an application administrator? If so, who?
    23. Security Checklist for new applications: Data Classification
       • Classify the data as per Data Classification Standards (confidential if financial or personal)
       • Description of the data that will be accessed
    24. Security Checklist for new applications: Data Ownership
       • Identify the owner (department) of the data to be accessed.
       • Identify the key contact for data ownership questions.
       • Who authorizes or approves access?
    25. Security Checklist for new applications: Access Controls
       • Clear access groups for different roles
       • IT support group must be used by IT support employees only
       • All application logon ids must be documented as to ownership, purpose, and access gained
       • All application ids must be password protected.
    26. Security Checklist for new applications: Access Controls (cont)
       • The effects of changing an application logon id password should be tested and documented.
       • The passwords of application logon ids must be strictly controlled and changed as per security standards (employee termination, etc.)
       • All access is on a need-to-know basis
       • Define the procedure to follow for unauthorized access
    27. Security Checklist for new applications: Monitoring
       • Access logs to capture date, time and logon id of access to the application
       • Timely reports on security violations
       • Define the log retention period and storage of the logs
       • Quarterly reviews of clients with access. Is access still required?
       • What tools are available to examine the logs?
    28. Security Checklist for new applications: Processes
       • A process must be in place to define all of the above issues.
    29. Data Classification & Monitoring - Considerations: Case Study - LAMPS Project
       • Data Classification
         ◦ “LAMPS data is classified as confidential under the Sarbanes-Oxley Act.”
       • Access
         ◦ Business process & approvals
         ◦ Support Team access defined differently for Development and Production
         ◦ Client-defined roles for access
    30. Data Classification & Monitoring: Q & A
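The daily access report that slides 15 to 19 describe, as an added example that is not part of the original deck: it parses constructed audit records in the slide-17 layout, alerts on any access to the monitored folder by a logon id outside the folder's security group (slide 15), and lists group members who made no access in the period as candidates for the redundant-access review (slide 18). The folder path, group roster, user names and log lines are constructed assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "date time user operation target remarks")

# Constructed: the security group allowed into the monitored folder (slide 12:
# access is granted to groups, so the group roster is the authorized list).
AUTHORIZED = {r"\\fileserver\SHARED\Dan": {"dformica", "jsmith", "temp_kwong"}}

# Constructed audit records in the slide-17 layout (date, time, user,
# operation, performed on, remarks).
SAMPLE_LOG = r"""
2005-05-02,09:14:03,dformica,Read,\\fileserver\SHARED\Dan\Sensitive doc1,success
2005-05-02,09:20:41,jsmith,Modify,\\fileserver\SHARED\Dan\Sensitive doc2,success
2005-05-02,11:02:17,srvadmin,Read,\\fileserver\SHARED\Dan\Sensitive doc3,success (server admin)
2005-05-02,13:45:09,rlee,Delete,\\fileserver\SHARED\Dan\Sensitive doc1,denied
"""

def parse_log(text):
    """Parse comma-separated audit lines; the remarks field may contain commas."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split(",", 5)
        if len(fields) == 6:
            events.append(Event(*fields))
    return events

def monitored_folder(target, authorized):
    """Return the monitored folder the target sits under, or None if unmonitored."""
    for folder in authorized:
        if target.lower().startswith(folder.lower() + "\\"):
            return folder
    return None

def build_report(events, authorized):
    """Daily report (slide 16): every access to monitored data, alerts for any
    logon id outside the folder's group (slide 15), and group members who never
    touched the data in the period, for the redundant-access review (slide 18)."""
    entries, alerts = [], []
    seen = {folder: set() for folder in authorized}
    for ev in events:
        folder = monitored_folder(ev.target, authorized)
        if folder is None:
            continue
        entries.append(ev)
        if ev.user in authorized[folder]:
            seen[folder].add(ev.user)
        else:  # alert even on denied attempts: someone outside the group tried
            alerts.append(ev)
    redundant = {f: sorted(authorized[f] - seen[f]) for f in authorized}
    return {"entries": entries, "alerts": alerts, "redundant": redundant}
```

The server-admin read is flagged because, as slide 12 warns, supervisory logon ids can reach any data without being in the group, which is exactly what the owner's review needs to see.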