9. Securing Your ESI
• ESI Overview
– Electronically Stored Information (ESI)
• Defined for the federal rules of civil procedure (FRCP):
– Information created, manipulated, communicated, stored,
and best utilized in digital form, requiring the use of computer
hardware and software.
» http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
• Structured ESI
– Stored in database or content management systems.
» Examples: Claims, Brokerage / e-Commerce Transactions
• Unstructured ESI
– Free-form information stored in a manner that is difficult to
search within.
» Examples: Tweets, Web Site Content, Word Document Content
10. Securing Your ESI
• Security Overview
– CIA Triad
• Confidentiality
– Categorization / Classification
– Privacy
– Least Privilege
– AAA: Authentication, Authorization and Accounting
• Integrity
– Nonrepudiation
– Segregation / Separation of Duties
• Availability
– Business Continuity (BC) / Disaster Recovery (DR)
– Defense-in-Depth
12. Securing Your ESI
• Vendor Selection
– Service-Level Agreements (SLAs)
• Temporal Service Contract
– Term
– Metrics
– Definitions
– Cause for X (e.g. Termination / Exit Clause)
– Certifications / Attestations
• SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402
• ISO 27001 / 2, 27036, 15489
• BITS Shared Assessments
• PCI DSS
• HIPAA / HITECH
13. Securing Your ESI
• Vendor Selection
– Incident Response
• Computer Security Incident Response Team (CSIRT)
– Digital Forensics
• Legal Hold / Litigation Response / e-Discovery
– Electronic Discovery Reference Model (EDRM)
– FRCP 30(b)(6)
– Right to Audit
• Use your internal vendor assessment team or a mutually
agreed upon third party.
14. Securing Your ESI
• Mobile Device Security Guidance
– Devices
• Not all devices are the same.
• Balancing Act (Draconian versus Cow-folk)
– People lose stuff all the time.
• Who owns the device?
– Bring Your Own Device (BYOD) = consumerization of IT
• Is device content discoverable?
• Vicarious Liability
– Driving & Texting / Talking
– Mobile Device User Acceptance Policy
– Applications / Data
• Not all applications are the same.
• Segment Work & Play
– Sandboxing / Data-boxing
– Mobile Facebook App Pulls / Pushes Data to Address Book
15. Securing Your ESI
• Physical Media Security Guidance
– Laptops / Tablets
• They should be password-protected / encrypted.
• Wipe / degauss hard disk drive (HDD) before shredding.
• Receive a certificate / bill of lading for shredding.
– Thumb Drives / External Hard Drives
• They should be password-protected / encrypted.
• Wipe / degauss before shredding.
• Receive a certificate / bill of lading for shredding.
– Backup Tapes
• They should be in your records retention schedule (RRS).
• Information Lifecycle
• They should be password-protected / encrypted.
• Wipe / degauss before shredding.
• Receive a certificate / bill of lading for shredding.
17. Securing Your ESI
• Big Data Security Guidance
– Information Management
• Generally Accepted Recordkeeping Principles (GARP®)
• Information Governance Reference Model (IGRM)
• Information Lifecycle Management (ILM)
• MIKE2.0
• ISO 23081 (Records Metadata)
– Known Black Ice
• Log Files
• Web Metadata
• Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL)
• Data Backups (Tapes, Cloud Object Storage)
• Social Media
18. Securing Your ESI
• Social Media Security Guidance
– Sites
• Manage (Strategy, Policy, Access, Auditing, e-Discovery)
• Strong Passwords
• Change / Configuration Management
– Provisioning / De-provisioning
• Haters (Competitors, Former Employees / Customers)
• Wash & Repeat
• Mobile Apps for Approved Personnel?
– Applications
• Immature
• Insecure
• Discoverable?
19. Securing Your ESI
• Security Tips & Tricks
– Governance, Risk & Compliance (GRC)
– Encryption / Hashing
– Authentication, Authorization & Accounting (AAA)
– Change / Configuration Management
– Incident Response / e-Discovery / DR Testing
– Physical Access
– End User Training
20. Securing Your ESI
• GRC
– Documented controls and safeguards.
• Potential audit findings and remediation actions.
– Enterprise view of compliance.
• Potential functional / system / application view as well.
– Establish standards, best practices and guidance.
• Make users, vendors and partners aware of these.
21. Securing Your ESI
• Encryption / Hashing
– Data at Rest (DAR)
• Object (File, Table, Record, Column), Volume or Block
– Data in Motion (DIM)
• ‘Across the Wire’, Data-com Link
– Data in Use (DIU)
• Object (File, Table, Record, Column), Volume or Block
22. Securing Your ESI
• Encryption / Hashing
– Nuances
• Encryption wraps a layer of protection around your
information.
– Public Key Infrastructure (PKI): VPN, TLS / SSL, S / MIME, WPA
• Hashing re-arranges the bits per the program.
– Database Hashing: HMAC SHA 1 / 2 / 3, MD5
– Key Management
• If you lose the encryption key then your data is lost.
– Try telling Legal, a judge or an attorney that!
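Added example (not from the original deck) showing the slide's "database hashing" and key-management points in code: a keyed HMAC-SHA256 tag over a claims record detects tampering, an unkeyed digest does not, and without the key even an untouched record can no longer be verified. The record, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample row: a "claim" as an example of structured ESI.
RECORD = {"claim_id": "C-1001", "payee": "ACME Corp", "amount": "1250.00"}


def canonical(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, unit-separator between fields)
    so the same logical record always hashes to the same bytes."""
    return "\x1f".join(f"{k}={record[k]}" for k in sorted(record)).encode()


def unkeyed_digest(record: dict) -> str:
    """Plain SHA-256: integrity against accidental corruption only, since
    anyone who can edit the row can also recompute this value."""
    return hashlib.sha256(canonical(record)).hexdigest()


def record_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the record: only holders of the key can produce it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(record_tag(record, key), tag)


def main() -> None:
    key = secrets.token_bytes(32)  # stand-in for a key held in your KMS
    tag = record_tag(RECORD, key)
    assert verify_record(RECORD, tag, key)                 # untouched row passes

    tampered = dict(RECORD, amount="12500.00")
    assert not verify_record(tampered, tag, key)           # edited row fails
    # the unkeyed digest offers no such protection: it is simply recomputed
    assert unkeyed_digest(tampered) != unkeyed_digest(RECORD)

    lost_key = secrets.token_bytes(32)                     # original key gone
    assert not verify_record(RECORD, tag, lost_key)        # nothing verifies now
    print("tag:", tag)


if __name__ == "__main__":
    main()
```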
23. Securing Your ESI
• AAA
– Authentication
• Validating who the user is claiming to be.
– Authorization
• Allocating the lowest privilege for the user.
– Accounting
• Tracking the user’s actions.
24. Securing Your ESI
• Identity & Access Management (IAM)
– Single Sign-on (SSO)
• Allows User to Gain Access to Multiple Systems / Apps
– Negates password fatigue.
• Implementations
– Externally
» One-time Password (OTP) / Tokenization
» Federated Identity / Tokenization
» Smart Card / Two Factor Authentication (2FA)
» Remote Authentication Dial-In User Service (RADIUS)
– Internally
» Kerberos
» Lightweight Directory Access Protocol (LDAP)
25. Securing Your ESI
• IAM Technologies
– Federated Identity
• OpenID
• OAuth
• Security Assertion Markup Language (SAML)
• Web Services – Trust Language (WS-Trust)
• Representational State Transfer (REST)
• Active Directory Federation Services (ADFS)
– Microsoft Federation Gateway (MFG)
27. Securing Your ESI
• Password Tips & Tricks
– Use a password.
– Create a strong password / PIN.
• Alphanumeric with at least one uppercase letter, one
lower-case letter, one number & one special character.
• No dictionary words, SSNs, kids, pets, DOBs or address.
• No usernames.
• Use different passwords for different accounts.
– Protect it.
• Use a password book if necessary.
– Change it.
• Semi-annually
28. Securing Your ESI
• Change / Configuration Management
– Process
• Cost, GRC & Quality are huge drivers for:
– Software Development Lifecycle (SDLC)
– Project Management Office (PMO), Project Portfolio Mgmt (PPM)
– Lean / Six Sigma, ISO 9000, CMMi
– Provisioning / De-provisioning
• On-loading / Off-loading
– Profit Centers / Business Units / Functions
– Data
– Applications
– Vendors / Partners
– Customers
• Periodic Reviews of Processes & Accounts
29. Securing Your ESI
• Incident Response / e-Discovery / DR Testing
– Practice makes perfect.
• Wash & Repeat
– Crawl Walk Run
• Crawl: Internal Tabletop Testing
• Walk: Internal Exercise, “cause you have nothing better
to do on a Saturday”.
• Run: Incorporate Vendors, Partners & Customers
30. Securing Your ESI
• Physical Security
– Privacy Screen
– Physical Location & Office Access
– Dumpster Diving
– Lost Hard-copy Reports
31. Securing Your ESI
• End-user Training
– New-hires
• Especially for millennials (IT consumerization).
– Quarterly Computer-based Training (CBT)
• For heavily regulated industries.
– Annual On-site Training
• Be liberal with the swag.
– Pilot new marketing campaigns (logo, tag, brand).
– Educate Your Ecosystem
32. Securing Your ESI
• Take-aways
– Educate Your Ecosystem
– Healthy Dose of Skepticism
– Embrace Change Pragmatically
– Secured Technology is an Enabler
– Privacy is Important Too