This document provides an overview and guidance on securing electronically stored information (ESI). It discusses the importance of ESI security due to increasing data breaches and costs. It then covers ESI and security overview topics like the CIA triad and vendor selection. The document concludes with security tips and guidance on topics like encryption, identity and access management, change management, and incident response. The overall document aims to educate readers on securing ESI and provides high-level summaries of best practices.

1. Securing Your ESI
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud
Essentials
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

2. Securing Your ESI
• Presentation Overview
– WI3FM….?
– ESI Overview
– Security Overview
– Security Tips & Tricks

3. Securing Your ESI
• WI3FM
– What is in it for me?
– Why should I care?

4. Securing Your ESI
• Data Breaches & Security Incidents
– Average Cost: $7.2 million
– http://www.networkworld.com/news/2011/030811-
ponemon-data-breach.html
– Leading Cause: Negligence, 41%; Hacks, 31%
– http://www.networkworld.com/news/2011/030811-
ponemon-data-breach.html
– Responsible Party: Vendors, 39%
– http://www.theiia.org/chapters/index.cfm/view.news_detail/
cid/197/newsid/13809
– Increased Frequency: 2010-2011, 58%
– http://www.out-law.com/en/articles/2011/october/personal-
data-breaches-on-the-increase-in-private-sector-reports-ico/

5. Source: Flickr

6. Source: Flickr

7. Source: Flickr

9. Securing Your ESI
• ESI Overview
– Electronically Stored Information (ESI)
• Defined for the federal rules of civil procedure (FRCP):
– Information created, manipulated, communicated, stored,
and best utilized in digital form, requiring the use of computer
hardware and software.
» http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
• Structured ESI
– Stored in database or content management systems.
» Examples: Claims, Brokerage / e-Commerce Transactions
• Unstructured ESI
– Free-form information stored in a manner that is difficult to
search within.
» Examples: Tweets, Web Site Content, Word Document Content

10. Securing Your ESI
• Security Overview
– CIA Triad
• Confidentiality
– Categorization / Classification
– Privacy
– Least Privilege
– AAA: Authentication, Authorization and Accounting
• Integrity
– Nonrepudiation
– Segregation / Separation of Duties
• Availability
– Business Continuity (BC) / Disaster Recovery (DR)
– Defense-in-Depth

11. Source: Flickr

12. Securing Your ESI
• Vendor Selection
– Service-Level Agreements (SLAs)
• Temporal Service Contract
– Term
– Metrics
– Definitions
– Cause for X (e.g. Termination / Exit Clause)
– Certifications / Attestations
• SAS 70 Type II / SSAE 16 (SOC 1 / 2 / 3) / ISAE 3402
• ISO 27001 / 2, 27036, 15489
• BITS Shared Assessments
• PCI DSS
• HIPAA / HITECH

13. Securing Your ESI
• Vendor Selection
– Incident Response
• Computer Security Incident Response Team (CSIRT)
– Digital Forensics
• Legal Hold / Litigation Response / e-Discovery
– Electronic Discovery Reference Model (EDRM)
– FRCP 30(b)(6)
– Right to Audit
• Use your internal vendor assessment team or a mutually
agreed upon third party.

14. Securing Your ESI
• Mobile Device Security Guidance
– Devices
• Not all devices are the same.
• Balancing Act (Draconian versus Cow-folk)
– People lose stuff all the time.
• Who owns the device?
– Bring Your Own Device (BYOD) = consumerization of IT
• Is device content discoverable?
• Vicarious Liability
– Driving & Texting / Talking
– Mobile Device User Acceptance Policy
– Applications / Data
• Not all applications are the same.
• Segment Work & Play
– Sandboxing / Data-boxing
– Mobile Facebook App Pulls / Pushes Data to Address Book

15. Securing Your ESI
• Physical Media Security Guidance
– Laptops / Tablets
• They should be password-protected / encrypted.
• Wipe / degauss hard disk drive (HDD) before shredding.
• Receive a certificate / bill of laden for shredding.
– Thumb Drives / External Hard Drives
• They should be password-protected / encrypted.
• Wipe / degauss before shredding.
• Receive a certificate / bill of laden for shredding.
– Backup Tapes
• They should be in your records retention schedule (RRS).
• Information Lifecycle
• They should be password-protected / encrypted.
• Wipe / degauss before shredding.
• Receive a certificate / bill of laden for shredding.

16. Securing Your ESI
• Cloud Security Guidance
– Change / Configuration Management, Provisioning
– Matrices
• CSA Consensus Assessments Initiative Questionnaire
• CSA Cloud Controls Matrix
• BITS Enterprise Cloud Self-Assessment
• BITS Shared Assessments
– Guidance Specifically for the Cloud
• Cloud Security Alliance (CSA) Guide v3.0
• CSA Security, Trust & Assurance Registry (STAR)
• ENISA Cloud Computing Risk Assessment
• NIST SP 800-144 Guidelines Security / Privacy for a Public Cloud

17. Securing Your ESI
• Big Data Security Guidance
– Information Management
• Generally Accepted Recordkeeping Principles (GARP®)
• Information Governance Reference Model (IGRM)
• Information Lifecycle Management (ILM)
• MIKE2.0
• ISO 23081 (Records Metadata)
– Known Black Ice
• Log Files
• Web Metadata
• Non-Relational, Distributed Databases (NRDBMS, e.g. NoSQL)
• Data Backups (Tapes, Cloud Object Storage)
• Social Media

18. Securing Your ESI
• Social Media Security Guidance
– Sites
• Manage (Strategy, Policy, Access, Auditing, e-Discovery)
• Strong Passwords
• Change / Configuration Management
– Provisioning / De-provisioning
• Haters (Competitors, Former Employees / Customers)
• Wash & Repeat
• Mobile Apps for Approved Personnel?
– Applications
• Immature
• Insecure
• Discoverable?

19. Securing Your ESI
• Security Tips & Tricks
– Governance, Risk & Compliance (GRC)
– Encryption / Hashing
– Authentication, Authorization & Accounting (AAA)
– Change / Configuration Management
– Incident Response / e-Discovery / DR Testing
– Physical Access
– End User Training

20. Securing Your ESI
• GRC
– Documented controls and safeguards.
• Potential audit findings and remediation actions.
– Enterprise view of compliance.
• Potential functional / system / application view as well.
– Establish standards, best practices and guidance.
• Make users, vendors and partners aware of these.

21. Securing Your ESI
• Encryption / Hashing
– Data at Rest (DAR)
• Object (File, Table, Record, Column), Volume or Block
– Data in Motion (DIM)
• ‘Across the Wire’, Data-com Link
– Data in Use (DIU)
• Object (File, Table, Record, Column), Volume or Block

22. Securing Your ESI
• Encryption / Hashing
– Nuances
• Encryption wraps a layer of protection around your
information.
– Public Key Infrastructure (PKI): VPN, TLS / SSL, S / MIME, WPA
• Hashing re-arranges the bits per the program.
– Database Hashing: HMAC SHA 1 / 2 / 3, MD5
– Key Management
• If you lose the encryption key then your data is lost.
– Try telling Legal, a judge or an attorney that!

23. Securing Your ESI
• AAA
– Authentication
• Validating who the user is claiming to be.
– Authorization
• Allocating the lowest privilege for the user.
– Accounting
• Tracking the user’s actions.

24. Securing Your ESI
• Identity & Access Management (IAM)
– Single Sign-on (SSO)
• Allows User to Gain Access to Multiple Systems / Apps
– Negates password fatigue.
• Implementations
– Externally
» One-time Password (OTP) / Tokenization
» Federated Identity / Tokenization
» Smart Card / Two Factor Authentication (2FA)
» Remote Access Dial-In User Service (RADIUS)
– Internally
» Kerberos
» Lightweight Directory Access Protocol (LDAP)

25. Securing Your ESI
• IAM Technologies
– Federated Identity
• OpenID
• OAuth
• Security Assertion Markup Language (SAML)
• Web Services – Trust Language (WS-Trust)
• Representational State Transfer (REST)
• Active Directory Federation Services (ADFS)
– Microsoft Federation Gateway (MFG)

26. Securing Your ESI

27. Securing Your ESI
• Password Tips & Tricks
– Use a password.
– Create a strong password / PIN.
• Alphanumeric with at least one uppercase letter, one
lower-case letter, one number & one special character.
• No dictionary words, SSNs, kids, pets, DOBs or address.
• No usernames.
• Use different passwords for different accounts.
– Protect it.
• Use a password book if necessary.
– Change it.
• Semi-annually

28. Securing Your ESI
• Change / Configuration Management
– Process
• Cost, GRC & Quality are huge drivers for:
– Software Development Lifecycle (SDLC)
– Project Management Office (PMO), Project Portfolio Mgmt (PPM)
– Lean / Six Sigma, ISO 9000, CMMi
– Provisioning / De-provisioning
• On-loading / Off-loading
– Profit Centers / Business Units / Functions
– Data
– Applications
– Vendors / Partners
– Customers
• Periodic Reviews of Processes & Accounts

29. Securing Your ESI
• Incident Response / e-Discovery / DR Testing
– Practice makes perfect.
• Wash & Repeat
– Crawl  Walk  Run
• Crawl: Internal Tabletop Testing
• Walk: Internal Exercise, “cause you have nothing better
to do on a Saturday”.
• Run: Incorporate Vendors, Partners & Customers

30. Securing Your ESI
• Physical Security
– Privacy Screen
– Physical Location & Office Access
– Dumpster Diving
– Lost Hard-copy Reports Source: Amazon
Source: Flickr Source: Flickr

31. Securing Your ESI
• End-user Training
– New-hires
• Especially for milennials (IT consumerization).
– Quarterly Computer-based Training (CBT)
• For heavily regulated industries.
– Annual On-site Training
• Be liberal with the swag.
– Pilot new marketing campaigns (logo, tag, brand).
– Educate Your Ecosystem

32. Securing Your ESI
• Take-aways
– Educate Your Ecosystem
– Healthy Dose of Skepticism
– Embrace Change Pragmatically
– Secured Technology is an Enabler
– Privacy is Important Too

33. • Questions?
• Contact
– Email: steve@ncontrol-llc.com
– Twitter: @markes1, @casdelval2011
– LI: http://www.linkedin.com/in/smarkey