
Sensitive Data Protection Planning


Page 1: Sensitive Data Protection Planning

RIGHT. FROM THE START. Better information, smarter business decisions.

Page 1 © Copyright 2005 Knightsbridge Solutions LLC

Tutorial T1A – Developing a Data Protection Plan for Your Organization

Satya Sachdeva, Senior Principal, Information Management Practice, Hewlett-Packard

March 12, 2008

Page 2: Sensitive Data Protection Planning


Tutorial T1A  –  Developing a Data Protection Plan for Your Organization 

AGENDA - am

• 9:00 – 9:30 am Satya Sachdeva, HP, “Introduction to Developing Your Data Protection Plan”

• 9:30 – 10:00 am Kevin Bocek, PGP, “Developing a Business Case for Enterprise Data Protection”

• 10:00 – 10:15 am Morning Break 

• 10:15 – 10:45 am Dave Drab, Principal Info and Content Security, Xerox Global Services “Seven Steps to More Effective Information Security”

• 10:45 – 11:15 am David Hill, Principal, Mesabi Group “Data Protection: Fitting the Pieces of the Puzzle Together”

• 11:15 – 11:45 am Dan Bailey, Principal Solutions Architect, and Ros Schulman, Director of Data Protection, Hitachi Data Systems, “Data Protection…It’s Not Your Father’s DR”

• 11:45 am – Noon Final Questions and Answers with Morning Speakers. Chairperson: Satya Sachdeva, HP

Page 3: Sensitive Data Protection Planning


Tutorial T1A  –  Making Your Data Protection Plan Work 

AGENDA - pm

• 2:30 – 3 pm Jim Russ, VP Enterprise Technology, Nth Generation Computing, “Local and Remote Data Protection: Leveraging the Latest Backup and Data Replication Techniques”

• 3 – 3:30 pm George Symons, CEO, Yosemite Technologies, “Mobile User Data Protection – From Obstacles to Best Practices”

• 3:30 – 4 pm Subra Kumaraswamy, Dir Info Security, and Brennan Baybeck, Dir IT Security, Sun Microsystems, “Case Study of a Major Protection Initiative”

• 4 – 4:30 pm Breakout Sessions

– Data Protection Methods – David Hill

– Security Management – Subra Kumaraswamy and Brennan Baybeck

– Threat Analysis – Jim Szafranski

• 4:30 – 5:00 pm Breakout Session Report Panel Discussion

Page 4: Sensitive Data Protection Planning


INTRODUCTION TO DEVELOPING YOUR DATA PROTECTION PLAN

• Background on sensitive data

– The issue facing businesses today

– What is customer sensitive data?

– Why protect sensitive data?

– Imperatives of current and upcoming legislation

• Challenges in protecting sensitive data

• Overall framework to develop your data protection plan

– Need for a framework?

– Components of the framework

Page 5: Sensitive Data Protection Planning


Premise of Today’s Workshop

• Identity theft is a real threat – 218 million records have been involved in data breaches

– 2007 was a record year with more than 80 million stolen records

• Impact on businesses is huge. Risks include

– Direct losses as a result of fraudulent charges

– Loss of stock value, brand equity, and customer trust

– Class action lawsuits if stolen data leads to cases of identity theft

THE ISSUE

Information is now used as a currency for committing crimes

Page 6: Sensitive Data Protection Planning


WHAT CONSTITUTES CUSTOMER SENSITIVE DATA?

• Customer sensitive data is information used by identity thieves to steal identities (and rates are increasing faster than ever)

• Any combination of the following pieces of information that uniquely identify you:

– Name and address

– SSN

– Driver’s license #

– Name, address and mother’s maiden name

– Credit card #

– Account #

– User ID and password

• Also known as “Personally Identifiable Information” (PII)

Page 7: Sensitive Data Protection Planning


WHY PROTECTING CUSTOMER SENSITIVE DATA IS ESSENTIAL

• As per industry statistics, compromised firms could lose an average of 2% in market capitalization per incident

– ChoicePoint shares fell 11% after a security breach; it paid $15 million to settle charges

– Extreme case: DoubleClick lost $5B of market cap due to concerns over its privacy plans

• Impairment of brand equity

• Loss of consumer trust

• Compliance with national and international laws

• Class action lawsuits could be a killer

• Opportunity

– Privacy as a differentiator

– Trust is not a commodity

– Brand elevation – an alternative to price leadership

Page 8: Sensitive Data Protection Planning


IMPERATIVES OF CURRENT AND FUTURE LAWS

• California’s Database Security Breach Notification Act, SB 1386 and CA Civil Code 1798.85-86 and 1786-6

– Inform people whose identity information might have been compromised

– Can’t use SSN as account #, ID # or employee #

– 20 states have joined California in requiring organizations to notify individuals if their SSN, driver's license numbers, financial account numbers or other sensitive information is exposed to unauthorized people

• Gramm-Leach-Bliley Act (GLBA) comprehensive guidelines for safeguarding consumer data

– Ensure security/confidentiality of customer nonpublic financial information records (privacy)

– Protect against any anticipated threats or hazards to the security or integrity of such records (safeguarding)

– Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to customers (pretexting)

• The Safe Harbor Framework developed by the U.S. Department of Commerce, compliance in response to EU laws

– Effective since 2003 and voluntary in nature

– Multinational organizations which received PII data from EU

– Covers data privacy, data security and data integrity

Page 9: Sensitive Data Protection Planning


IMPERATIVES OF CANADIAN AND EUROPEAN LAWS

• Unlike U.S. laws that are focused on a specific vertical, these are all-encompassing

• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

– Impacts U.S. businesses if they buy or collect information on Canadian consumers via a Canadian business entity (i.e. subsidiary or partner)

– U.S. entity must ensure the sensitive information will receive the protection level required by PIPEDA

• European Union Data Protection Directive (95/46/EC)

– Information should be collected for specific, legitimate purposes only, and be stored in individually identifiable form no longer than necessary

– EU data can flow freely to U.S. companies if they are in compliance with Safe Harbor Framework

Figure (not reproduced): map of Canada (PIPEDA), Europe and the USA with two decision questions – “Do you collect information about Canadian customers through a Canadian entity?” and “Are you in compliance with the Safe Harbor Framework?”

In these regions, laws are more comprehensive and are often on the consumer’s side

Page 10: Sensitive Data Protection Planning


CHALLENGES IN PROTECTING SENSITIVE DATA BY BUSINESSES

• Ubiquitous nature

– Where does it live? Where is it processed? How is it used?

– What are all the touch points?

• Structured and unstructured

• Different types of media

• Organizational challenges

– Accountability

– Awareness across the depth and breadth of the organization

• Ever changing methods of attack

2005 worldwide study: "Unknown" showed up in survey responses as the 2nd most prevalent attack type, 4th most common attack method, and 3rd highest attack source

Source for the study: CIO Magazine – 09/15/2005

Page 11: Sensitive Data Protection Planning


CHALLENGES IN PROTECTING SENSITIVE DATA BY BUSINESSES

Attackers vs. Defenders

– Attacker needs to understand only one vulnerability

– Defender needs to secure all entry points

– Attackers have unlimited time

– Businesses have to work within time and cost constraints

Security vs. Usability

– Secure systems are more difficult to use

– Performance impact

– Complex and strong passwords are difficult to remember

Do I need security?

– Security as an afterthought

– Developers and management think that security does not add any business value

– Addressing vulnerabilities just before software is released is very expensive and ineffective

Page 12: Sensitive Data Protection Planning


NEED FOR A FRAMEWORK

• Companies are spending $30b on IT security but expensive breaches continue

– Most efforts focus on network and application security

• At least 25% of all breaches are carried out by internal staff

• Major categories of breaches reported in the last 12 months

– Hacking

– Stolen laptops / computers

– Lost tapes or media

– Malicious insiders

– Business processes with leakages

• Businesses must—

– Proactively identify all the touch points and vulnerabilities of sensitive data

– Take appropriate measures to mitigate the risks associated with each touch point

• This requires a systematic approach

Page 13: Sensitive Data Protection Planning


INFORMATION LIFECYCLE-BASED FRAMEWORK

• The principles and approach will apply to any organizational unit that touches information

– Could be big or small – macro or micro level

– Information could be stored on any media: paper, tape, disk

– Could represent a partner organization, e.g. supplier, processor, customer

– Could apply to any kind of information, e.g. customer information, employee information or other classified information

Figure (not reproduced): the information lifecycle drawn as a cycle of stages – Capture/Collect/Create Information → Process Information → Transport Information → Store Information → Distribute Information → Destroy/Retain Information – with hand-offs to Other Organizations.

Page 14: Sensitive Data Protection Planning


ACCOUNTABILITY

• An organization is responsible for personal data in its possession or custody

• The organization should designate a person or team to be accountable for the organization’s compliance with the best practices and/or applicable Federal and State laws

Page 15: Sensitive Data Protection Planning


ACCOUNTABILITY

• Questions an organization should consider—

– Does it have at least one individual responsible for data collected, used, maintained, or stored by the organization?

– Is the individual accountable for protecting all information held by the organization or transferred to another organization for processing?

– Does the person have authority and the support of senior management?

– Does the accountable person have in-depth knowledge of information management techniques, computers and telecommunications?

– Does the organization have documented information policies and practices?

– Does the organization have a detailed process flow for sharing or distributing various categories of information?

Accountability must be deep rooted in a corporation – a CPO or CSO is not enough.

Every organization within the corporation MUST have an accountable person.

Page 16: Sensitive Data Protection Planning


INVENTORY AND CATEGORIZE

• For an organization to follow the best practices and comply with federal and state laws, a comprehensive up-to-date inventory of all sensitive data is critical

– Categorize information by type, purpose and sensitivity level

– Define a policy for each sub category

– Implement a process to keep information current

Page 17: Sensitive Data Protection Planning


IDENTIFY ALL TOUCHPOINTS

• Human-machine interfaces

– BI accesses – remote or local

– Operational system interfaces

– Web interfaces

• Machine-machine interfaces

• Developers, DBAs accessing data applications, SQL or any other means, in development, test, QA or production environments

• Data hand-offs in business work flow processes

– Internal and external

Figure (not reproduced): sample architecture diagram with numbered touch points (1–12) across two sites – VPN, F5 and Resonate load balancers, web servers, application servers, OLTP database/file system, EAI, mainframe CICS application, IMS/DB2 UDB, OLAP/analytical database, ETL servers, analytics application server, email, client desktops in multiple locations, computer printer, external data and other data sources (including Trilegiant and RCI.com).

Page 18: Sensitive Data Protection Planning


IDENTIFY VULNERABILITIES

• For each touch point

– Identify and assign accountable organizational unit

– Document threat assessment

– Define and communicate security policy

– Define risk assessment

– Define strategy for safeguards

Figure (not reproduced): threat classification matrix for touch points – External vs. Internal origin, Hostile vs. Non-Hostile intent, Structured vs. Unstructured data.

Page 19: Sensitive Data Protection Planning


RISK ASSESSMENT

• What is the impact if a DBA or developer with access to production data copies customer data on to a CD and walks away?

– Max number of customers potentially impacted

– Estimated cost per customer

– Total potential impact

• What is the impact if someone breaks into HR and walks away with sensitive information about employees?

• What is the impact if call center employee is able to print screens and copy them to a flash drive?

• What if a tape being sent over to a partner vendor is lost on the way?

Impact analysis on business when a touch point is compromised (example):

Total number of potential entities impacted: 1.5 million
Estimated cost per entity: $250
GLB Act fine: $100,000
Any Canadian entities involved? Y
Any EU entities involved? N
Potential of a mass lawsuit: Possible
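The inventory, touch-point, threat-classification and impact-analysis steps of the last four slides, carried through in Python as an added example that is not part of the tutorial. The data categories, touch points, accountable units, record counts and per-record costs are constructed sample data; the dollar figures follow the slide's illustration (1.5 million entities at $250 each plus a $100,000 GLB Act fine), and the three classification axes are the ones from the vulnerability slide.

```python
"""Touch-point inventory, threat classification and impact analysis.

Added example (not from the tutorial). Models the steps the slides lay out:
categorize sensitive data, list the touch points that handle it, classify
each on the external/internal, hostile/non-hostile and structured/
unstructured axes, estimate the impact of a compromise, and rank the touch
points by impact. All categories, touch points and counts are constructed
sample data; the dollar figures follow the slide's illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    PII = "pii"  # name+SSN, card #, account #, user ID + password, ...


class Origin(Enum):
    EXTERNAL = "external"
    INTERNAL = "internal"


@dataclass(frozen=True)
class DataCategory:
    name: str
    sensitivity: Sensitivity
    structured: bool        # database rows vs. paper, screen prints, e-mail
    record_count: int       # individuals whose records the category holds
    cost_per_record: float  # estimated notification/clean-up cost per record


@dataclass
class TouchPoint:
    name: str
    accountable_unit: str            # organizational unit that owns this touch point
    origin: Origin
    hostile: bool
    categories: list[DataCategory]
    regulatory_fine: float = 0.0     # statutory fine if PII is exposed here
    canadian_subjects: bool = False  # PIPEDA obligations apply
    eu_subjects: bool = False        # Safe Harbor obligations apply
    safeguards: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class ImpactEstimate:
    touch_point: str
    entities_impacted: int
    direct_cost: float
    regulatory_fine: float
    total_impact: float
    cross_border: tuple[str, ...]
    lawsuit_possible: bool


# Constructed sample data; record counts and costs are assumptions.
CUSTOMER_MASTER = DataCategory("customer master (name, address, SSN, account #)",
                               Sensitivity.PII, True, 1_500_000, 250.0)
BACKUP_TAPE = DataCategory("monthly full backup tape", Sensitivity.PII, True, 200_000, 250.0)
CALL_SCREENS = DataCategory("call-center screen prints", Sensitivity.PII, False, 20_000, 250.0)
HR_FILES = DataCategory("employee personnel files (paper)", Sensitivity.PII, False, 5_000, 250.0)
MARKETING_STATS = DataCategory("aggregated campaign statistics", Sensitivity.INTERNAL, True, 0, 0.0)

SAMPLE_TOUCH_POINTS = [
    TouchPoint("DBA/developer copies production data to CD", "Data Warehouse Ops",
               Origin.INTERNAL, True, [CUSTOMER_MASTER, MARKETING_STATS],
               regulatory_fine=100_000.0, canadian_subjects=True),
    TouchPoint("break-in at HR file room", "Human Resources", Origin.EXTERNAL, True, [HR_FILES]),
    TouchPoint("call-center screen prints copied to flash drive", "Customer Care",
               Origin.INTERNAL, True, [CALL_SCREENS]),
    TouchPoint("backup tape lost in transit to partner vendor", "Infrastructure",
               Origin.EXTERNAL, False, [BACKUP_TAPE], safeguards={"tape encryption"}),
]


def threat_class(tp: TouchPoint) -> str:
    """Label a touch point on the slide's three axes, e.g. 'internal/hostile/structured'."""
    fmt = "structured" if all(c.structured for c in tp.categories) else "unstructured"
    return f"{tp.origin.value}/{'hostile' if tp.hostile else 'non-hostile'}/{fmt}"


def assess_impact(tp: TouchPoint) -> ImpactEstimate:
    """Estimate the business impact if this touch point is compromised.

    Follows the slide's arithmetic: entities impacted x cost per entity, plus
    any statutory fine, and flags which cross-border regimes are engaged.
    Only PII categories count; internal/public data carries no per-record cost.
    """
    pii = [c for c in tp.categories if c.sensitivity is Sensitivity.PII]
    entities = sum(c.record_count for c in pii)
    direct = sum(c.record_count * c.cost_per_record for c in pii)
    fine = tp.regulatory_fine if pii else 0.0
    regimes = []
    if pii and tp.canadian_subjects:
        regimes.append("PIPEDA")
    if pii and tp.eu_subjects:
        regimes.append("Safe Harbor")
    return ImpactEstimate(tp.name, entities, direct, fine, direct + fine,
                          tuple(regimes), lawsuit_possible=entities > 0)


def prioritize(touch_points: list[TouchPoint]) -> list[ImpactEstimate]:
    """Rank touch points by total potential impact, highest first (risk-based ordering)."""
    return sorted((assess_impact(tp) for tp in touch_points),
                  key=lambda e: e.total_impact, reverse=True)


if __name__ == "__main__":
    for tp in SAMPLE_TOUCH_POINTS:
        print(f"{tp.name:50} {threat_class(tp):32} owner={tp.accountable_unit}")
    for est in prioritize(SAMPLE_TOUCH_POINTS):
        print(f"${est.total_impact:>14,.0f}  {est.entities_impacted:>9,} entities  "
              f"fine=${est.regulatory_fine:,.0f}  regimes={list(est.cross_border)}  {est.touch_point}")
```

Running the script lists each touch point with its accountable unit and threat class, then the impact estimates from largest to smallest; the first entry reproduces the slide's figures ($375,100,000 for 1.5 million entities, PIPEDA engaged, lawsuit possible). The ranking is what the later "prioritize the pieces" step consumes, and the per-record cost and fine are the two inputs a stakeholder group would most want to revisit.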

Page 20: Sensitive Data Protection Planning


SECURITY SAFEGUARDS

• The nature and extent of the safeguards will vary depending on:

– Sensitivity of the data that have been collected

– Amount, distribution, and format of the data

– Method of storage

– Method of transportation

– State of technological development

– Cost and reasonableness of implementation of the safeguards

– Level of risk

• The security safeguards should protect data against accidental or unlawful loss, as well as unauthorized access, disclosure, copying, use, or modification, as per the policy laid out

• Organizations should protect personal data regardless of format or media

Page 21: Sensitive Data Protection Planning


ONGOING MONITORING SYSTEM

Questions to ask—

• Does your organization have a monitoring organization and program?

• Does your organization have a metrics system in place to track various aspects of information privacy and security?

• Does your organization have processes in place to monitor overall threat environment?

Establishing an ongoing monitoring system is necessary not only to track the progress of compliance of various privacy/security requirements, but also to keep abreast of the changes in federal, state and international laws

The monitoring system should also keep abreast of changing threats and organizational/technological responses

Compliance monitoring system is often the most overlooked part of Information Security Lifecycle

Page 22: Sensitive Data Protection Planning


ONGOING MONITORING SYSTEM

• Privacy and security audit organization

• Metrics system to monitor

– Computed risk level

– Compliance level

– Encryption compliance level

– Various components of computed risk level

– Authorization metrics

– Access metrics

– Various data store counts

– Data transportation metrics

– Destination data store metrics

– Improvement status

– Percentage inventory completion status

• Processes

– Educational and communication

– Policy review

– Enforcement
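A few of the metrics listed on this slide computed from a small inventory, as an added example in Python that is not from the tutorial. The data stores, their authorization lists and the access-log lines are constructed, and the log format, field names and bulk-movement threshold are assumptions made for illustration; the point is that inventory completion, encryption compliance, authorization and access metrics all fall out of the same two records (the inventory and the access log) once both are kept current.

```python
"""Metrics for an ongoing monitoring system.

Added example (not from the tutorial). Computes a handful of the metrics the
slide lists - percentage inventory completion, encryption compliance level,
authorization metrics, access metrics and a data-transportation metric - from
a constructed data-store inventory and constructed access-log lines. The log
format, field names and policy thresholds are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class DataStore:
    name: str
    categorized: bool              # inventory step done: type/purpose/sensitivity recorded
    holds_pii: bool
    encrypted: bool
    authorized_users: frozenset[str]


# Constructed inventory (sample data, not a real environment).
INVENTORY = [
    DataStore("CUST_MASTER", True, True, True, frozenset({"dba01", "etl_svc"})),
    DataStore("CALL_CENTER_NOTES", True, True, False, frozenset({"cc_app", "dba01"})),
    DataStore("MARKETING_STATS", True, False, False, frozenset({"analyst1"})),
    DataStore("LEGACY_ARCHIVE", False, True, False, frozenset({"dba01"})),
    DataStore("HR_FILES", True, True, True, frozenset({"hr_app"})),
]

# Constructed access-log lines in an assumed key=value format.
ACCESS_LOG = """\
2008-03-10T09:12:01 user=dba01 store=CUST_MASTER action=SELECT rows=150000
2008-03-10T09:15:44 user=etl_svc store=CUST_MASTER action=SELECT rows=1500000
2008-03-10T10:02:13 user=cc_app store=CALL_CENTER_NOTES action=SELECT rows=12
2008-03-10T11:47:59 user=dev07 store=CUST_MASTER action=SELECT rows=1500000
2008-03-10T13:20:05 user=analyst1 store=MARKETING_STATS action=SELECT rows=900
2008-03-11T02:10:33 user=dba01 store=LEGACY_ARCHIVE action=EXPORT rows=250000
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) store=(?P<store>\S+) "
                    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$")


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({**m.groupdict(), "rows": int(m["rows"])})
    return events


def inventory_completion(inv: list[DataStore]) -> float:
    """Percentage of known stores whose categorization is complete."""
    return 100.0 * sum(s.categorized for s in inv) / len(inv)


def encryption_compliance(inv: list[DataStore]) -> float:
    """Percentage of PII-holding stores that are encrypted."""
    pii = [s for s in inv if s.holds_pii]
    return 100.0 * sum(s.encrypted for s in pii) / len(pii)


def unauthorized_accesses(inv: list[DataStore], events: list[dict]) -> list[dict]:
    """Access metric: events by users not on the store's authorization list."""
    auth = {s.name: s.authorized_users for s in inv}
    return [e for e in events if e["user"] not in auth.get(e["store"], frozenset())]


def dormant_authorizations(inv: list[DataStore], events: list[dict]) -> list[tuple[str, str]]:
    """Authorization metric: (store, user) grants never exercised in the log window."""
    used = {(e["store"], e["user"]) for e in events}
    return sorted((s.name, u) for s in inv for u in s.authorized_users if (s.name, u) not in used)


def bulk_movements(inv: list[DataStore], events: list[dict], threshold: int) -> list[dict]:
    """Data-transportation metric: accesses pulling at least `threshold` rows from a PII store."""
    pii_stores = {s.name for s in inv if s.holds_pii}
    return [e for e in events if e["store"] in pii_stores and e["rows"] >= threshold]


def monitoring_report(inv: list[DataStore], log_text: str, bulk_threshold: int = 100_000) -> dict:
    """Roll the metrics up into one report a monitoring organization could track over time."""
    events = parse_log(log_text)
    return {
        "inventory_completion_pct": inventory_completion(inv),
        "encryption_compliance_pct": encryption_compliance(inv),
        "unauthorized_access_count": len(unauthorized_accesses(inv, events)),
        "dormant_authorizations": dormant_authorizations(inv, events),
        "bulk_movement_count": len(bulk_movements(inv, events, bulk_threshold)),
    }


if __name__ == "__main__":
    for key, value in monitoring_report(INVENTORY, ACCESS_LOG).items():
        print(f"{key:28} {value}")
```

On the constructed data the report shows 80% inventory completion (one archive still uncategorized), 50% encryption compliance across PII stores, one access by a user with no authorization, two grants that were never used, and four bulk pulls from PII stores. Tracking the same figures period over period is the "improvement status" the slide asks for; a dormant grant or an unauthorized read on a PII store is also the kind of finding the enforcement process should act on.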

Page 23: Sensitive Data Protection Planning


DIVIDING AND PRIORITIZING

• Break the problem into manageable pieces

– Relate to the businesses

– Must be data/information relevant

– Must be contained

• Prioritize the pieces

– Must be a risk-based process (impact, exposure, threats)

– Driven by a Stakeholder Group

– Process must be based upon metrics

• Mitigation

– Define acceptable risk at a high level

– Action plan (alternatives) for each prioritized piece

Figure (not reproduced): a grid dividing the problem by LOBs (General Bank, Wealth Mgt., Small Business, Capital Mgt.), data subjects (Account, Customer, Relationship, Activity) and Sources & Stores (Internal, Vendor, Outsource, Hierarchies, Regulator).

Page 24: Sensitive Data Protection Planning


SUMMARY

• Identity theft through businesses is on the rise through different touch points

• Protecting sensitive data for all stakeholders is critical to protect people likely to be impacted

– Acts as a differentiator as a trustworthy partner

– Protects against lawsuits and fines

• Organizations need a systematic approach and planning due to ubiquitous nature of the problem

• Start with the basics, develop a plan

– Accountability

– Inventory/Categorization

– Identify touch points and vulnerabilities

– Assess risk

– Apply safeguards

• Remember – this is not a one time exercise!

Page 25: Sensitive Data Protection Planning



Questions?

Satya Sachdeva, Senior Principal, Financial [email protected]

Thank you