Protecting the Crown Jewels – Enlist the Beefeaters
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity, it’s becoming an organization’s crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard’s reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization’s most valuable assets from even trusted insiders. He provides insights into his company's data identification, classification and security initiative, and shares best practices for creating consensus and for engaging and aligning multiple business units to better protect the organization's crown jewels.
1. Are you a Beefeater? GET FOCUSED ON PROTECTING YOUR CROWN JEWELS
2. Introduction: Solving Problems Is My Passion
I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.
Who is Jack Nichelson?
- Global Information Security Manager at a large manufacturing company
- 15 years of experience in IT Security & Risk Management
- Active in the security community (DefCon, ShmooCon, DerbyCon)
- Teach Network Security and advise the Baldwin Wallace CCDC team
3. Problem Statement: No More Borders
Most security failures can be traced back to failures of decision making and not failures of technology.
Key Challenges:
- A need for information everywhere and on everything.
- What is a Crown Jewel, where is it, who needs it, and how is it protected?
- Traditional classification policies and handling guidelines have failed and are not consistently applied or used for decision making.
- The culture inside the organization is not ready to do anything about sensitive data.
- Vendor Management is not part of the Data Classification process.
"For too long, compliance has tested physical assets and ignored the thing that matters most" - Chris Nickerson
4. Beefeaters: Change of the Guard
Once you have the basics covered, it's time to start focusing on protecting your most important data. Who better to protect your Crown Jewels than the Beefeaters? Tap into the iconic London Guard's reputation to develop an elite force to defend your organization's most valuable assets from even trusted insiders.
Empower the Data Handlers and hold the Data Owners responsible.
Data Governance – A Team Effort, But An Individual Responsibility!
5. Solution Approach: Security Spending is out of Balance
The Power of Three:
- FBI Counterintelligence for Corporate America: Establish a new mental model in leadership about the threats
- PwC Data Governance: Data Classification Criteria, Ranking & Inventory of Data Elements
- SANS 20 Critical Controls: Align Security Controls with Key Threats to Data Elements
"Big increase in IT security spending" - Gartner
Time to stop the unfocused spending on security and find the right balance of people, process & technology.
6. Counterintelligence: Lead through Awareness
The mission is to protect the company's classified & proprietary technologies from theft & protect its most valuable asset – its people.
Essential Elements of a Counterintelligence Program:
- Create an organization-wide Data Privacy & CI Steering Committee
- Recognition of the Insider & Foreign threat potential
- Internal and external partnerships embedded within the company at key decision points
- Integration of CI and Information Technology Security & CI Awareness program & communication channel
7. Data Governance
The first step in protecting your data is knowing its value, so you have a reason to find it.
Data Classification Process:
- Gather & Assess Data Elements – Can't protect what you don't understand
  o Conduct detailed working sessions to identify & define sensitive data
  o Define levels of confidentiality (Public, Internal, Confidential, Restricted)
  o Identify data elements, applications, data flows, and create data inventory
- Weight & Heat Map Data Elements
  o Assign weighting to identified data elements
  o Ensure operational activities are aligned with classification
  o Create heat map across each functional area of data classifications and risks
  o Get management agreement of classification scoring & threats of data loss
8. Security Framework: Focusing your Resources
The 20 Critical Security Controls focus on prioritizing security on What Works for immediate high-value action.
Guiding Principles:
- Start from thinking you have been breached and work backwards
- Defenses should focus on most common & damaging attacks
- Ensure consistent controls are applied for the right level of impact
- Defenses should be automated, measured, and audited
- Measurements & metrics that everyone agrees on
"Don't prioritize too many priorities" - James Tarala
9. Defining Your Critical Data: How to get started
Process Framework:
- DEFINE your critical data assets
- DISCOVER critical data security environment
- BASELINE critical data security processes and controls
- SECURE critical data
- MONITOR with proper governance and metrics
Key Steps to Get Started:
- Define what is your critical data & how to score it
- Define your Data Classification Criteria & Ranking
- Create an Inventory of your Data Elements
- Establish Process & Controls to protect your data
10. Information Security Maturity Plan
Milestone Accomplishments:
- Monthly Security Awareness Training
- Patching most systems within 15 days
- Removed Java from 85% of workstations
- Hard Drive Encryption for Laptops
- Web Security with Egress Filtering
- Network perimeter-Monitored Firewalls
- Minimum Security Baselines
- Achieved basic security compliance
- Achieved basic blocking & tackling security
11. Data Governance Roadmap
12. Classification Criteria

CATEGORY: Public
DESCRIPTION: Information that can be publicly disclosed.
SAMPLE DOCUMENTS/RECORDS: Marketing materials authorized for public release such as advertisements, brochures, published financial reports, Internet Web pages, catalogues, external public presentations and technical publications
MARKING: None, except copyright notice if applicable
REPRODUCTION: Unlimited
DISTRIBUTION: Not restricted
STORAGE: Not restricted
DESTRUCTION/DISPOSAL: Recycling/trash

CATEGORY: Internal
DESCRIPTION: Information whose unauthorized disclosure outside the organization would be inappropriate and inconvenient.
SAMPLE DOCUMENTS/RECORDS: Intranet web pages, internal contact information, newsletters, certain corporate policies and procedures, town hall presentations, benefit options, postings on internal bulletin boards, internal SDS databases
MARKING: None required, but can be marked "FOR INTERNAL DISTRIBUTION ONLY" if needed
REPRODUCTION: Unrestricted internally
DISTRIBUTION: Internal distribution only
STORAGE: Not restricted
DESTRUCTION/DISPOSAL: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal

CATEGORY: Confidential
DESCRIPTION: Information that will have a moderate* negative material impact on the organization. This information will negatively impact the organization if disclosed. *Less than $** million loss
SAMPLE DOCUMENTS/RECORDS: Best Practices, job manuals, R&D technical documents, QA information including test data, Idea Records, engineering drawings and documentation, PLC programs, certain agreements, customer lists, cost information, personal identifiable information, personal health information
MARKING: Company CONFIDENTIAL, ljk CONFIDENTIAL, ;ldkfj;ljd CONFIDENTIAL (Company CONFIDENTIAL is the umbrella statement for data that can be shared between companies; sdfsdf and sdf Confidential is for the given businesses). Marking is mandatory on first page.
REPRODUCTION: Only for legitimate business purposes and to limited audience. Secure print only.
DISTRIBUTION: Internal: Distribute to a limited audience to those who need to know. Link to document if possible when emailing. Limit printing. External: Need appropriate agreement in place or by manager approval only.
STORAGE: Encrypted network file share, encrypted USB (company owned), no local storage on hard drive, no storage on personal devices or personal email. Paper confidential documents must be stored under lock and key when not in use.
DESTRUCTION/DISPOSAL: Paper: shred. Electronic: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, printers etc. to IT for appropriate disposal

CATEGORY: Restricted
DESCRIPTION: Information that will have a significant* negative material impact on the organization and can provide significant third party personal or competitive financial gain. *Greater than $** million loss
SAMPLE DOCUMENTS/RECORDS: Restricted information includes export controlled data, ITAR controlled data, lkjhlk Customer Confidential, sakjhalskfjh Supplier Confidential information, communications marked attorney-client privilege, and M&A information. Information deemed as "crown jewels" by the business team.
MARKING: Company RESTRICTED, FMI RESTRICTED, SEADRIFT RESTRICTED. Mark