• 210 likes • 322 Views
Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented By Brett Moore. Information Loss Costs Money. Recent study by the Ponemon Institute Examined costs incurred by 14 companies in 11 industry sectors
E N D
Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented By Brett Moore
Information Loss Costs Money • Recent study by the Ponemon Institute Examined costs incurred by 14 companies in 11 industry sectors • Breaches affecting between 1,500 to 900,000 consumersTangible and intangible costs up to $14 million USD • Related survey of customers20% had terminated their relationship with the companyAnother 40% were considering in doing so • What informationStaggering amount of information stored nowFinancial, health, social, personal, business With the masses amount of data that flows through your organisation, are you taking the appropriate steps to protect what may be your most valuable asset?
The Issue • Many organisations choose to spend their resources identifying and managing information security vulnerabilities instead of managing risk to their information assets. • Vulnerability-centric approaches to organisational security fall short of appropriately characterizing organizational risk because they fail to focus on what is actually at risk, the information and processes they support.
Information Assets • What is an information asset An information asset is any data stored that is used by the organisation for information purposes. • Information value can be calculatedBased on the importance to the organisations continuationThe affect the loss of the information would have • Information risk assessmentThe type of data the information is created from affects the requirement to secure it • Information valueDetermines its importance and criticality to the organisation • Which data is which?What happens when an information asset is a combination of data from different sources?
Where Is The Information Stored • You MUST know where your information is storedHow else are you able to secure it? • Data is stored in containersDrive, tape, cd-rom, dvd, paper, people • Containers are not ‘physical’Stored on multiple serversA collection of databasesA collection of database tables • Containers are not only technicalInformation can be in printed formInformation is stored in peoples heads
Container Security Aspects • The way in which an asset is protectedThrough controls implemented at the container levelie: access checks at the database level • Security control depthThe degree to which an asset is protected is based on how well the control reflect the requirements of the asset • Risk inheritanceAny risk associated with the container is inherited by the assetie: server destruction, tape backup theft • Legal requirementsThere can be different legal requirements dependant on the information asset’s container
Who Owns The Data? • The ownerAre those who have primary responsibility for the viability and survivability of the asset • Security requirementsOwners set the security requirements for an asset and communicate these to the assets’ custodiansEnsuring the security requirements have been implemented • Defining the assetThe owner defines what the information asset consists of, and is responsible for determining the assets valueIt is this value that is used to calculate risk mitigation processes • DelegationThe owner can delegate responsibilities but ultimately remains the owner responsible for the assets protection
Who Looks After The Data? • The custodianManage or are responsible for containers • Accepts responsibilityThe custodian accepts responsibility and protects the data according to the owners defined requirements • Is NOT the ownerDespite common misconception, the custodian is not the owner and therefore not the responsible entity • Information useAny person who makes use of the information asset becomes a custodian during that period
Governance – External Requirements • Legal Sarbanes-Oxley California Disclosure Law Common Law Duty of Care • Industry Imposed PCI Compliance All concerned with information assets, not security breaches
Legal Requirements • Sarbanes-Oxley (USA, July 2002) Requirements for all public companies listed in the US Public companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting Independent auditors for such companies must "attest" (i.e., agree, or qualify) to such disclosure Financial reporting is generally driven by information assets, so the security of those information assets is of primary concern • SB 1386 (California Disclosure Law, September 2002)Requires protection of personally identifiable information Must disclose if this information is reasonably believed to have been compromised Relates to any instance involving a resident of California 23 States now passed and several bills in front of Congress
Impact of Disclosure Requirements • Sarbanes-Oxley Cray Inc (Supercomputer manufacturer) In March 2005, Cray filed a SOX report warning of material weaknesses in internal control over financial reporting Inadequate review of third-party contracts and lack of software application controls and documentation (SoD, and IT auditing issues) Cray's stock price dropped 56%, from $3.15 per share on March 15, 2005, to $1.38 on May 25, 2005 Now faced with a class action suit by shareholders
Impact of Disclosure Requirements • US Disclosure Laws From http://www.privacyrights.org/ar/ChronDataBreaches.htm Over 120 Breaches disclosed so far this year Over 80 million records involved Breaches included: Hacking Dishonest employees Stolen computers Lost backup tapes Accidental online exposure
Impact of Disclosure Requirements • Ponemon Institute Studies Notification Impact 19% of disclosure recipients terminated relationship 40% thinking of terminating 27% concerned regarding organisation Cost of Breach Reviewed 14 breaches Breaches ranged from 1,500 records to 900,000 records from 11 different industry sectors Average losses of $140 per record, or $14 million per company Includes direct ($50), indirect($15), and opportunity costs($75) Does not include implementation of additional controls
Steps To Protect Information Assets • Identify information assets and ownersIAP – Information Asset Profiling • Conduct an information security risk assessmentThis includes identifying the risks to the asset • Develop and implement security policies and proceduresThis drives how and what technology is used • Test, audit, and updatePolicies and processes must workYou need to know when they are been breachedThey need to be kept recent and up to date
Information Asset Risk Assessment • Primary Container May Not Be Primary Risk Other locations where information may be stored includes: • Backups • DR systems • Laptops • Desktops • Once Each Container Has Been Identified, Establish How Each Is Accessed • Thick client applications • Web Applications • Database connections • Direct file access
Information Asset Risk Assessment • Perform a threat assessment of each entry point of each information asset container • Assess each threat using standard risk assessment mechanisms utilising the value of the information asset to determine the impact of the threat occurring • Each container may have multiple risk profiles, use the highest rating to determine the overall risk for that container • Remember to take into account information in transit
Vulnerability versus Information Asset Approaches • Vulnerability Management Usually focused on individual containers or access points (applications) Generally doesn’t take into account the value of information assets Rates vulnerabilities in terms of impact to container, not data • Information Asset Profiling Focuses on risks to data rather than systems or applications Risks directly associated with value of data May not take into account risks not relating to data, such as reputational risk
Common Tools And Techniques To Protect Data • EncryptionDatabase Communication Laptop Backup • Principle Of Least PrivilegeDatabase Server Application • Protect Data Even After Container Has Been RetiredWipe old disks/tapes, or destroy • Log/Audit Trails
Key Questions To Take Away • Do you have an application or vulnerability-centric approach to security rather than focusing on the information itself? • Have you identified where your critical business data resides? Databases Servers Backups Laptops • Have you got mechanisms in place to protect each of those locations?Database/Server protections Laptop encryption Backup encryption
Questions ? http://www.security-assessment.com nick@security-assessment.com