1 / 31

What Is Sensitive Data?

What Is Sensitive Data?. What’s the Risk and What Do We Do About It?. Weston Nelson Steve Fineberg Steven Gin. Disclosure Statement.

Download Presentation

What Is Sensitive Data?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. What Is Sensitive Data? What’s the Risk and What Do We Do About It? Weston Nelson Steve Fineberg Steven Gin

  2. Disclosure Statement The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

  3. Moss Adams LLP • Moss Adams is one of the 15 largest accounting and consulting firms in the U.S. • 21 locations; 1,800 personnel • Industry-focused service groups • IT consulting specialists

  4. Agenda • What is sensitive data? Why do we care? • Define the states of data in the data lifecycle • How is your data at risk? • Discuss what your organization is doing • Review possible controls to protect your sensitive data • Questions and Answers

  5. What is Sensitive Data? • What is important to your organization? • Who owns or is responsible for sensitive data? • Where does your sensitive data reside? • Are there multiple versions of your sensitive data? • Where does your date go and how is it protected?

  6. What is Sensitive Data? (cont.) • What is important to your organization? • Student records • Employee records • Payment transactions • Grades and examinations • Faculty research • Grant and donor data • Other data?

  7. What is Sensitive Data? (cont.) • How are these data classified? • Student records (PII, ePHI) • Employee records (PII, ePHI) • Payment transactions (PCI) • Grades and examinations (operational data) • Faculty research (intellectual property) • Grant and donor data (competitive information) • Other data?

  8. What is Sensitive Data? (cont.) • Who owns or is responsible for sensitive data? • Administration • Enrollment • Test centers • Research personnel • Grants and funding departments • Medical staff • Professors

  9. What is Sensitive Data? (cont.) • Where does your sensitive data reside? • Internal • Campus Network • Local workstations • External • Hosted co-location • Cloud • ??? (Do you really know?) • Mobile devices

  10. What is Sensitive Data? (cont.) • Are there multiple versions of your data? • Network file shares • Workstations, laptops • Third-party vendors • Removable media • E-mail • Cloud • Mobile devices • Hard copies

  11. What is Sensitive Data? (cont.) • Where does your data go and how is it protected? • Where is your data? • Data Marts • File shares/servers • How is it transmitted? • Encrypted • Trusted Recipient

  12. What is Sensitive Data? (cont.) • Where does your data go and how is it protected? • Who can access it? • Appropriate Access • Authorized User

  13. The Data Lifecycle • From a data loss perspective, the industry has adopted three standard terms to describe the states of data in the data lifecycle: • Data at rest • Data in motion • Data in use

  14. The Data Lifecycle (cont.) • Data at rest • Data that is in storage and accessible by your organization. These data may be in disparate locations and stored on various types of media. • Examples include: • Spreadsheets, databases, application configuration files

  15. The Data Lifecycle (cont.) • Data in motion • Data that is in transit, flowing across internal networks and to the outside world • Includes data on wired and wireless networks • Examples • File being opened from a network drive on a workstation, network packet data

  16. The Data Lifecycle (cont.) • Data in use • Data that is being accessed or used by a system at a point in time • Examples • Data in temporary memory on a local machine • File being copied to a USB drive • Data being copied and pasted from one file to another

  17. How Is Your Data At Risk? • Risks related to data states • Inappropriate access, theft (data at rest) • Interception (data in motion) • Misuse, abuse of access (data in use) • Risks related to data location • Unintentional transmission (mobile devices)

  18. Establishing an Understanding of the Data • Education and communication as to what is critical to the organization • Protocols or procedures for data usage • What is internal use only? • What is public? • What is restricted or used only be a few groups or individuals? • Security protocols around data classes

  19. What is your organization doing? • Policies and procedures • IT general controls • Third-party vendor controls • Education of users

  20. Sensitive Data Controls • To adequately protect against data loss, you should consider both systematic and manual controls, to be applied at each data state • Data state-specific controls • Data at rest • Data in motion • Data in use • Supporting controls

  21. Sensitive Data Controls (cont.) • Data at rest • Encryption • Physical security • Physical media security and destruction • Mobile device protection • Endpoint security • Continuous discovery

  22. Sensitive Data Controls (cont.) • Data in motion • Perimeter security • Network monitoring • Internet access controls • Messaging • Remote access controls • Data collection and exchange

  23. Sensitive Data Controls (cont.) • Data in use • Access controls and monitoring • Privileged user monitoring • Export/save controls • Use of test data • Change and version controls • Data anonymization

  24. Sensitive Data Controls (cont.) • Supporting Controls • Disaster recovery plan / business continuity plan • Training and awareness • Third-party management • Change management / SDLC • Identity / access management

  25. Sensitive Data Controls (cont.) • Supporting Controls • Security information / event monitoring • Physical security • Employee screening • Regulatory compliance management

  26. Other Control Considerations • Tailor controls to each specific set of data • Data location • Breadth of access • Frequency of use or access • Organizational risk

  27. What else can be done by Internal Audit? • Annual risk assessments • A major overhaul of your risk assessment process isn’t required • Consider asking the following questions for each area of the audit universe: • What is the associated data? • Is it sensitive data? • How frequently is sensitive data created for this area? • Where does is reside? (data at rest) • Who can access it? (data in use) • What is its vulnerability to theft, abuse, and misuse? (data in motion)

  28. What else can be done by Internal Audit? • Full Organizational Involvement • Administration • Enrollment • Test centers • Research personnel • Grants and funding departments • Medical staff • Professors

  29. Key Points • Sensitive data exists throughout and externally to your organization • Different states of data have different risks and controls • Specific controls can be implemented to address the varying states of data • Everyone in your organization has a responsibility for protecting sensitive data • By asking the right questions, your organization can ensure that sensitive data is identified and properly controlled

  30. Questions and Answers

  31. Thank You For Attending! Weston Nelson Director, Business Risk Management Weston.Nelson@mossadams.com Office: (503) 478-2144 Steve Fineberg Manager, Business Risk Management Stephen.Fineberg@mossadams.com Office: (916) 503-8175 Steven Gin Manager, Business Risk Management Steven.Gin@mossadams.com Office: (310) 295-3780

More Related