Data Stewards vs. Digital Hoarders in a Game of RISK (237149651)

Post on 03-Jun-2018

Transcript of Data Stewards vs. Digital Hoarders in a Game of RISK (237149651)

8/11/2019 Data Stewards vs. Digital Hoarders in a Game of RISK (237149651)

http://slidepdf.com/reader/full/data-stewards-vs-digital-hoarders-in-a-game-of-risk-237149651 1/27

Strategies in the Game of RISK

Keith Hartranft, CISSP, Information Security and Policy Officer

Library and Technology Services

Sara Rodgers, Chief Information Security Officer

Library and Technology Services

Data Stewards vs. Data Hoarders

Playing the Wrong Game

• Prioritize initiatives
• Classify data
• Analyze risk

A Three Pronged Approach

Security Framework

SANS 20 Critical Controls

Objectives:

• Implement controls proven to block known attacks
• Map specific actions to implement the controls
• Associate activities with NIST & NSA network security tasks
• Utilize procedures & tools for implementation and automation
• Assess through proven metrics & testing

ISO 27002 Policy Administration

Objectives:

To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations through an Information Security Policy.

Security Awareness

Objectives of SETA (Security Education, Training and Awareness):

• Integrate skills and competencies into a common body of knowledge
• Produce relevant and needed security skills and competencies
• Change behavior or reinforce good security practices

Measuring Risk

[Figure: risk matrix with Severity/Impact on the horizontal axis and Likelihood/Probability on the vertical axis. The plotted practices, from highest risk to lowest:]

• Highest: collecting/storing restricted data on a large population, with multiple copies and/or accessible by a large number of people
• Reducing the number of people or records with restricted data
• Reducing storage locations or limiting access
• Lowest: removing or redacting restricted data

Knowing the Board and the Rules

• Laws
• Regulations
• Asset Valuation & Risk
• The Players

Risk Reduction

Restrict, Redact, Remove

The Players:

• Executives
• Risk Management
• Legal
• Information Security
• Data User
• Data Custodians

The Strategy of the 3 R’s

• Remove – Do we even need to collect it? Or can we dispose of it?
• Redact – If we store it, can we redact or obfuscate it?
• Restrict – Who should see it? Access it? What views?

Security as the Ambassador

Be the liaison in the process of Data Risk Reduction.

Risk Reduction: Restrict, Redact, Remove

Data Stewards / Data Hoarder

ROCK - The Process

R. – Recruit the appropriate team(s) members
O. – Organize Assets, Policies, and Possible Solutions
C. – Communicate with the Data Users
K. – Kickstart the process with Quick Wins!

Data Stewards

Recruit - Build Your Armies

• Executives
• Risk Management
• Legal
• Data Users
• Data Custodians
• Governance, Regulation, Compliance Committee (GRC)
• Data E-Security

Organize - Arm Yourself With Policies

• Data Classification
• Retention Policies
• Other?

Data Retention Policy

Attributes of a Good Retention Policy:

• Value based
• Clear goals for retention and accountabilities
• Defined categories of data
• Properly vetted with cross-functional buy-in by the community
• Directs technology to support lifecycle sustainability
• Includes monitoring and compliance

Communicate - the Strategy of the 3 R’s

• Remove – Do we even need to collect it? Or can we dispose of it?
• Redact – If we store it, can we redact or obfuscate it?
• Restrict – Who should see it? Access it? What views?

Communicate - AND I MEAN IT!!!

• Remove – Can we simply remove it or do without it?
• Redact – Who should be able to view it?
• Restrict – Who should access it? And HOW?

Examine a “Fountain” effect. What are some consequences?

Communicate – How to Comply With Data Retention

• Bring strategies for storage solutions
• Being a GOOD Steward – disposing of data properly
• Know your retention times
• Treat e-records like paper records

Communicate – Once We Reach Restrict, Protecting Access Controls

• 76% of breaches were the result of weak or stolen account credentials
• What’s the cost? Approx. $200 per record.

Communicate with the Leaders and Troops

• Meet with the Data Stewards and Users and pitch the steps and the consequences and results of each step
• Do your homework for proposals regarding what you think are “Quick Wins” and ask others to identify other “Quick Win” areas.
• Explain that greater access controls implemented by InfoSec are often the result of exhaustion of the first 2 R’s

KICKSTART! - Go for QUICK WINS!!!

• Propose some key targets for data removal
• Ask your Stewards to identify “Quick Wins” or Gains
• Monitor and maintain momentum for proposed projects

KICKSTART! - QUICK WIN Stories!

• F&A review of data repositories
• PII in more globally viewable locations removed
• Duplicated data in test instances reduced

Deploy the Custodians - Technology

• Automating scans and searches for record dates
• Automated purges
• Provide end user tools
• Deploying data redaction or access control limitations
• MFA
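The scans, purges and redaction items on this slide, together with the Remove, then Redact, then Restrict ordering from “The Strategy of the 3 R’s”, as one worked example. This is an added dry-run script, not tooling from the presenters or their institution: the retention schedule, the record fields, the `authoritative` flag (system of record versus copy), the fixed `TODAY` and the sample records are all assumptions made for the example, and the SSN and card patterns are illustrative detectors rather than a complete data-discovery engine.

```python
"""Dry-run "3 R's" scanner: decide Remove, Redact or Restrict per record.

Added example, not the presenters' tooling. The retention schedule,
record format, sample data and the copy-vs-system-of-record rule are
all assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Assumed retention schedule in years per data category. A limit of 0
# means "never keep": test copies of production data are always purged.
RETENTION_YEARS = {"hr": 7, "finance": 7, "test": 0}

# Restricted-data patterns. The SSN pattern rejects area 000/666/9xx,
# group 00 and serial 0000, which are never issued, to cut false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

TODAY = date(2018, 6, 3)  # fixed "today" so the example is reproducible


def luhn_ok(digits: str) -> bool:
    """Luhn check so arbitrary digit runs (order numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_restricted(text: str) -> list[str]:
    """Return SSN-like and Luhn-valid card-like values found in text."""
    hits = SSN_RE.findall(text)
    hits += [m for m in CARD_RE.findall(text) if luhn_ok(_digits(m))]
    return hits


def redact(text: str) -> str:
    """Mask every restricted value down to its last four digits."""
    def keep_last4(m: re.Match) -> str:
        d = _digits(m.group(0))
        return "*" * (len(d) - 4) + d[-4:]

    text = SSN_RE.sub(keep_last4, text)
    return CARD_RE.sub(
        lambda m: keep_last4(m) if luhn_ok(_digits(m.group(0))) else m.group(0),
        text,
    )


@dataclass
class Record:
    path: str
    category: str
    last_modified: date
    authoritative: bool  # True for the system of record, False for copies
    content: str


@dataclass
class Decision:
    path: str
    action: str  # "remove" | "redact" | "restrict" | "keep"
    reason: str
    content: str  # content after the action ("" once removed)


def decide(rec: Record, today: date = TODAY) -> Decision:
    """Apply the R's in the deck's order: Remove, then Redact, then Restrict."""
    age_years = (today - rec.last_modified).days / 365.25
    limit = RETENTION_YEARS.get(rec.category)
    if limit is not None and age_years >= limit:
        return Decision(rec.path, "remove", f"past {limit}-year retention", "")
    hits = find_restricted(rec.content)
    if not hits:
        return Decision(rec.path, "keep", "no restricted data found", rec.content)
    if not rec.authoritative:  # a copy never needs the full values
        return Decision(rec.path, "redact",
                        f"{len(hits)} restricted value(s) in a copy", redact(rec.content))
    return Decision(rec.path, "restrict",
                    f"{len(hits)} restricted value(s) in the system of record", rec.content)


def run(records: list[Record], today: date = TODAY) -> list[Decision]:
    return [decide(r, today) for r in records]


def summarize(decisions: list[Decision]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample records (not real data).
SAMPLE = [
    Record("hr/payroll_2009.csv", "hr", date(2009, 3, 1), True, "id,ssn\n1,123-45-6789"),
    Record("finance/refunds.csv", "finance", date(2018, 1, 10), False,
           "card 4111 1111 1111 1111 refunded"),
    Record("hr/master.csv", "hr", date(2018, 2, 1), True, "id,ssn\n1,123-45-6789"),
    Record("test/dump.sql", "test", date(2018, 2, 1), False, "INSERT ... '123-45-6789'"),
    Record("lib/hours.txt", "lib", date(2018, 2, 1), False, "Open 9-5; order 1234567890123"),
]

if __name__ == "__main__":
    for d in run(SAMPLE):
        print(f"{d.action:8} {d.path:24} {d.reason}")
    print(summarize(run(SAMPLE)))
```

Every decision carries its reason so the Data Stewards can review the list before anything is purged; wiring `remove` to an actual deletion, and `restrict` to an ACL change plus MFA on the accounts that keep access, is the step the Data Custodians own.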

Sustain Your Strategy – ROCK(S)?

• Repeatable processes
• Review technology tools for process automation
• Revisit timelines and record schedules
• Report annual record counts and reductions

WIN!!! With Strategies in the Game of RISK