Protecting The Data

Copyright Security-Assessment.com 2006

Protecting The Data

Data security, compliance, disclosure requirements and what can happen if you get it wrong

Presented By Brett Moore


• Recent study by the Ponemon Institute Examined costs incurred by 14 companies in 11 industry sectors

• Breaches affecting between 1,500 to 900,000 consumersTangible and intangible costs up to $14 million USD

• Related survey of customers20% had terminated their relationship with the companyAnother 40% were considering in doing so

• What information Staggering amount of information stored nowFinancial, health, social, personal, business

With the masses amount of data that flows through your organisation, are you taking the appropriate steps to protect

what may be your most valuable asset?

Information Loss Costs Money


The Issue• Many organisations choose to spend their resources

identifying and managing information security vulnerabilities instead of managing risk to their information assets.

• Vulnerability-centric approaches to organisational security fall short of appropriately characterizing organizational risk because they fail to focus on what is actually at risk, the information and processes they support.


• What is an information asset An information asset is any data stored that is used by the organisation for information purposes.

• Information value can be calculatedBased on the importance to the organisations continuationThe affect the loss of the information would have

• Information risk assessment The type of data the information is created from affects the requirement to secure it

• Information valueDetermines its importance and criticality to the organisation

• Which data is which?What happens when an information asset is a combination of data from different sources?

Information Assets


Where Is The Information Stored• You MUST know where your information is stored

How else are you able to secure it?• Data is stored in containers

Drive, tape, cd-rom, dvd, paper, people• Containers are not ‘physical’

Stored on multiple serversA collection of databasesA collection of database tables

• Containers are not only technicalInformation can be in printed formInformation is stored in peoples heads


Container Security Aspects• The way in which an asset is protected

Through controls implemented at the container levelie: access checks at the database level

• Security control depthThe degree to which an asset is protected is based on how well the control reflect the requirements of the asset

• Risk inheritanceAny risk associated with the container is inherited by the assetie: server destruction, tape backup theft

• Legal requirementsThere can be different legal requirements dependant on the information asset’s container


Who Owns The Data?• The owner

Are those who have primary responsibility for the viability and survivability of the asset

• Security requirementsOwners set the security requirements for an asset and communicate these to the assets’ custodiansEnsuring the security requirements have been implemented

• Defining the assetThe owner defines what the information asset consists of, and is responsible for determining the assets valueIt is this value that is used to calculate risk mitigation processes

• DelegationThe owner can delegate responsibilities but ultimately remains the owner responsible for the assets protection


Who Looks After The Data?• The custodian

Manage or are responsible for containers• Accepts responsibility

The custodian accepts responsibility and protects the data according to the owners defined requirements

• Is NOT the ownerDespite common misconception, the custodian is not the owner and therefore not the responsible entity

• Information useAny person who makes use of the information asset becomes a custodian during that period


Governance – External Requirements• Legal

Sarbanes-OxleyCalifornia Disclosure LawCommon Law Duty of Care

• Industry ImposedPCI Compliance

All concerned with information assets, not security breaches


• Sarbanes-Oxley (USA, July 2002)Requirements for all public companies listed in the USPublic companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reportingIndependent auditors for such companies must "attest" (i.e., agree, or qualify) to such disclosureFinancial reporting is generally driven by information assets, so the security of those information assets is of primary concern

• SB 1386 (California Disclosure Law, September 2002)Requires protection of personally identifiable informationMust disclose if this information is reasonably believed to have been compromisedRelates to any instance involving a resident of California23 States now passed and several bills in front of Congress

Legal Requirements


Impact of Disclosure Requirements• Sarbanes-Oxley

Cray Inc (Supercomputer manufacturer)In March 2005, Cray filed a SOX report warning of material weaknesses in internal control over financial reportingInadequate review of third-party contracts and lack of software application controls and documentation (SoD, and IT auditing issues)Cray's stock price dropped 56%, from $3.15 per share on March 15, 2005, to $1.38 on May 25, 2005Now faced with a class action suit by shareholders


Impact of Disclosure Requirements• US Disclosure LawsFrom http://www.privacyrights.org/ar/ChronDataBreaches.htm

Over 120 Breaches disclosed so far this yearOver 80 million records involvedBreaches included:

HackingDishonest employeesStolen computersLost backup tapesAccidental online exposure


Impact of Disclosure Requirements• Ponemon Institute Studies

Notification Impact19% of disclosure recipients terminated relationship40% thinking of terminating27% concerned regarding organisation

Cost of BreachReviewed 14 breachesBreaches ranged from 1,500 records to 900,000 records from 11 different industry sectorsAverage losses of $140 per record, or $14 million per

companyIncludes direct ($50), indirect($15), and opportunity

costs($75)Does not include implementation of additional controls


• Identify information assets and ownersIAP – Information Asset Profiling

• Conduct an information security risk assessmentThis includes identifying the risks to the asset

• Develop and implement security policies and proceduresThis drives how and what technology is used

• Test, audit, and updatePolicies and processes must workYou need to know when they are been breachedThey need to be kept recent and up to date

Steps To Protect Information Assets


Information Asset Risk Assessment• Primary Container May Not Be Primary Risk

Other locations where information may be stored includes:– Backups– DR systems– Laptops– Desktops

• Once Each Container Has Been Identified, Establish How Each Is Accessed– Thick client applications– Web Applications– Database connections– Direct file access


Information Asset Risk Assessment• Perform a threat assessment of each entry point of each

information asset container

• Assess each threat using standard risk assessment mechanisms utilising the value of the information asset to determine the impact of the threat occurring

• Each container may have multiple risk profiles, use the highest rating to determine the overall risk for that container

• Remember to take into account information in transit


Vulnerability versus Information Asset Approaches• Vulnerability Management

Usually focused on individual containers or access points (applications)Generally doesn’t take into account the value of information assetsRates vulnerabilities in terms of impact to container, not data

• Information Asset ProfilingFocuses on risks to data rather than systems or applicationsRisks directly associated with value of dataMay not take into account risks not relating to data, such as reputational risk


• EncryptionDatabaseCommunicationLaptopBackup

• Principle Of Least PrivilegeDatabaseServerApplication

• Protect Data Even After Container Has Been RetiredWipe old disks/tapes, or destroy

• Log/Audit Trails

Common Tools And Techniques To Protect Data


• Do you have an application or vulnerability-centric approach to security rather than focusing on the information itself?

• Have you identified where your critical business data resides?DatabasesServersBackupsLaptops

• Have you got mechanisms in place to protect each of those locations?Database/Server protections Laptop encryptionBackup encryption

Key Questions To Take Away


Questions ?

http://www.security-assessment.com

[email protected]

Protecting The Data

Documents

Transcript of Protecting The Data