It’s All About the Data!
David C. Frier, CISSP
Security Practice Lead
CIBER, Upstate NY
Oct. 21, 2010
1/29/2015 | 2 | ©2010 CIBER, Inc.
CIBER Profile
• CIBER is a $1 Billion Global IT Services Company that Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government
– Consistent growth and profitability since 1974
– More than 8,500 employees
– NYSE (CBR) - Headquartered in Denver
– 85 Offices in 18 countries
– US and Offshore Development Centers
– Global IT Operations Centers – US & Europe
– Global practices supported by local resources
– Fortune 500 and mid-market leaders/challengers
– Focus on quality: ISO 9001, CPMM, SAS 70
Frier Profile
• Frier is a less-than-$1 Billion IT Professional who Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government
– Consistent growth since 1957
– (first up then out)
– (DCF) - Headquartered in Rochester
– IT Operations first established in 1979
– IT Security, Operations, Architecture
– Project Management and Consulting
– Training and IT Evangelism
– CISSP, CRISC (pending)
Outline
• What is in scope of Data Protection?
• What Threats exist?
• Who Cares?
• What is included in Data Protection?
• Is Data Protection Effective?
• One approach for Data Classification
Data Protection – what is in scope
– Regulated Data
• HIPAA
• PCI
• GLBA
– PII/SPI
• Under Safe Harbor
• Subject to Breach Disclosure laws
– Strategic Data
• IP
• Sales & Marketing Data
• Financial (SOX)
• M&A, Recruiting, other non-public plans
Threats to Data
• Lost or Stolen Devices
– Laptops and removable storage most common
• Disposal
– Incorrect disposal of disk and tape media
• Criminal Attacks
– Hacking more than physical theft
• Network Exposure
– Misconfigured web presence
– Email attachments
• Malicious Insiders
Who cares about Data Protection Programs?
Source: Business Case for Data Protection, Ponemon Institute, July 2009
Enterprise Data Protection – what is included
• Data Loss Prevention - Network
• Data Loss Prevention - Endpoint
• Data Loss Prevention - Storage
• Content Discovery (Process)
• Email Filtering
• Database Activity Monitoring
• Full Drive Encryption
• USB/Portable Media Encryption or Device Control
• Enterprise Digital Rights Management
• Database Encryption
• Application Encryption
• Web Application Firewall
• Backup Tape Encryption
• Entitlement Management
• Access Management
• Data Masking
• Network Segregation
• Server/Endpoint Hardening
Are Corporate Data Protection Programs Effective?
• Perceived Effectiveness ¹
– CEOs: 58%
– Other C-Levels: 48%
• Which Controls are Most Effective ²
– Data Loss Prevention - Network
– Data Loss Prevention - Endpoint
– Data Loss Prevention - Storage
– Content Discovery (Process)
– Email Filtering
1 – Source: Business Case for Data Protection, Ponemon Institute, July 2009
2 – Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
Why Are Corporate Data Protection Programs Effective?
• Which Controls are Least Effective?
– Email Filtering
– USB/Portable Media Encryption or Device Control
– Database Activity Monitoring
– Backup Tape Encryption
– Content Discovery (Process)
Notice anything odd?
Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
Do you know what
you are charged to protect?
Who recognizes this?
Kings play chess on finely grained sand
Did you take zoology in school?
Kings play chess on finely grained sand
• Kingdom
• Phylum
• Class
• Order
• Family
• Genus
• Species
Data Classification
• Use a Taxonomy
• From Kingdoms, the highest level, down to individual reports and documents
• Seven layers may seem like a lot
– …but it’s easy to find pockets where you need more
Data Classification -- Kingdoms
• Start with “Public” and “Non-Public”
• You might add a third for customer-privileged information
• Most Data protection effort will focus on Non-Public
The point of the taxonomy is to successively sharpen the focus of the enterprise data protection efforts
Data Classification -- Phyla
• This is a good layer for your data owner organizations
– Yes: All data must have an owner.
– Owners make the decisions about what level of protection is needed
– Typically, data owners are the groups that own the processes that create/update/delete the data
• From here down you will see categories repeated
– This is the way to express the matrix nature of some of these designations across the top-down hierarchy
Data Classification -- Classes
• At the Class level you can apply the levels-of-
sensitivity classifications
– Confidential
– Sensitive
– “Company only”
These are suggestions only… the important thing is to be
consistent across all the data with what you do at a given
level
Data Classification -- Orders
• With Order, start to divide up the data into groups of related business processes
– Example: within the HR phylum,
• Payroll
• Benefits
• Performance Mgt.
• Recruiting
– Each of these may be in different classes for sensitivity
– Class designations will often repeat across phyla but that’s OK
Data Classification -- Families
• For Family, get to the application or system level
– For example, within the Benefits order
• One app manages Health Care
• Another manages PTO
• Another for Tuition Reimbursement
• etc.
– It is also likely that this isolates specific business processes
– “Applications” in this context may be modules within larger enterprise systems
Data Classification – Genus & Species
• Genus is a particular data type
– Reports
– Databases
– Feed files
• Species is instances of those types
– “The weekly payroll register”
– “The monthly healthcare claims report”
Let’s look at that payroll report
• Kingdom – Non-public
• Phylum – HR
• Class – Confidential
• Order – Payroll
• Family – ADP interface
• Genus – Reports
• Species – Payroll report
Data Classification – Put it to use
• Classification and handling decisions may be made wherever appropriate
– For example, a single massive database may power an enterprise HRIS that is classified at the Order level
– And that database might not be able to safely support multiple levels of security at once, so you decide to take the “worst case” approach: handle the whole store at the most restrictive class it contains.
• You may not need all the levels
– But if you give yourself the room you will get this done to enough detail to make informed decisions
Data Classification – Put it to use
• Determine Regulatory Scope
• Prioritize Coverage
• Phase-in Programs
• Get below-C Mgt. Buy-In
• Communicate why you are acting to protect this and not that (yet)
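To make the payroll walk-through, the “worst case” rule and the coverage-prioritization step concrete, here is an added Python example. It is my own illustration, not code from the slides or from CIBER: it models the seven-rank taxonomy, records the payroll report exactly as the slides classify it, validates that every asset has an owner and a usable class, rolls a shared HRIS database up to its most restrictive class, and ranks phyla (data-owner organizations) by how much top-class data they hold. The numeric ordering of the three Class levels, and every inventory entry other than the payroll report, are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# The seven ranks of the taxonomy from the slides, top-down.
RANKS = ("kingdom", "phylum", "class", "order", "family", "genus", "species")

KINGDOMS = {"Public", "Non-public"}

# Sensitivity levels applied at the Class rank. The slides offer these as
# suggestions and do not rank them; the numeric ordering (higher = more
# restrictive) is an assumption made for this example.
CLASS_LEVEL = {"Company only": 1, "Sensitive": 2, "Confidential": 3}


@dataclass(frozen=True)
class DataAsset:
    """One classified data asset. Lower ranks are optional: the slides note
    you may not need every level (e.g. a whole HRIS classified at Order)."""
    name: str
    owner: str                      # "All data must have an owner"
    kingdom: str
    phylum: str
    sensitivity: Optional[str]      # the Class rank; None for Public data
    order: Optional[str] = None
    family: Optional[str] = None
    genus: Optional[str] = None
    species: Optional[str] = None

    def path(self) -> List[str]:
        """The classification, top-down, stopping at the first unused rank."""
        values = [self.kingdom, self.phylum, self.sensitivity,
                  self.order, self.family, self.genus, self.species]
        out: List[str] = []
        for v in values:
            if v is None:
                break
            out.append(v)
        return out


def validate(asset: DataAsset) -> List[str]:
    """Consistency checks a classification exercise should enforce.
    Returns a list of problems; an empty list means the record is acceptable."""
    problems: List[str] = []
    if not asset.owner.strip():
        problems.append(f"{asset.name}: no data owner assigned")
    if asset.kingdom not in KINGDOMS:
        problems.append(f"{asset.name}: unknown kingdom {asset.kingdom!r}")
    if asset.kingdom == "Non-public" and asset.sensitivity is None:
        problems.append(f"{asset.name}: non-public data needs a sensitivity class")
    if asset.sensitivity is not None and asset.sensitivity not in CLASS_LEVEL:
        problems.append(f"{asset.name}: unknown class {asset.sensitivity!r}")
    return problems


def worst_case(assets: Iterable[DataAsset]) -> Optional[str]:
    """Most restrictive class among assets sharing one store. A database that
    cannot safely enforce several levels at once is handled at this level."""
    classes = [a.sensitivity for a in assets if a.sensitivity is not None]
    if not classes:
        return None
    return max(classes, key=lambda c: CLASS_LEVEL.get(c, 0))


def coverage_priority(assets: Iterable[DataAsset]) -> List[Tuple[str, int, int]]:
    """Phyla ordered by how many assets sit at the most restrictive class,
    then by total asset count: a simple basis for deciding whose data to
    bring under protection first. Returns (phylum, top_class_count, total)."""
    top = max(CLASS_LEVEL.values())
    counts: Dict[str, Counter] = {}
    for a in assets:
        c = counts.setdefault(a.phylum, Counter())
        c["total"] += 1
        if a.sensitivity is not None and CLASS_LEVEL.get(a.sensitivity, 0) == top:
            c["top"] += 1
    return sorted(((p, c["top"], c["total"]) for p, c in counts.items()),
                  key=lambda t: (-t[1], -t[2], t[0]))


# Constructed sample inventory. The payroll report follows the walk-through
# on the slides; the other assets are invented for illustration only.
PAYROLL_REPORT = DataAsset(
    "The weekly payroll register", "HR", "Non-public", "HR", "Confidential",
    order="Payroll", family="ADP interface", genus="Reports", species="Payroll report",
)
SAMPLE_INVENTORY = [
    PAYROLL_REPORT,
    DataAsset("PTO balances table", "HR", "Non-public", "HR", "Sensitive",
              order="Benefits", family="PTO app", genus="Databases"),
    DataAsset("Org chart", "HR", "Non-public", "HR", "Company only",
              order="Performance Mgt."),
    DataAsset("Price list", "Sales", "Public", "Sales & Marketing", None),
    DataAsset("Pipeline forecast", "Sales", "Non-public", "Sales & Marketing",
              "Confidential", order="Forecasting", genus="Feed files"),
]

# One HRIS database holds every HR asset, so the "worst case" rule applies
# to the whole store.
HRIS_STORE = [a for a in SAMPLE_INVENTORY if a.phylum == "HR"]

if __name__ == "__main__":
    print(" > ".join(PAYROLL_REPORT.path()))
    print("HRIS store handled as:", worst_case(HRIS_STORE))
    for a in SAMPLE_INVENTORY:
        for p in validate(a):
            print("PROBLEM:", p)
    print("Coverage priority:", coverage_priority(SAMPLE_INVENTORY))
```

Running it prints the payroll report as Non-public > HR > Confidential > Payroll > ADP interface > Reports > Payroll report, reports the HRIS store as Confidential because the payroll report lives in it, and puts the HR phylum first for coverage. Swap in a real inventory and the validation loop becomes the check that no owner-less or unclassified non-public asset slips through before handling rules are assigned.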
Remember!
It’s all about the data!
More Resources
• Ponemon Reports
– http://www.ponemon.org/data-security
• Securosis Survey
– http://www.imperva.com/resources/analyst.html
• CIBER
– http://www.ciber.com/
• Frier
– dfrier@ciber.com
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 

It's All About the Data!

  • 1. It’s All About the Data!
    David C. Frier, CISSP, Security Practice Lead, CIBER, Upstate NY. Oct. 21, 2010
  • 2. 1/29/2015 | 2 | ©2010 CIBER, Inc. CIBER Profile
    – CIBER is a $1 Billion Global IT Services Company that Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government
      • Consistent growth and profitability since 1974
      • More than 8,500 employees
      • NYSE (CBR) - Headquartered in Denver
      • 85 Offices in 18 countries
      • US and Offshore Development Centers
      • Global IT Operations Centers – US & Europe
      • Global practices supported by local resources
      • Fortune 500 and mid-market leaders/challengers
      • Focus on quality: ISO 9001, CPMM, SAS 70
  • 3. Frier Profile
    – Frier is a less-than-$1 Billion IT Professional who Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government
      • Consistent growth since 1957 (first up, then out)
      • (DCF) - Headquartered in Rochester
      • IT Operations first established in 1979
      • IT Security, Operations, Architecture
      • Project Management and Consulting
      • Training and IT Evangelism
      • CISSP, CRISC (pending)
  • 4. Outline
    – What is in scope of Data Protection?
    – What Threats exist?
    – Who Cares?
    – What is included in Data Protection?
    – Is Data Protection Effective?
    – One approach for Data Classification
  • 5. Data Protection – what is in scope
    – Regulated Data
      • HIPAA
      • PCI
      • GLBA
    – PII/SPI
      • Under Safe Harbor
      • Subject to Breach Disclosure laws
    – Strategic Data
      • IP
      • Sales & Marketing Data
      • Financial (SOX)
      • M&A, Recruiting, other non-public plans
  • 6. Threats to Data
    – Lost or Stolen Devices
      • Laptops and removable storage most common
    – Disposal
      • Incorrect disposal of disk and tape media
    – Criminal Attacks
      • Hacking more than physical theft
    – Network Exposure
      • Misconfigured web presence
      • Email attachments
    – Malicious Insiders
  • 7. Who cares about Data Protection Programs?
    Source: Business Case for Data Protection, Ponemon Institute, July 2009
  • 8. Enterprise Data Protection – what is included
    – Data Loss Prevention - Network
    – Data Loss Prevention - Endpoint
    – Data Loss Prevention - Storage
    – Content Discovery (Process)
    – Email Filtering
    – Database Activity Monitoring
    – Full Drive Encryption
    – USB/Portable Media Encryption or Device Control
    – Enterprise Digital Rights Management
    – Database Encryption
    – Application Encryption
    – Web Application Firewall
    – Backup Tape Encryption
    – Entitlement Management
    – Access Management
    – Data Masking
    – Network Segregation
    – Server/Endpoint Hardening
  • 9. Are Corporate Data Protection Programs Effective?
    – Perceived Effectiveness¹
      • CEOs: 58%
      • Other C-Levels: 48%
    – Which Controls are Most Effective?²
      • Data Loss Prevention - Network
      • Data Loss Prevention - Endpoint
      • Data Loss Prevention - Storage
      • Content Discovery (Process)
      • Email Filtering
    1 – Source: Business Case for Data Protection, Ponemon Institute, July 2009
    2 – Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
  • 10. Why Are Corporate Data Protection Programs Effective?
    – Which Controls are Least Effective?
      • Email Filtering
      • USB/Portable Media Encryption or Device Control
      • Database Activity Monitoring
      • Backup Tape Encryption
      • Content Discovery (Process)
    Notice anything odd?
    Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
  • 11. Do you know what you are charged to protect?
  • 12. Who recognizes this?
    Kings play chess on finely grained sand
  • 13. Did you take zoology in school?
    Kings play chess on finely grained sand
    – Kingdom
    – Phylum
    – Class
    – Order
    – Family
    – Genus
    – Species
  • 14. Data Classification
    – Use a Taxonomy
    – From Kingdoms, the highest level, down to individual reports and documents
    – Seven layers may seem like a lot
      • …but it’s easy to find pockets where you need more
  • 15. Data Classification – Kingdoms
    – Start with “Public” and “Non-Public”
    – You might add a third for customer-privileged information
    – Most Data protection effort will focus on Non-Public
    The point of the taxonomy is to successively sharpen the focus of the enterprise data protection efforts.
  • 16. Data Classification – Phyla
    – This is a good layer for your data owner organizations
      • Yes: All data must have an owner.
      • Owners make the decisions about what level of protection is needed
      • Typically, data owners are the groups that own the processes that create/update/delete the data
    – From here down you will see categories repeated
      • This is the way to express the matrix nature of some of these designations across the top-down hierarchy
  • 17. Data Classification – Classes
    – At the Class level you can apply the levels-of-sensitivity classifications
      • Confidential
      • Sensitive
      • “Company only”
    These are suggestions only… the important thing is to be consistent, across all the data, in what you do at a given level.
  • 18. Data Classification – Orders
    – With Order, start to divide up the data into groups of related business processes
      • Example: within the HR phylum,
        – Payroll
        – Benefits
        – Performance Mgt.
        – Recruiting
      • Each of these may be in different classes for sensitivity
      • Class designations will often repeat across phyla, but that’s OK
  • 19. Data Classification – Families
    – For Family, get to the application or system level
      • For example, within the Benefits order:
        – One app manages Health Care
        – Another manages PTO
        – Another for Tuition Reimbursement
        – etc.
      • It is also likely that this isolates specific business processes
      • “Applications” in this context may be modules within larger enterprise systems
  • 20. Data Classification – Genus & Species
    – Genus is a particular data type
      • Reports
      • Databases
      • Feed files
    – Species is an instance of one of those types
      • “The weekly payroll register”
      • “The monthly healthcare claims report”
  • 21. Let’s look at that payroll report
    – Kingdom – Non-public
    – Phylum – HR
    – Class – Confidential
    – Order – Payroll
    – Family – ADP interface
    – Genus – Reports
    – Species – Payroll report
  • 22. Data Classification – Put it to use
    – Classification and handling decisions may be made wherever appropriate
      • For example, a single massive database may power an enterprise HRIS that is classified at the Order level
      • And that database might not be safe trying to support multiple levels of security, so you decide to take the “worst case” approach.
    – You may not need all the levels
      • But if you give yourself the room, you will get this done to enough detail to make informed decisions
  • 23. Data Classification – Put it to use
    – Determine Regulatory Scope
    – Prioritize Coverage
    – Phase-in Programs
    – Get below-C Mgt. Buy-In
    – Communicate why you are acting to protect this and not that (yet)
  • 24. Remember! It’s all about the data!
  • 25. More Resources
    – Ponemon Reports – http://www.ponemon.org/data-security
    – Securosis Survey – http://www.imperva.com/resources/analyst.html
    – CIBER – http://www.ciber.com/
    – Frier – dfrier@ciber.com
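The seven-level taxonomy of slides 14 to 21 and the "worst case" rule of slide 22, carried through as a small inventory model. This is an added example, not code from the deck or from CIBER: the `Asset` and `worst_case_by_family` names, the ranking of the three sensitivity classes, the use of "Public" as the class of Public-kingdom data and the "HRIS database" rows are all assumptions; only the payroll report row follows the deck's slide 21.

```python
from dataclasses import dataclass

# The deck's seven taxonomy levels, highest first (Kingdom down to Species).
LEVELS = ("kingdom", "phylum", "cls", "order", "family", "genus", "species")
KINGDOMS = ("Public", "Non-Public")
# Sensitivity classes from the Classes slide, ranked so a "worst case" can be computed;
# using "Public" as the class of Public-kingdom data is an assumption, not the deck's.
CLASS_RANK = {"Public": 0, "Company only": 1, "Sensitive": 2, "Confidential": 3}

@dataclass(frozen=True)
class Asset:
    kingdom: str
    phylum: str   # data-owner organization
    cls: str      # sensitivity class
    order: str    # group of related business processes
    family: str   # application, system or database
    genus: str    # data type: Reports, Databases, Feed files
    species: str  # the individual instance

    def path(self) -> str:
        return " > ".join(getattr(self, lvl) for lvl in LEVELS)
    def problems(self) -> list:
        # Known kingdom, known class, and the kingdom and class must agree.
        found = []
        if self.kingdom not in KINGDOMS:
            found.append(f"{self.species}: unknown kingdom {self.kingdom!r}")
        if self.cls not in CLASS_RANK:
            found.append(f"{self.species}: unknown class {self.cls!r}")
        elif (self.kingdom == "Non-Public") != (self.cls != "Public"):
            found.append(f"{self.species}: kingdom {self.kingdom!r} disagrees with class {self.cls!r}")
        return found

def worst_case_by_family(assets) -> dict:
    """Roll each Species up to its Family (the application or database holding it) and keep
    the highest-ranked Class found there: the deck's "worst case" rule for a shared database."""
    worst = {}
    for a in assets:
        if a.problems():
            raise ValueError("; ".join(a.problems()))
        if CLASS_RANK[a.cls] > CLASS_RANK.get(worst.get(a.family), -1):
            worst[a.family] = a.cls
    return worst

# Constructed sample inventory (first row is the deck's payroll example; the rest are invented).
INVENTORY = [
    Asset("Non-Public", "HR", "Confidential", "Payroll", "ADP interface", "Reports", "Payroll report"),
    Asset("Non-Public", "HR", "Sensitive", "Benefits", "HRIS database", "Databases", "Enrollment table"),
    Asset("Non-Public", "HR", "Company only", "Benefits", "HRIS database", "Reports", "PTO balance report"),
]
```

Running `worst_case_by_family(INVENTORY)` handles the shared HRIS database as "Sensitive" even though one of its reports is only "Company only", which is the decision slide 22 describes.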