SlideShare una empresa de Scribd logo

It's All About the Data!

Descargar como PPTX, PDF
Rochester Security Summit
Rochester Security Summit

David C. Frier discusses the importance of data protection and classification. He outlines common data protection threats like lost devices, disposal issues, and network exposure. While CEOs perceive effectiveness at 58%, other executives are lower at 48%. The most effective controls are seen as data loss prevention tools, while email filtering and backup encryption are seen as less effective. Frier advocates for classifying data into a taxonomy of 7 layers from kingdoms to species to appropriately focus protection efforts. This helps determine regulatory scope, prioritize coverage, and phase in programs.

Tecnología
1 de 26
It’s All About the Data! David C. Frier, CISSP Security Practice Lead CIBER, Upstate NY Oct. 21, 2010
1/29/2015 | 2 | ©2010 CIBER, Inc. CIBER Profile • CIBER is a $1Billion Global IT Services Company that Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government  Consistent growth and profitability since 1974  More than 8,500 employees  NYSE (CBR) - Headquartered in Denver  85 Offices in 18 countries  US and Offshore Development Centers  Global IT Operations Centers – US & Europe  Global practices supported by local resources  Fortune 500 and mid-market leaders/challengers  Focus on quality: ISO 9001, CPMM, SAS 70
1/29/2015 | 3 | ©2010 CIBER, Inc. Frier Profile • Frier is a less-than-$1Billion IT Professional who Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government  Consistent growth since 1957  (first up then out)  (DCF) - Headquartered in Rochester  IT Operations first established in 1979  IT Security, Operations, Architecture  Project Management and Consulting  Training and IT Evangelism  CISSP, CRISC (pending)
1/29/2015 | 4 | ©2010 CIBER, Inc. Outline • What is in scope of Data Protection? • What Threats exist? • Who Cares? • What is included in Data Protection? • Is Data Protection Effective • One approach for Data Classification
1/29/2015 | 5 | ©2010 CIBER, Inc. – Regulated Data • HIPAA • PCI • GLBA – PII/SPI • Under Safe Harbor • Subject to Breach Disclosure laws – Strategic Data • IP • Sales & Marketing Data • Financial (SOX) • M&A, Recruiting, other non-public plans Data Protection – what is in scope
1/29/2015 | 6 | ©2010 CIBER, Inc. • Lost or Stolen Devices – Laptops and removable storage most common • Disposal – Incorrect disposal of disk and tape media • Criminal Attacks – Hacking more than physical theft • Network Exposure – Misconfigured web presence – Email attachments • Malicious Insiders Threats to Data
1/29/2015 | 7 | ©2010 CIBER, Inc. Who cares about Data Protection Programs? Source: Business Case for Data Protection, Ponemon Institute, July 2009
1/29/2015 | 8 | ©2010 CIBER, Inc. • Data Loss Prevention- Network • Data Loss Prevention- Endpoint • Data Loss Prevention- Storage • Content Discovery (Process) • Email Filtering • Database Activity Monitoring • Full Drive Encryption • USB/Portable Media Encryption or Device Control • Enterprise Digital Rights Management • Database Encryption • Application Encryption • Web Application Firewall • Backup Tape Encryption • Entitlement Management • Access Management • Data Masking • Network Segregation • Server/Endpoint Hardening Enterprise Data Protection – what is included
1/29/2015 | 9 | ©2010 CIBER, Inc. • Perceived Effectiveness ¹ – CEOs: 58% – Other C-Levels: 48% • Which Controls are Most Effective² Data Loss Prevention- Network Data Loss Prevention- Endpoint Data Loss Prevention- Storage Content Discovery (Process) Email Filtering Are Corporate Data Protection Programs Effective? 2 – Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010 1 – Source: Business Case for Data Protection, Ponemon Institute, July 2009
1/29/2015 | 10 | ©2010 CIBER, Inc. • Which Controls are Least Effective? Email Filtering USB/Portable Media Encryption or Device Control Database Activity Monitoring Backup Tape Encryption Content Discovery (Process) Notice anything odd? Why Are Corporate Data Protection Programs Effective? Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
1/29/2015 | 11 | ©2010 CIBER, Inc. Do you know what you are charged to protect?
1/29/2015 | 12 | ©2010 CIBER, Inc. Who recognizes this? Kings play chess on finely grained sand
1/29/2015 | 13 | ©2010 CIBER, Inc. Did you take zoology in school? Kings play chess on finely grained sand • Kingdom • Phylum • Class • Order • Family • Genus • Species
1/29/2015 | 14 | ©2010 CIBER, Inc. • Use a Taxonomy • From Kingdoms, the highest level, down to individual reports and documents • Seven layers may seem like a lot – …but it’s easy to find pockets where you need more Data Classification
1/29/2015 | 15 | ©2010 CIBER, Inc. • Start with “Public” and “Non-Public” • You might add a third for customer-privileged information • Most Data protection effort will focus on Non-Public The point of the taxonomy is to successively sharpen the focus of the enterprise data protection efforts Data Classification -- Kingdoms
1/29/2015 | 16 | ©2010 CIBER, Inc. • This is a good layer for your data owner organizations – Yes: All data must have an owner. – Owners make the decisions about what level of protection is needed – Typically, data owners are the groups that own the processes that create/update/delete the data • From here down you will see categories repeated – This is the way to express the matrix nature of some of these designations across the top-down hierarchy Data Classification -- Phyla
1/29/2015 | 17 | ©2010 CIBER, Inc. Data Classification -- Classes • At the Class level you can apply the levels-of- sensitivity classifications – Confidential – Sensitive – “Company only” These are suggestions only… the important thing is to be consistent across all the data with what you do at a given level
1/29/2015 | 18 | ©2010 CIBER, Inc. • With Order, start to divide up the data into groups of related business processes – Example: within the HR phylum, • Payroll • Benefits • Performance Mgt. • Recruiting – Each of these may be in different classes for sensitivity – Class designations will often repeat across phyla but that’s OK Data Classification -- Orders
1/29/2015 | 19 | ©2010 CIBER, Inc. • For Family, get to the application or system level – For example, within the Benefits order • One app manages Health Care • Another manages PTO • Another for Tuition Reimbursement • etc. – It is also likely that this isolates specific business processes – “Applications” in this context may be modules within larger enterprise systems Data Classification -- Families
1/29/2015 | 20 | ©2010 CIBER, Inc. • Genus is a particular data type – Reports – Databases – Feed files • Species is instances of those types – “The weekly payroll register” – “The monthly healthcare claims report” Data Classification – Genus & Species
1/29/2015 | 21 | ©2010 CIBER, Inc. Let’s look at that payroll report • Kingdom – Non-public • Phylum – HR • Class – Confidential • Order – Payroll • Family – ADP interface • Genus – Reports • Species – Payroll report
1/29/2015 | 22 | ©2010 CIBER, Inc. • Classification and handling decisions may be made wherever appropriate – For example, a single massive database may power an enterprise HRIS that is classified at the Order level – And that database might not be safe to have try to support multiple levels of security, so you decide to take the “worst case” approach. • You may not need all the levels – But if you give yourself the room you will get this done to enough detail to make informed decisions Data Classification – Put it to use
1/29/2015 | 23 | ©2010 CIBER, Inc. • Determine Regulatory Scope • Prioritize Coverage • Phase-in Programs • Get below-C Mgt. Buy-In • Communicate why you are acting to protect this and not that (yet) Data Classification – Put it to use
1/29/2015 | 24 | ©2010 CIBER, Inc. Remember! It’s all about the data!
1/29/2015 | 25 | ©2010 CIBER, Inc. • Ponemon Reports – http://www.ponemon.org/data-security • Securosis Survey – http://www.imperva.com/resources/analyst.html • CIBER – http://www.ciber.com/ • Frier – dfrier@ciber.com More Resources
It's All About the Data!

Recomendados

Slideshare Linkedin
Slideshare LinkedinSlideshare Linkedin
Slideshare LinkedinMbomberger
 
Cloud computing web 2.0 By Joanna Hendricks BMT 580
Cloud computing web 2.0 By Joanna Hendricks BMT 580Cloud computing web 2.0 By Joanna Hendricks BMT 580
Cloud computing web 2.0 By Joanna Hendricks BMT 580Joanna Hendricks
 
Technologies for Security and Compliance by Ken McIntyre, Ercot
Technologies for Security and Compliance by Ken McIntyre, ErcotTechnologies for Security and Compliance by Ken McIntyre, Ercot
Technologies for Security and Compliance by Ken McIntyre, ErcotTheAnfieldGroup
 
Omzig
OmzigOmzig
OmzigFrancisco Diaz III
 
Your path to the cloud local event presentation
Your path to the cloud local event presentationYour path to the cloud local event presentation
Your path to the cloud local event presentationawrightKMBS
 
Trends in Government ICT - Chasing Data, Information, and Decision Support
Trends in Government ICT - Chasing Data, Information, and Decision SupportTrends in Government ICT - Chasing Data, Information, and Decision Support
Trends in Government ICT - Chasing Data, Information, and Decision SupportCorporacion Colombia Digital
 
Business RISKS From IT
Business RISKS From IT Business RISKS From IT
Business RISKS From IT Sanjiv Arora
 
IBM Security 2017 Lunch and Learn Series
IBM Security 2017 Lunch and Learn SeriesIBM Security 2017 Lunch and Learn Series
IBM Security 2017 Lunch and Learn SeriesJeff Miller
 

Recomendados

Slideshare Linkedin
Slideshare LinkedinSlideshare Linkedin
Slideshare LinkedinMbomberger
 
Cloud computing web 2.0 By Joanna Hendricks BMT 580
Cloud computing web 2.0 By Joanna Hendricks BMT 580Cloud computing web 2.0 By Joanna Hendricks BMT 580
Cloud computing web 2.0 By Joanna Hendricks BMT 580Joanna Hendricks
 
Technologies for Security and Compliance by Ken McIntyre, Ercot
Technologies for Security and Compliance by Ken McIntyre, ErcotTechnologies for Security and Compliance by Ken McIntyre, Ercot
Technologies for Security and Compliance by Ken McIntyre, ErcotTheAnfieldGroup
 
Omzig
OmzigOmzig
OmzigFrancisco Diaz III
 
Your path to the cloud local event presentation
Your path to the cloud local event presentationYour path to the cloud local event presentation
Your path to the cloud local event presentationawrightKMBS
 
Trends in Government ICT - Chasing Data, Information, and Decision Support
Trends in Government ICT - Chasing Data, Information, and Decision SupportTrends in Government ICT - Chasing Data, Information, and Decision Support
Trends in Government ICT - Chasing Data, Information, and Decision SupportCorporacion Colombia Digital
 
Business RISKS From IT
Business RISKS From IT Business RISKS From IT
Business RISKS From IT Sanjiv Arora
 
IBM Security 2017 Lunch and Learn Series
IBM Security 2017 Lunch and Learn SeriesIBM Security 2017 Lunch and Learn Series
IBM Security 2017 Lunch and Learn SeriesJeff Miller
 
Alpha & Omega Presentation
Alpha & Omega PresentationAlpha & Omega Presentation
Alpha & Omega PresentationDarryl Santa
 
Amt presentation 2016-kawan lama-viccy
Amt presentation 2016-kawan lama-viccyAmt presentation 2016-kawan lama-viccy
Amt presentation 2016-kawan lama-viccyHesadrian Boediman
 
How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?IBM Security
 
BYOD: D for Device or D for Disaster?
BYOD: D for Device or D for Disaster?BYOD: D for Device or D for Disaster?
BYOD: D for Device or D for Disaster?Marketing Team
 
Data Security Solutions_2010 @Vilnius December Opening
Data Security Solutions_2010 @Vilnius December OpeningData Security Solutions_2010 @Vilnius December Opening
Data Security Solutions_2010 @Vilnius December OpeningAndris Soroka
 
Raz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security
 
Ricoh Value Faith
Ricoh Value FaithRicoh Value Faith
Ricoh Value Faithscottkarin
 
Business Case Of Bring Your Own Device[ BYOD]
Business Case Of Bring Your Own Device[ BYOD] Business Case Of Bring Your Own Device[ BYOD]
Business Case Of Bring Your Own Device[ BYOD] Md Yousup Faruqu
 
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Michael Scheidell
 
Hki tsecuritysolutionsv1.1
Hki tsecuritysolutionsv1.1Hki tsecuritysolutionsv1.1
Hki tsecuritysolutionsv1.1HK IT solutions... unlimited...
 
Cloud computing
Cloud computingCloud computing
Cloud computingFraser Henderson
 
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...NetworkCollaborators
 
Micro Networks Compnay Profile
Micro Networks Compnay ProfileMicro Networks Compnay Profile
Micro Networks Compnay ProfileMicro Networks
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
IT Consulting Services and Technology Solutions | Ampcus -USA
IT Consulting Services and Technology Solutions | Ampcus -USAIT Consulting Services and Technology Solutions | Ampcus -USA
IT Consulting Services and Technology Solutions | Ampcus -USAUnified11
 
Redrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierRedrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierJoe Hage
 
Governance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsMichael Scheidell
 
BYOD (Bring Your Own Device) Risks And Benefits
BYOD (Bring Your Own Device) Risks And BenefitsBYOD (Bring Your Own Device) Risks And Benefits
BYOD (Bring Your Own Device) Risks And BenefitsModis
 
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)k33a
 
Achieving Data Privacy in the Enterprise
Achieving Data Privacy in the EnterpriseAchieving Data Privacy in the Enterprise
Achieving Data Privacy in the EnterpriseSafeNet
 
Securing your Cloud Deployment
Securing your Cloud DeploymentSecuring your Cloud Deployment
Securing your Cloud DeploymentHrusostomos Vicatos
 
Data Loss Prevention in O365
Data Loss Prevention in O365Data Loss Prevention in O365
Data Loss Prevention in O365Don Daubert
 

Más contenido relacionado

La actualidad más candente

Alpha & Omega Presentation
Alpha & Omega PresentationAlpha & Omega Presentation
Alpha & Omega PresentationDarryl Santa
 
Amt presentation 2016-kawan lama-viccy
Amt presentation 2016-kawan lama-viccyAmt presentation 2016-kawan lama-viccy
Amt presentation 2016-kawan lama-viccyHesadrian Boediman
 
How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?IBM Security
 
BYOD: D for Device or D for Disaster?
BYOD: D for Device or D for Disaster?BYOD: D for Device or D for Disaster?
BYOD: D for Device or D for Disaster?Marketing Team
 
Data Security Solutions_2010 @Vilnius December Opening
Data Security Solutions_2010 @Vilnius December OpeningData Security Solutions_2010 @Vilnius December Opening
Data Security Solutions_2010 @Vilnius December OpeningAndris Soroka
 
Raz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security
 
Ricoh Value Faith
Ricoh Value FaithRicoh Value Faith
Ricoh Value Faithscottkarin
 
Business Case Of Bring Your Own Device[ BYOD]
Business Case Of Bring Your Own Device[ BYOD] Business Case Of Bring Your Own Device[ BYOD]
Business Case Of Bring Your Own Device[ BYOD] Md Yousup Faruqu
 
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Michael Scheidell
 
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...NetworkCollaborators
 
Micro Networks Compnay Profile
Micro Networks Compnay ProfileMicro Networks Compnay Profile
Micro Networks Compnay ProfileMicro Networks
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
IT Consulting Services and Technology Solutions | Ampcus -USA
IT Consulting Services and Technology Solutions | Ampcus -USAIT Consulting Services and Technology Solutions | Ampcus -USA
IT Consulting Services and Technology Solutions | Ampcus -USAUnified11
 
Redrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierRedrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierJoe Hage
 
Governance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsMichael Scheidell
 
BYOD (Bring Your Own Device) Risks And Benefits
BYOD (Bring Your Own Device) Risks And BenefitsBYOD (Bring Your Own Device) Risks And Benefits
BYOD (Bring Your Own Device) Risks And BenefitsModis
 
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)k33a
 
Achieving Data Privacy in the Enterprise
Achieving Data Privacy in the EnterpriseAchieving Data Privacy in the Enterprise
Achieving Data Privacy in the EnterpriseSafeNet
 

La actualidad más candente (20)

Alpha & Omega Presentation
Alpha & Omega PresentationAlpha & Omega Presentation
Alpha & Omega Presentation
 
Amt presentation 2016-kawan lama-viccy
Amt presentation 2016-kawan lama-viccyAmt presentation 2016-kawan lama-viccy
Amt presentation 2016-kawan lama-viccy
 
How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?
 
BYOD: D for Device or D for Disaster?
BYOD: D for Device or D for Disaster?BYOD: D for Device or D for Disaster?
BYOD: D for Device or D for Disaster?
 
Data Security Solutions_2010 @Vilnius December Opening
Data Security Solutions_2010 @Vilnius December OpeningData Security Solutions_2010 @Vilnius December Opening
Data Security Solutions_2010 @Vilnius December Opening
 
Raz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security Corporate Profile
Raz-Lee Security Corporate Profile
 
Ricoh Value Faith
Ricoh Value FaithRicoh Value Faith
Ricoh Value Faith
 
Business Case Of Bring Your Own Device[ BYOD]
Business Case Of Bring Your Own Device[ BYOD] Business Case Of Bring Your Own Device[ BYOD]
Business Case Of Bring Your Own Device[ BYOD]
 
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
 
Hki tsecuritysolutionsv1.1
Hki tsecuritysolutionsv1.1Hki tsecuritysolutionsv1.1
Hki tsecuritysolutionsv1.1
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
Cisco Connect 2018 Thailand - Changing the security equation demetris booth_c...
 
Micro Networks Compnay Profile
Micro Networks Compnay ProfileMicro Networks Compnay Profile
Micro Networks Compnay Profile
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
IT Consulting Services and Technology Solutions | Ampcus -USA
IT Consulting Services and Technology Solutions | Ampcus -USAIT Consulting Services and Technology Solutions | Ampcus -USA
IT Consulting Services and Technology Solutions | Ampcus -USA
 
Redrawing the Cyber Defense Frontier
Redrawing the Cyber Defense FrontierRedrawing the Cyber Defense Frontier
Redrawing the Cyber Defense Frontier
 
Governance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile Apps
 
BYOD (Bring Your Own Device) Risks And Benefits
BYOD (Bring Your Own Device) Risks And BenefitsBYOD (Bring Your Own Device) Risks And Benefits
BYOD (Bring Your Own Device) Risks And Benefits
 
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)
 
Achieving Data Privacy in the Enterprise
Achieving Data Privacy in the EnterpriseAchieving Data Privacy in the Enterprise
Achieving Data Privacy in the Enterprise
 

Similar a It's All About the Data!

Data Loss Prevention in O365
Data Loss Prevention in O365Data Loss Prevention in O365
Data Loss Prevention in O365Don Daubert
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches Jim Kaplan CIA CFE
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
Data Governance for End-User Computing
Data Governance for End-User ComputingData Governance for End-User Computing
Data Governance for End-User ComputingDATAVERSITY
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageImperva
 
Improve IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkImprove IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkPrecisely
 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 
IBM i Security SIEM Integration
IBM i Security SIEM IntegrationIBM i Security SIEM Integration
IBM i Security SIEM IntegrationPrecisely
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDrew Madelung
 
Broadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetBroadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetCSI Solutions
 
Why Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughWhy Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughImperva
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...AIIM International
 
How to Structure the Data Organization
How to Structure the Data OrganizationHow to Structure the Data Organization
How to Structure the Data OrganizationRobyn Bollhorst
 
Impact of data science in financial reporting
Impact of data science in financial reporting Impact of data science in financial reporting
Impact of data science in financial reporting James Deiotte
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...Everteam
 

Similar a It's All About the Data! (20)

Securing your Cloud Deployment
Securing your Cloud DeploymentSecuring your Cloud Deployment
Securing your Cloud Deployment
 
Data Loss Prevention in O365
Data Loss Prevention in O365Data Loss Prevention in O365
Data Loss Prevention in O365
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
Mis
MisMis
Mis
 
Data Governance for End-User Computing
Data Governance for End-User ComputingData Governance for End-User Computing
Data Governance for End-User Computing
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and Espionage
 
Improve IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkImprove IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in Splunk
 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
IBM i Security SIEM Integration
IBM i Security SIEM IntegrationIBM i Security SIEM Integration
IBM i Security SIEM Integration
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss Prevention
 
Broadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetBroadening Your Cybersecurity Mindset
Broadening Your Cybersecurity Mindset
 
Why Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughWhy Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t Enough
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
How to Structure the Data Organization
How to Structure the Data OrganizationHow to Structure the Data Organization
How to Structure the Data Organization
 
Impact of data science in financial reporting
Impact of data science in financial reporting Impact of data science in financial reporting
Impact of data science in financial reporting
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...What Are you Waiting For? Remediate your File Shares and Govern your Informat...
What Are you Waiting For? Remediate your File Shares and Govern your Informat...
 

Más de Rochester Security Summit

Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleRochester Security Summit
 
Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)Rochester Security Summit
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudRochester Security Summit
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltRochester Security Summit
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…Rochester Security Summit
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetRochester Security Summit
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Rochester Security Summit
 

Más de Rochester Security Summit (16)

IPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be IgnoredIPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be Ignored
 
Radio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration TestingRadio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration Testing
 
Real Business Threats!
Real Business Threats!Real Business Threats!
Real Business Threats!
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)
 
Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101 Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public Cloud
 
Finding Patterns in Data Breaches
Finding Patterns in Data BreachesFinding Patterns in Data Breaches
Finding Patterns in Data Breaches
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork Quilt
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the Cloud
 
Firewall Defense against Covert Channels
Firewall Defense against Covert Channels Firewall Defense against Covert Channels
Firewall Defense against Covert Channels
 

Último

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Último (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

It's All About the Data!

  • 1. It’s All About the Data! David C. Frier, CISSP Security Practice Lead CIBER, Upstate NY Oct. 21, 2010
  • 2. 1/29/2015 | 2 | ©2010 CIBER, Inc. CIBER Profile • CIBER is a $1Billion Global IT Services Company that Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government  Consistent growth and profitability since 1974  More than 8,500 employees  NYSE (CBR) - Headquartered in Denver  85 Offices in 18 countries  US and Offshore Development Centers  Global IT Operations Centers – US & Europe  Global practices supported by local resources  Fortune 500 and mid-market leaders/challengers  Focus on quality: ISO 9001, CPMM, SAS 70
  • 3. 1/29/2015 | 3 | ©2010 CIBER, Inc. Frier Profile • Frier is a less-than-$1Billion IT Professional who Builds, Integrates and Supports Business Applications and IT Infrastructures for Business and Government  Consistent growth since 1957  (first up then out)  (DCF) - Headquartered in Rochester  IT Operations first established in 1979  IT Security, Operations, Architecture  Project Management and Consulting  Training and IT Evangelism  CISSP, CRISC (pending)
  • 4. 1/29/2015 | 4 | ©2010 CIBER, Inc. Outline • What is in scope of Data Protection? • What Threats exist? • Who Cares? • What is included in Data Protection? • Is Data Protection Effective • One approach for Data Classification
  • 5. 1/29/2015 | 5 | ©2010 CIBER, Inc. – Regulated Data • HIPAA • PCI • GLBA – PII/SPI • Under Safe Harbor • Subject to Breach Disclosure laws – Strategic Data • IP • Sales & Marketing Data • Financial (SOX) • M&A, Recruiting, other non-public plans Data Protection – what is in scope
  • 6. 1/29/2015 | 6 | ©2010 CIBER, Inc. • Lost or Stolen Devices – Laptops and removable storage most common • Disposal – Incorrect disposal of disk and tape media • Criminal Attacks – Hacking more than physical theft • Network Exposure – Misconfigured web presence – Email attachments • Malicious Insiders Threats to Data
  • 7. 1/29/2015 | 7 | ©2010 CIBER, Inc. Who cares about Data Protection Programs? Source: Business Case for Data Protection, Ponemon Institute, July 2009
  • 8. 1/29/2015 | 8 | ©2010 CIBER, Inc. • Data Loss Prevention- Network • Data Loss Prevention- Endpoint • Data Loss Prevention- Storage • Content Discovery (Process) • Email Filtering • Database Activity Monitoring • Full Drive Encryption • USB/Portable Media Encryption or Device Control • Enterprise Digital Rights Management • Database Encryption • Application Encryption • Web Application Firewall • Backup Tape Encryption • Entitlement Management • Access Management • Data Masking • Network Segregation • Server/Endpoint Hardening Enterprise Data Protection – what is included
  • 9. 1/29/2015 | 9 | ©2010 CIBER, Inc. • Perceived Effectiveness ¹ – CEOs: 58% – Other C-Levels: 48% • Which Controls are Most Effective² Data Loss Prevention- Network Data Loss Prevention- Endpoint Data Loss Prevention- Storage Content Discovery (Process) Email Filtering Are Corporate Data Protection Programs Effective? 2 – Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010 1 – Source: Business Case for Data Protection, Ponemon Institute, July 2009
  • 10. 1/29/2015 | 10 | ©2010 CIBER, Inc. • Which Controls are Least Effective? Email Filtering USB/Portable Media Encryption or Device Control Database Activity Monitoring Backup Tape Encryption Content Discovery (Process) Notice anything odd? Why Are Corporate Data Protection Programs Effective? Source: Securosis 2010 Data Security Survey, Securosis, LLC, … 2010
  • 11. 1/29/2015 | 11 | ©2010 CIBER, Inc. Do you know what you are charged to protect?
  • 12. 1/29/2015 | 12 | ©2010 CIBER, Inc. Who recognizes this? Kings play chess on finely grained sand
  • 13. 1/29/2015 | 13 | ©2010 CIBER, Inc. Did you take zoology in school? Kings play chess on finely grained sand • Kingdom • Phylum • Class • Order • Family • Genus • Species
  • 14. 1/29/2015 | 14 | ©2010 CIBER, Inc. • Use a Taxonomy • From Kingdoms, the highest level, down to individual reports and documents • Seven layers may seem like a lot – …but it’s easy to find pockets where you need more Data Classification
  • 15. 1/29/2015 | 15 | ©2010 CIBER, Inc. • Start with “Public” and “Non-Public” • You might add a third for customer-privileged information • Most Data protection effort will focus on Non-Public The point of the taxonomy is to successively sharpen the focus of the enterprise data protection efforts Data Classification -- Kingdoms
  • 16. 1/29/2015 | 16 | ©2010 CIBER, Inc. • This is a good layer for your data owner organizations – Yes: All data must have an owner. – Owners make the decisions about what level of protection is needed – Typically, data owners are the groups that own the processes that create/update/delete the data • From here down you will see categories repeated – This is the way to express the matrix nature of some of these designations across the top-down hierarchy Data Classification -- Phyla
  • 17. 1/29/2015 | 17 | ©2010 CIBER, Inc. Data Classification -- Classes • At the Class level you can apply the levels-of- sensitivity classifications – Confidential – Sensitive – “Company only” These are suggestions only… the important thing is to be consistent across all the data with what you do at a given level
  • 18. 1/29/2015 | 18 | ©2010 CIBER, Inc. • With Order, start to divide up the data into groups of related business processes – Example: within the HR phylum, • Payroll • Benefits • Performance Mgt. • Recruiting – Each of these may be in different classes for sensitivity – Class designations will often repeat across phyla but that’s OK Data Classification -- Orders
  • 19. 1/29/2015 | 19 | ©2010 CIBER, Inc. • For Family, get to the application or system level – For example, within the Benefits order • One app manages Health Care • Another manages PTO • Another for Tuition Reimbursement • etc. – It is also likely that this isolates specific business processes – “Applications” in this context may be modules within larger enterprise systems Data Classification -- Families
  • 20. 1/29/2015 | 20 | ©2010 CIBER, Inc. • Genus is a particular data type – Reports – Databases – Feed files • Species is instances of those types – “The weekly payroll register” – “The monthly healthcare claims report” Data Classification – Genus & Species
  • 21. 1/29/2015 | 21 | ©2010 CIBER, Inc. Let’s look at that payroll report • Kingdom – Non-public • Phylum – HR • Class – Confidential • Order – Payroll • Family – ADP interface • Genus – Reports • Species – Payroll report
  • 22. 1/29/2015 | 22 | ©2010 CIBER, Inc. • Classification and handling decisions may be made wherever appropriate – For example, a single massive database may power an enterprise HRIS that is classified at the Order level – And that database might not be safe to have try to support multiple levels of security, so you decide to take the “worst case” approach. • You may not need all the levels – But if you give yourself the room you will get this done to enough detail to make informed decisions Data Classification – Put it to use
  • 23. 1/29/2015 | 23 | ©2010 CIBER, Inc. • Determine Regulatory Scope • Prioritize Coverage • Phase-in Programs • Get below-C Mgt. Buy-In • Communicate why you are acting to protect this and not that (yet) Data Classification – Put it to use
  • 24. 1/29/2015 | 24 | ©2010 CIBER, Inc. Remember! It’s all about the data!
  • 25. 1/29/2015 | 25 | ©2010 CIBER, Inc. • Ponemon Reports – http://www.ponemon.org/data-security • Securosis Survey – http://www.imperva.com/resources/analyst.html • CIBER – http://www.ciber.com/ • Frier – dfrier@ciber.com More Resources