data-ed online: how safe is your data? data security
TRANSCRIPT
© Copyright this and previous years by Data Blueprint - all rights reserved!
Produced by: Data Blueprint, 10124-C W. Broad St, Glen Allen, VA 23060
Classification: Education
Date: 5/15/2012
Welcome!
Date: May 15, 2012
Time: 2:00 PM ET
Presenter: Dr. Peter Aiken
Twitter: #dataed
1
How Safe is Your Data? Data Security Management Webinar
New Feature: Live Twitter Feed
Join the conversation on Twitter!
Follow us @datablueprint and @paiken
Ask questions and submit your comments: #dataed
2
New Feature: LIKE US on Facebook
www.facebook.com/datablueprint
Post questions and comments
Find industry news, insightful content and event updates
3
Meet Your Presenter: Dr. Peter Aiken
4
• Internationally recognized thought-leader in the data management field with more than 30 years of experience
• Recipient of the 2010 International Stevens Award
• Founding Director of Data Blueprint (http://datablueprint.com)
• Associate Professor of Information Systems at Virginia Commonwealth University (http://vcu.edu)
• President of DAMA International (http://dama.org)
• DoD Computer Scientist, Reverse Engineering Program Manager/Office of the Chief Information Officer
• Visiting Scientist, Software Engineering Institute/Carnegie Mellon University
• 7 books and dozens of articles
• Experienced w/ 500+ data management practices in 20 countries
How Safe Is Your Data?
Dr. Peter Aiken: Data Security Management Webinar
Abstract: How Safe Is Your Data?
Our presentation provides you with an overview of the organizational data security management requirements that are necessary to meet industry benchmarks. Participants will understand the requirements for planning, developing, and executing security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets. By the end of our session, you will understand how effective data security policies and procedures ensure that the right people can use and update data in the right way, as well as the importance of restricting inappropriate access.
6
Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
7
The DAMA Guide to the Data Management Body of Knowledge
8
Data Management Functions
• Published by DAMA International, the professional association for Data Managers (40 chapters worldwide)
• DMBoK organized around primary data management functions focused on data delivery to the organization
• Organized around several environmental elements
The DAMA Guide to the Data Management Body of Knowledge
9
Environmental Elements
Amazon: http://www.amazon.com/DAMA-Guide-Management-Knowledge-DAMA-DMBOK/dp/0977140083
Or enter the terms "dama dm bok" at the Amazon search engine
What is the CDMP?
• Certified Data Management Professional
• DAMA International and ICCP
• Membership in a distinct group made up of your fellow professionals
• Recognition for your specialized knowledge in a choice of 17 specialty areas
• Series of 3 exams
• For more information, please visit:
– http://www.dama.org/i4a/pages/index.cfm?pageid=3399
– http://iccp.org/certification/designations/cdmp
10
Data Management
11
Data Management
12
Data Program Coordination: Manage data coherently.
Organizational Data Integration: Share data across boundaries.
Data Stewardship: Assign responsibilities for data.
Data Development: Engineer data delivery systems.
Data Support Operations: Maintain data availability.
Summary: Data Security Management
14
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Definition: Data Security Management
Planning, development and execution of security policies and procedures to provide proper authentication, authorization, access and auditing of data and information assets.
15
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Top Data Security Concerns
1. Confidentiality
– Making sure that data that is supposed to be restricted stays within the company
2. Integrity
– Ensure that there are no changes to data except intentional ones
3. Availability
– Ability to get data when it is needed
4. Non-repudiation
– Ability to prove what was sent, when, and who sent it, as well as what was delivered, when it was delivered and who received it
17
Data Security Requirements
Requirements and the procedures to meet them are categorized into 4 basic groups (the 4 As):
18
1. Authentication: Validate users are who they say they are
2. Authorization: Identify the right individuals and grant them the right privileges to specific, appropriate views of data
3. Access: Enable these individuals and their privileges in a timely manner
4. Audit: Review security actions and user activity to ensure compliance with regulations and conformance with policy and standards
Data Security in the News: 6 Worst Data Breaches of 2011
1. Sony
– Attacks compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures
– Failure to protect 100+ user records
– On-going customer relations fallout and class-action lawsuits
– Recovery costs: $2+ million
2. Epsilon
– Cloud-based email service provider fell victim to spear-phishing attack
– Breach affected data from 75 clients who trusted Epsilon with their customers’ data
– 60 million customer email addresses were breached (conservative estimate)
– Largest security breach ever
19
Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross
Data Security in the News, cont’d: 6 Worst Data Breaches of 2011
3. RSA
– Didn’t involve consumer information but one of the world’s most-used 2-factor authentication systems
– Failure to detail exactly what had been stolen by low-tech spear phishing attack
– Result of this attack: Many companies retooled security and training processes to help prevent these low-cost, easy-to-execute social-engineering attacks
4. Sutter Physician Services
– Thief stole desktop containing 2.2 million patients’ medical details
– Security lapse on 2 levels:
• (1) Data (unencrypted)
• (2) Physical location (unsecured)
– Failure to alert affected patients in timely manner
– Class action lawsuit
20
Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross
Data Security in the News, cont’d: 6 Worst Data Breaches of 2011
5. Tricare and SAIC
– Backup tapes containing unencrypted data were stolen from an employee’s personal car
– 5.1 million people affected: current and retired members of armed services and their families
– Significant because victims are at risk of medical identity theft AND financial identity theft
– $4.9 billion lawsuit
6. Nasdaq
– Attack on Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors
– Possible access to inside information that might have been sold to competitors or used to make beneficial stock market trades
21
Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross
Cost of NOT having Accurate Security: Other Examples
• 2008: Heartland Payment Systems
– 130 million credit card numbers
– $140 million recovery costs
• 2008: Hannaford Bros.
– 4.2 million credit and debit card numbers
– Class action lawsuit
• 2007: TJX Co.
– 45+ million credit and debit card numbers stolen
– $250+ million recovery cost
• 2006: Department of VA
– Stolen laptop exposed records on 26.5 million veterans, including SSNs
– $14 million recovery costs
• 2005: CardSystems Solutions
– 40 million credit and debit card accounts
22
Polling Question #1: What is the cost of data security? Estimated cost per individual breach:
1. $194
2. $467
3. $855
4. $1026
23
Data Security Statistics (2011)
• Cost of individual data breach is decreasing for the first time in 7 years
• Cost of individual data breach:
– $5.5 million (2011) vs. $7.2 million (2010)
• Cost per compromised record:
– $194 (2011) from $215 (2010)
– Exception: Breaches as a result of malicious attacks average $222 per record (higher because companies need to do more after the fact)
• Costs are generally lower if organizations have a Chief Information Security Officer (CISO)
• Other declines in 2011:
– Average size of data breaches declined by 16%
– Abnormal customer churn decreased by 18%
• Interesting fact: in 2011, 39% of data breaches were caused by negligent insiders and 24% by system glitches
24
Source: http://www.informationweek.com/news/security/attacks/232602891
Data Security Statistics (2011)
25
• Breaches caused by malicious attacks increased: 37% (2011) from 31% (2010)
– 50% malware
– 33% malicious insiders
– 28% device theft
– 28% SQL injection
– 22% phishing attacks
– 17% social engineering attacks
• Businesses’ detection costs decreased by 6%: $428,330 (2011) from $455,670 (2010)
– Companies are more efficient in investigating breaches and organizing around response plans
• Notification costs increased by 10%: $561,495 (2011)
– Failure to accurately determine the number of individuals affected can result in notifying more people than necessary, which leads to higher churn and other cost-increasing factors
– Balance of being timely and accurate at the same time
Source: http://www.informationweek.com/news/security/attacks/232602891
Other Costs Related to Data Security Breaches
• Customer churn (replacing lost customers with new ones)
• Value of stolen data
• Cost of protecting affected victims
• Cost of remedial security measures
• Fines/Lawsuits
• Loss of good will and reputation
26
Other Examples of Security Breaches
27
Organization: Type of Security Breach
Boulder Hospital: Medical records thrown in trash exposing 14 patients
Griffin Hospital: 1,000 patients’ radiology studies data stolen
Proxima Alfa Investments LLC: Stolen backup tapes expose unknown number of clients’ names, addresses, SSNs, bank and tax numbers and copies of passports
Educational Credit Management Corporation: Data of 3,300,000 names, addresses, DoB and SSNs exposed on stolen portable media device
Northwestern Memorial Hospital: 250 patients’ files stolen from unlocked cabinets by cleaning crew
Source: http://dataloss.db.org/; David Schlesinger
Other Examples, cont’d
28
Organization: Type of Security Breach
Evergreen, Vancouver, Washington Schools Information Cooperative: 5,000 employees’ information, including bank account information, SSNs and birth dates, compromised
Connecticut Office of Policy and Management: Names, addresses and SSNs of 11,000 rebate applications stolen
Thrivent Financial for Lutherans: Stolen laptop exposes 9,500 clients’ names, addresses, SSNs and health information
Sony Online Entertainment: Data of 100 million gamers exposed when hackers broke into PC games network, including names, addresses, user names, passwords, credit card information
Source: http://dataloss.db.org/; David Schlesinger
Polling Question #2: How much time should be committed to data security?
1. 1 day per week
2. Ongoing activity
3. 1 hour per day
4. 1 hour per month
29
And in this corner we have Dave!
30
Data Security Management Overview
32
Illustration from The DAMA Guide to the Data Management Body of Knowledge p. 37 © 2009 by DAMA International
Goals and Principles
33
1. Enable appropriate, and prevent inappropriate, access and change to data assets
2. Meet regulatory requirements for privacy and confidentiality
3. Ensure the privacy and confidentiality needs of all stakeholders are met
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Potentially Competing Concerns
1. Stakeholder Concerns
• Clients, patients, students, citizens, suppliers, partners
2. Government Regulations
• Restricting access to information
• Openness, transparency and accountability
3. Proprietary Business Concerns
• Competitive advantage, IP, intimate knowledge of customer needs/relationships
4. Legitimate Access Needs
• Strategy, rules, processes
34
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Data Security Activities
35
• Understand Data Security Needs and Regulatory Requirements
– Business requirements
– Regulatory requirements
• Define Data Security Policy
• Define Data Security Standards
• Classify Information Confidentiality
• Audit Data Security
• Define Data Security Controls and Procedures
• Manage Users, Passwords, and Group Membership
– Password standards and procedures
• Manage Data Access Views and Permissions
• Monitor User Authentication and Access Behavior
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Primary Deliverables
• Data Security Policies
• Data Access Views
• Document Classifications
• Data Security Audits
• Data Security Controls
• Data Privacy and Confidentiality Standards
• User Profiles, Passwords and Memberships
• Data Security Permissions
• Authentication and Access History
36
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Roles and Responsibilities
37
Consumers:
• Data Producers
• Knowledge Workers
• Managers
• Executives
• Customers
• Data Professionals
Participants:
• Data Stewards
• Data Security Administrators
• Database Administrators
• BI Analysts
• Data Architects
• CIO/CTO
• Help Desk Analysts
Suppliers:
• Data Stewards
• IT Steering Committee
• Data Stewardship Council
• Government
• Customers
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Polling Question #4: Who is responsible for data security?
1. Everyone
2. CIO
3. Data Stewards
4. Data Security Officer
38
Technology
39
• Database Management System
• Business Intelligence Tools
• Application Frameworks
• Identity Management Technologies
• Change Control Systems
• Practices & Techniques
• Organization & Culture
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Polling Question #3: What is the most common password?
1. 123456
2. password
3. asdf123
4. dragon
41
Password Pointers
• Contains at least 8 characters
• Contains an uppercase letter and a numeral
• Not the same as the username
• Not be the same as the previous 5 passwords used
• Not contain complete dictionary words in any language
• Not be incremental (password1, password2, etc.)
• Not have two characters repeated sequentially
• Not use adjacent characters on the keyboard
• Incorporate a space (if possible)
• Changed every 45 to 60 days
42
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
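The pointers above can be enforced mechanically at password-change time, which is how "password standards and procedures" usually leave the slide deck and enter a system. The Python below is an added example, not code from the slides or from Data Blueprint; the word list, keyboard rows, salt, usernames and passwords are constructed, and the "adjacent characters on the keyboard" pointer is read here as a run of three characters along one keyboard row.

```python
"""Checks a proposed password against the pointers on the slide above (added example)."""
import hashlib
import hmac
from datetime import date

# Constructed stand-in for a real multi-language dictionary.
DICTIONARY = {"password", "dragon", "summer", "welcome", "secret", "monkey", "football", "letmein"}

# Keyboard rows used to detect runs such as "qwe" or "asd" (checked in both directions).
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

PBKDF2_ITERATIONS = 100_000  # history is kept as slow salted hashes, never plaintext


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a real deployment uses a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _stem(password: str) -> str:
    """Password with trailing digits removed, e.g. 'spring2012' -> 'spring'."""
    return password.rstrip("0123456789")


def _has_keyboard_run(password: str, run_length: int = 3) -> bool:
    """True if run_length consecutive characters walk along one keyboard row.

    The slide says "not use adjacent characters"; a run of three is this example's reading.
    """
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - run_length + 1):
                if direction[i:i + run_length] in lowered:
                    return True
    return False


def check_password(new_password, username, current_password, history_hashes, salt, dictionary=DICTIONARY):
    """Return the list of pointers the proposed password violates (empty means acceptable).

    history_hashes holds salted hashes of earlier passwords, oldest first, including the
    current one; only the most recent five are compared, as the slide requires. The current
    plaintext is available because the user supplies it when changing the password.
    """
    violations = []
    lowered = new_password.lower()
    if len(new_password) < 8:
        violations.append("fewer than 8 characters")
    if not any(c.isupper() for c in new_password) or not any(c.isdigit() for c in new_password):
        violations.append("missing an uppercase letter or a numeral")
    if lowered == username.lower():
        violations.append("same as the username")
    new_hash = hash_password(new_password, salt)
    if any(hmac.compare_digest(new_hash, old) for old in history_hashes[-5:]):
        violations.append("matches one of the previous 5 passwords")
    if any(word in lowered for word in dictionary):
        violations.append("contains a complete dictionary word")
    stem = _stem(lowered)
    if stem and stem == _stem(current_password.lower()) and lowered != current_password.lower():
        violations.append("incremental change of the current password (password1, password2, ...)")
    if any(a == b for a, b in zip(new_password, new_password[1:])):
        violations.append("two identical characters in a row")
    if _has_keyboard_run(new_password):
        violations.append("adjacent keyboard characters")
    return violations


def advisories(password: str) -> list:
    """Pointers that are recommended rather than enforced."""
    return [] if " " in password else ["consider incorporating a space"]


def password_expired(last_changed_iso: str, today_iso: str, max_age_days: int = 60) -> bool:
    """Rotation every 45 to 60 days: past max_age_days the password must be changed."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days


def main():
    salt = b"constructed-fixed-salt"  # constructed; use a random per-user salt in practice
    current = "Tq4n Mz7p1"             # constructed current password
    history = [hash_password(current, salt)]
    for candidate in ("password1", "Tq4n Mz7p2", "Qwerty12", "Rk8v Wd3q"):
        print(candidate, "->", check_password(candidate, "paiken", current, history, salt) or "OK")
    print("expired:", password_expired("2012-03-01", "2012-05-15"))


if __name__ == "__main__":
    main()
```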
Information Confidentiality Classifications
• For general audiences
– Default
• Internal use only
– Minimal risk if shared; not to be copied outside of the organization
• Confidential
– Not shared outside of the organization
• Restricted Confidential
– Only shown to individuals within the organization who "need to know"
• Registered Confidential
– Shared only with the existence of a legal agreement
43
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Data Security Policies
• Americans with Disabilities Act (ADA)
• Cable Communications Policy Act of 1984 (Cable Act)
• California Senate Bill 1386 (SB 1386)
• Children’s Internet Protection Act of 2001 (CIPA)
• Children’s Online Privacy Protection Act of 1998 (COPPA)
• Communications Assistance for Law Enforcement Act of 1994 (CALEA)
• Computer Fraud and Abuse Act of 1986 (CFAA)
• Computer Security Act of 1987 (superseded by the Federal Information Security Management Act, FISMA)
• Consumer Credit Reporting Reform Act of 1996 (CCRRA) – modifies the Fair Credit Reporting Act (FCRA)
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
• Electronic Funds Transfer Act (EFTA)
• Fair and Accurate Credit Transactions Act (FACTA) of 2003
• Fair Credit Reporting Act
44
Data Security Policies, cont’d
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Drivers Privacy Protection Act of 1994
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA)
• Fair Credit Reporting Act of 1999 (FCRA)
• Family Education Rights and Privacy Act of 1974 (FERPA; also known as Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Act of 1974
• Privacy Protection Act of 1980 (PPA)
• Right to Financial Privacy Act of 1978 (RFPA)
• Telecommunications Act of 1996
• Telephone Consumer Protection Act of 1991 (TCPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
• Video Privacy Protection Act of 1988
45
Data Security in an Outsourced World
• Any form of outsourcing increases risk to the organization
• Data security risk is escalated to the outsource vendor
• Transferring control (but not accountability) requires tighter risk management and control mechanisms
• Some mechanisms include:
– Service level agreements
– Limited liability provisions in the outsourcing contract
– Right-to-audit clauses in the contract
– Clearly defined consequences to breaching contractual obligations
– Frequent data security reports from the service vendor
– Independent monitoring of vendor system activity
– More frequent and thorough data security auditing
46
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Data Security Standards
48
• Tools for data security
• Encryption standards/mechanisms
• Access guidelines
• Data transmission requirements
• Documentation requirements
• Remote access standards
• Security breach reporting
• Using mobile devices
• Storage of data on portable devices (laptops, phones, iPads), BYOD
• Disposal of devices
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Security Role Hierarchy Diagram
49
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Guiding Principles
1. Be a responsible data trustee (governance)
2. Understand and comply with pertinent regulations and guidelines
3. Use data-to-process and data-to-role matrices to document needs and guide role groups and permissions
4. Defining data security requirements and policies is a collaborative effort
5. Define security requirements in conjunction with development projects
50
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
Guiding Principles, cont’d
6. Classify enterprise data against a confidentiality classification schema
7. Follow strong password guidelines
8. Create role groups, define privileges by role; grant privileges to users by role – where possible restrict users to one role
9. Formally manage the requests and approvals for initial authorizations and changes
10. Centrally manage user identities and group memberships
51
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
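The confidentiality classifications (slide 43) and guiding principles 3, 8 and 10 (a data-to-role matrix, privileges granted by role with one role per user, centrally managed identities) combine into one access decision, and recording every decision is what the Audit requirement of the 4 As asks for. The Python below is an added example, not code from the slides or from the DMBoK; the data sets, roles, users and the rule that each classification level adds a condition on top of the role privilege are constructed for illustration.

```python
"""Data-to-role matrix with confidentiality levels and an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Classification(IntEnum):
    """The slide's schema, ordered from least to most sensitive."""
    GENERAL = 0        # for general audiences (default)
    INTERNAL = 1       # internal use only
    CONFIDENTIAL = 2   # not shared outside the organization
    RESTRICTED = 3     # restricted confidential: need-to-know only
    REGISTERED = 4     # registered confidential: only under a legal agreement


# Constructed data-to-role matrix: per data set, its classification and the
# privileges each role group holds (principles 3 and 8).
DATA_TO_ROLE = {
    "customer_contact": {
        "classification": Classification.INTERNAL,
        "roles": {"sales_rep": {"read"}, "data_steward": {"read", "update"}},
    },
    "patient_records": {
        "classification": Classification.RESTRICTED,
        "roles": {"clinician": {"read", "update"}, "data_steward": {"read"}},
    },
    "merger_terms": {
        "classification": Classification.REGISTERED,
        "roles": {"executive": {"read"}},
    },
}


@dataclass(frozen=True)
class User:
    """Centrally managed identity (principle 10); one role per user (principle 8)."""
    user_id: str
    role: str
    internal: bool                          # employee or contractor vs. external party
    need_to_know: frozenset = frozenset()   # data sets with a formal need-to-know approval
    agreements: frozenset = frozenset()     # data sets covered by a signed legal agreement


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    dataset: str
    action: str
    allowed: bool
    reason: str


def decide(user, dataset, action):
    """Return (allowed, reason). Role privilege is necessary; each classification level
    then adds a condition, and a level's condition also applies to every level above it."""
    entry = DATA_TO_ROLE.get(dataset)
    if entry is None:
        return False, "unknown data set"
    if action not in entry["roles"].get(user.role, set()):
        return False, f"role {user.role!r} holds no {action!r} privilege on {dataset!r}"
    level = entry["classification"]
    if level >= Classification.INTERNAL and not user.internal:
        return False, "internal-use-or-higher data is not shared outside the organization"
    if level >= Classification.RESTRICTED and dataset not in user.need_to_know:
        return False, "restricted confidential data requires a need-to-know approval"
    if level >= Classification.REGISTERED and dataset not in user.agreements:
        return False, "registered confidential data requires a legal agreement on file"
    return True, "permitted by data-to-role matrix"


def authorize(user, dataset, action, audit_log):
    """Make the decision and record it; denied attempts are logged too (the Audit 'A')."""
    allowed, reason = decide(user, dataset, action)
    audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user.user_id,
                                dataset, action, allowed, reason))
    return allowed


def denied_events(audit_log):
    """The subset of the trail a security audit reviews first."""
    return [event for event in audit_log if not event.allowed]


if __name__ == "__main__":
    log = []
    clinician = User("u-0042", "clinician", True, need_to_know=frozenset({"patient_records"}))
    partner = User("u-ext-7", "data_steward", False)
    authorize(clinician, "patient_records", "update", log)
    authorize(partner, "customer_contact", "read", log)
    for event in log:
        print(event)
```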
Summary: Data Security Management
53
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
References
54
Additional References
• http://www.dispatch.com/live/content/business/stories/2011/05/09/fbi-probing-consumer-data-breach-at-sony.html?sid=101
• http://sanfrancisco.cbslocal.com/2011/05/06/sony-ceo-apologizes-for-massive-playstation-data-breach/
• http://www.pcworld.com/article/226357/sony_playstation_network_personal_user_data_stolen.html
• http://www.reuters.com/article/2011/05/05/us-sony-insurance-idUSTRE74472120110505
• http://wiki.answers.com/Q/What_are_the_common_data_security_concerns_for_a_business
• http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
• http://www.informationweek.com/news/198701100
• http://blog.mpecsinc.ca/2010/05/update-heartland-payment-systems-breach.html
• http://www.computerworld.com/s/article/9070281/Hannaford_hit_by_class_action_lawsuits_in_wake_of_data_breach_disclosure
• Todd Newton: What Every Company Should Know About Data Security and Electronic Discovery
55
Questions?
56
It’s your turn! Use the chat feature or Twitter (#dataed) to submit your questions to Peter now.
Upcoming Events
57
June Webinar: Master Data Management: Quality is not an Option but a Requirement
June 12, 2012 @ 2:00 PM ET/11:00 AM PT
July Webinar: Practical Applications for Data Warehousing, Analytics, BI, and Meta-Integration Technologies
July 10, 2012 @ 2:00 PM ET/11:00 AM PT
Sign up here:
• www.datablueprint.com/webinar-schedule
• www.Dataversity.net