8/13/2014
Data Loss Prevention
Keeping your sensitive data out of the public domain
What is data?
Data versus Information
Data: Raw material and unorganized facts that need to be processed
Information: When data are processed, structured or presented in a certain context so as to make them useful, they are called information
Data/Information
[Diagram. Labels: Tangible, Intangible, Head knowledge, Paper, Electronic, E-structured, Database, E-unstructured, Documents, Email, Web, Other media, Structured, Unstructured]
What sensitive data do you hold?
It’s all about the data!
Corporate data
► Price/cost lists
► Target customer lists
► New designs
► Source code
► Formulas
► Pending patents
► Intellectual property
Personally identifiable data
► Full name
► Birthday, birthplace
► Biometric data
► Credit card numbers
► National identification number, passport numbers
► Driver's license number, vehicle registration number
Transaction data
► Bank payments
► B2B orders
► Vendor data
► Sales volumes
► Purchase power
► Revenue potential
► Sales projections
Customer data
► Customer list
► Spending habits
► Contact details
► User preference
► Product customer profile
► Payment status
► Contact history
Where does your sensitive data reside?
Data is everywhere
[Diagram. Labels: Databases or Repositories, Workstations, Laptops, Firewall, Internet, Data at rest, Data in motion, Data in use]
Understanding the problem
Megatrends in data related risks
Data is the lifeblood of most organizations
High profile breaches and leaks are in the headlines almost daily
Data protection will continue to be a significant challenge for organizations
Four of six megatrends discussed are linked to the risk category “data”
Megatrends in data related risks: business benefit, business/IT risks and categories of IT Risk Universe affected

Emerging consumerization
Business benefit:
► Mobile computing: Anytime and anywhere connectivity/high-volume portable data storage capability.
► Social media: New and advanced information sharing capabilities such as crowdsourcing.
Business/IT risks:
► Increased vulnerability due to anytime, anywhere accessibility.
► Risk of unintended sharing, amplification of casual remarks and disclosure of personal and company data. The availability of this data on the web facilitates cyber attacks.
► Employees may violate company policies in terms of data leakage.
Categories of IT Risk Universe affected:
► Security and privacy
► Data
► Legal and regulatory
► Infrastructure

The rise of cloud computing
Business benefit:
► Lower total cost of ownership.
► Focus on core activities and reduction of effort spent on managing IT infrastructure and applications.
► Contribute to reduction of global carbon footprint.
Business/IT risks:
► Lack of governance and oversight over IT infrastructure, applications and databases.
► Vendor lock-in.
► Privacy and security.
► Availability of IT to be impacted by the use of the cloud.
► Increased risk to regulatory noncompliance (SOX, PCI, etc.). The cloud also brings about challenges in auditing compliance.
► The cloud may impact the agility of IT and organizations; the platform dictated by the provider may not align with software development and strategic needs of the user.
Categories of IT Risk Universe affected:
► Security and privacy
► Data
► Third-party suppliers and outsourcing
► Applications and databases
► Infrastructure
► Legal and regulatory

The increased importance of business continuity
Business benefit:
► 24/7/365 availability of IT systems to enable continuous consumer support, operations, e-commerce, etc.
Business/IT risks:
► Failure of the business continuity and disaster recovery plans causing financial or reputational loss.
Categories of IT Risk Universe affected:
► Infrastructure
► Applications and databases
► Staffing
► Operations
► Physical environment

Enhanced persistence of cybercrime
Business benefit:
► N/A
Business/IT risks:
► Spread of malicious code in company systems causing system outages.
► The risk of theft of personal, financial and health information.
► Loss of confidential data due to external vulnerabilities.
► Financial loss due to unauthorized wire transfers.
Categories of IT Risk Universe affected:
► Security and privacy
► Data

Increased exposure to internal threats
Business benefit:
► N/A
Business/IT risks:
► Assigning access rights that are beyond what is required for the role by employees or contractors.
► Failure to remove access rights to employees or contractors on leaving the organization.
Categories of IT Risk Universe affected:
► Data
► Applications and databases

The accelerating change agenda
Business benefit:
► Fast adoption of new business models or reducing costs provides organizations with competitive advantage.
Business/IT risks:
► Failure to deliver IT projects and programs within budget, timing, quality and scope causing value leakage.
Categories of IT Risk Universe affected:
► Programs and change management
Overview of recent incidents
US public agency: Personal details for 3.5 million teachers and other employees of a US public agency were accidentally published on the Internet. Information released included names, social security numbers and birthdates. This data had been posted on the Internet for over a year without the organization realizing it.
International gas and oil company: An international oil and gas company lost a laptop which contained personal information for 13,000 individuals including names, social security numbers and addresses. The laptop was not encrypted and the information lost was for claimants against the company.
Web technology firm: On their official weblog, a web technology firm published a message that they uncovered a ploy to collect user passwords, likely through phishing. This ploy affected the personal accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.
Public health corporation: A public health corporation had to notify 1.7 million patients, staff, contractors, vendors and others about a reported theft of electronic record files that contained their personal information, protected health information or personally identifiable employee medical information. The information included social security numbers, names, addresses and medical histories.
National retail bank: 2,000 customer records from a national retail bank were stolen by employees prior to leaving and joining a competitor firm. Records included customer bank account numbers, social security numbers and other highly sensitive personal data such as tax returns and pay statements.
Online storage provider: According to a blog post, an online storage provider explained that, due to an authentication bug, all accounts were at risk of a data breach. As soon as the bug was discovered, as a precaution all logged in sessions were disconnected. The bug was active for almost 4 hours and took 5 minutes to fix.
Data risk: cause and effect
Your data: Corporate data, Customer data, Personally identifiable data, Transaction data
Your business environment: R&D, Customer service, Sales, HR, Legal, Finance, Contractors
Data loss risks
Cause
► Loss or theft of laptops and mobile devices
► Unauthorized transfer of data to USB devices
► Improper categorization of sensitive data
► Data theft by employees or external parties
► Printing and copying of sensitive data by employees
► Insufficient response to intrusions
► Unintentional transmission of sensitive data
Effect
► Brand damage and loss of reputation
► Loss of competitive advantage
► Loss of customers
► Loss of market share
► Erosion of shareholder value
► Fines and civil penalties
► Regulatory fines/sanction
► Significant cost and effort to notify affected parties and recover from the breach
Why does data loss occur?
Process
► Lack of data usage policies/guidance
► Lack of data transmission procedures
► Lack of data usage monitoring
People
► Lack of awareness
► Lack of accountability
► Lack of user responsibility for their actions
Technology
► Lack of flexibility in remote connectivity
► No content aware DLP tools
► Lack of secure communication platforms
Data loss prevention
What is data loss prevention?
Data loss prevention is the practice of detecting and preventing confidential information from being “leaked” out of an organization’s boundaries for unauthorized use, which may be thought of as physical or logical
Data leakage vector
Internal threats
► Instant messaging
► Mail
► FTP
► Webmail
► Web logs
► Web pages/social media
► Removable media
► Classification errors
► Hard copy
► Cameras
► Inadequate logical access
External threats
► Hackers/data theft by intruders
► SQL injection
► Malware
► Dumpster diving
► Phishing
► Social engineering
► Physical theft
Insights on information security
► 74% of respondents to our Global Information Security Survey 2013 have defined a policy for classification and handling of sensitive data as a control for data leakage risk
Which of the following actions has your organization taken to control data leakage of sensitive information?
74%: Defined a specific policy regarding the classification and handling of sensitive information
69%: Employee awareness programs
60%: Implemented additional security mechanisms for protecting information (e.g., encryption)
45%: Locked down/restricted use of certain hardware components (e.g., USB drives or FireWire ports)
45%: Utilized internal auditing for testing of controls
43%: Defined specific requirements for telecommuting/telework regarding protection of information taken outside office
39%: Implemented log review tools
38%: Implemented data loss prevention tools (McAfee, Symantec, Verdasys, etc.)
35%: Restricted or prohibited use of instant messaging or email for sensitive data transmission
24%: Prohibited use of camera devices within sensitive or restricted areas
15%: Restricted access to sensitive information to specific time periods
Source: Ernst & Young’s Global Information Security Survey 2013
Insights on information security
► However, 66% of respondents have not implemented data loss prevention (DLP) tools
Regarding DLP tools implementation, how would you describe that deployment?
66%: We have not implemented DLP tools
15%: Users have largely not noticed the impact of these tools
14%: Our implementation has been a success
14%: Implementation has gone smoothly and according to schedule
12%: It has taken longer than expected to implement
6%: Users have been upset with the impact to their daily routines
4%: Our implementation has not been as successful as expected thus far
Source: Ernst & Young’s Global Information Security Survey 2013
What an organization needs to do
► Know your data
► Know where it is
► Know where it is going
► Know who accesses it
A data loss prevention program can address these issues
EY data-centric security model
Data governance: Policies and standards, Identification, Risk assessment, Classification, Architecture, Quality
Data control (structured data, unstructured data), by focus area:
Data in use
► Data anonymisation
► Use of test data
► Privileged user monitoring
► Access/Usage monitoring
► Data redaction
► Export/Save control
Data in motion
► Perimeter security
► Network monitoring
► Internet access control
► Data collection and exchange
► Messaging (Email, IM)
► Remote access
Data at rest
► EndPoint security
► Host encryption
► Mobile device protection
► Network/intranet storage
► Physical media control
► Disposal and destruction
Supporting information security processes
► Configuration management
► Physical security
► Employee screening and vetting
► Training and awareness
► Third-party management and assurance
► Vulnerability management
► Incident response
► Data privacy/document protection
► Digital rights management
► Asset management
► Identity/access management
► Security information/event management
► Business continuity
► Disaster recovery
► Regulatory compliance management
► Change management/SDLC
Data in motion

Focus area: Perimeter security
Example control objective: Prevent unencrypted sensitive data from leaving the perimeter.
Supporting technologies: DLP technology, firewalls, proxy servers

Focus area: Network monitoring
Example control objective: Log and monitor network traffic to identify and investigate inappropriate sensitive data transfers.
Supporting technologies: DLP technology

Focus area: Internet access control
Example control objective: Prevent users from accessing unauthorized sites or uploading data through the web through personal webmail, social media, online backup tools, etc.
Supporting technologies: Proxy servers, content filters

Focus area: Data collection and exchange with third parties
Example control objective: Data exchange with third parties only occurs through secure means.
Supporting technologies: Secure email, secure FTP, secure APIs, encrypted physical media

Focus area: Use of instant messaging
Example control objective: Prevent file transfers to external parties through instant messaging and other non web-based applications.
Supporting technologies: Firewalls, proxy servers, workstation restrictions

Focus area: Remote access
Example control objective: Remote access to the company network is secured, and the data that can be saved through remote facilities such as Outlook Web Access is controlled.
Supporting technologies: Encrypted remote access, restrictions on use of remote access tools to prevent data leakage to non-corporate assets
Data in use

Focus area: Privileged user monitoring
Example control objective: Monitor the actions of privileged users with the ability to override DLP controls, perform mass data extracts, etc.
Supporting technologies: Security information and event monitoring, operating database and application log files.

Focus area: Access/usage monitoring
Example control objective: Monitor access and usage of high risk data to identify potentially inappropriate usage.
Supporting technologies: Security information and event monitoring, operating database and application log files, endpoint DLP logs.

Focus area: Data sanitation
Example control objective: Sanitize/anonymize sensitive data when it is not required for the intended use.
Supporting technologies: Data sanitation routines and programs.

Focus area: Use of test data
Example control objective: Do not use or copy sensitive data into non-production systems. Sanitize data before moving into test systems when possible.
Supporting technologies: Data sanitation routines and programs.

Focus area: Data redaction
Example control objective: Remove sensitive data elements from reports, interfaces and extracts when they are not necessary for the intended use.
Supporting technologies: Data redaction tools.

Focus area: Export/save control
Example control objective: Restrict user abilities to copy sensitive data into unapproved containers, such as e-mail, web browsers, etc., including controlling the ability to copy, paste and print sections of documents.
Supporting technologies: Endpoint DLP technology, application controls.
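
The data sanitation and data redaction objectives above rely on content-aware detection of sensitive elements. The following is an added example, not part of the original presentation: it finds candidate payment card numbers, confirms them with the Luhn checksum so that ordinary long numbers are not flagged, matches US social security numbers by layout, and masks both before a report or extract leaves its source. The function names and the sample text are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US social security number in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, start, end) for each finding, sorted by position."""
    findings = []
    for m in CARD_RE.finditer(text):
        # Only digit runs that pass the checksum are treated as card numbers.
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        # Skip anything already covered by a card finding.
        if not any(s <= m.start() < e for _, s, e in findings):
            findings.append(("ssn", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def redact(text: str) -> str:
    """Mask findings; keep the last four card digits for reconciliation."""
    out, pos = [], 0
    for kind, start, end in find_sensitive(text):
        out.append(text[pos:start])
        if kind == "card":
            digits = re.sub(r"\D", "", text[start:end])
            out.append("[CARD ****" + digits[-4:] + "]")
        else:
            out.append("[SSN REDACTED]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample extract: a well-known test card number, a publicly
# voided SSN, and a 16-digit tracking number that fails the Luhn check.
SAMPLE = (
    "Order 1001: card 4111 1111 1111 1111, contact SSN 078-05-1120.\n"
    "Order 1002: tracking number 1234567890123456 (not a card).\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Layout matching alone flags many harmless numbers, which is why the checksum step matters when such rules feed an incident queue.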
Data at rest

Focus area: Endpoint security
Example control objective: Restrict access to local admin functions such as the ability to install software and modify security settings. Prevent malware, viruses, spyware, etc.
Supporting technologies: Operating system workstation restrictions, security software (A/V, personal firewall, etc.), endpoint DLP technology.

Focus area: Host encryption
Example control objective: Ensure hard disks are encrypted on all servers, workstations, laptops and mobile devices.
Supporting technologies: Full disk encryption tools.

Focus area: Mobile device protection
Example control objective: Harden mobile device configurations and enable features such as password protection, remote wipe facilities, etc.
Supporting technologies: Built in security features, third-party mobile device control products.

Focus area: Network/intranet storage
Example control objective: Govern access to network-based repositories containing sensitive data on a least privilege basis.
Supporting technologies: Access control software and permission control in operating systems, databases and file storage systems.

Focus area: Physical media control
Example control objective: Prevent the copying of sensitive data to unapproved media. Ensure authorized data extraction only takes place on encrypted media.
Supporting technologies: Endpoint DLP technology, endpoint media encryption tools, operating system workstation restrictions.

Focus area: Disposal and destruction
Example control objective: Ensure all equipment with data storage capabilities is cleansed or destroyed as part of the equipment disposal process (including devices such as digital copiers, fax machines, etc.).
Supporting technologies: Data erasure/data wiping software.
Data risk reduction
Why data loss prevention?
Costs
Data protection life cycle
Implementing a DLPP
Key Components of a DLPP
Data loss prevention drivers and benefits
Prevent brand damage and loss of reputation
Maintain competitive advantage
Prevent loss of customers
Prevent loss of shareholder value
Prevent fines and civil penalties
Prevent regulatory actions or sanctions
Prevent legal actions – litigation
Limit cost and effort for notification
Example approach
(Grouping labels shown on the slide: Data discovery, Control assessments)

Data in motion
Client issue:
► It is not known to what extent data leakage is an issue within the organization.
► Evidence of data loss is needed to:
  ► Build a business case for DLP investment.
  ► Support a DLP risk assessment
  ► Test effectiveness of DLP controls
Ernst & Young service:
► Meet with key stakeholders to understand network weaknesses for DLP.
► Conduct a facilitated workshop to determine high-risk data.
► Customize DLP rules to focus on high-risk data and add company specific criteria.
► Utilize our DLP appliance onsite to analyze electronic communications for an agreed period of time.
► Review and validate the incidents generated and develop a report highlighting high-risk exposures.

Data at rest
Client issue:
► The security of company data stored on repositories such as share drives, SharePoint sites and intranet sites is uncertain.
► Sensitive customer data or client intellectual property may be stored on widely accessible internal systems.
► ‘Rogue’ servers/workstations may be sharing sensitive data in an uncontrolled way.
Ernst & Young service:
► Meet with key stakeholders in a facilitated workshop to determine high-risk data.
► Customize DLP rules to focus on high-risk data and add company specific criteria.
► Utilize our DLP appliance to scan high-risk data repositories or network segments.
► Review and validate the incidents generated and develop a report highlighting high-risk exposures.

Program assessment/strategic roadmap
Client issue:
► The lack of a robust DLP program is a known issue.
► However, the root cause of data loss is unknown.
► An assessment of DLP processes and controls and/or a roadmap for developing the program and integrating it into the existing security program is needed.
Ernst & Young service:
► Services in options 1 and 2.
► Conduct a current state assessment of the overall DLP program.
► Develop a strategy and roadmap to build a robust DLP program that is integrated with the existing security program.
► Provide a report of high-level issues that were identified with recommendations for risk mitigation and control improvement.

Data privacy assessment
Client issue:
► Assistance with managing the complex regulatory and compliance requirements associated with customer privacy or responding to inquiries and incidents is required.
Ernst & Young service:
► Conduct a current state privacy assessment.
► Assess compliance with specific regulations.
► Recommend improvements to data privacy controls and practices.
► Assist in responding to specific privacy incidents/breaches.
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
© 2014 EYGM Limited. All Rights Reserved.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.