Posted on 04-Apr-2018
Data Governance Within a Comprehensive IT Security Strategy
Ruth M. Reiss, CISM, CRISC
Sr. Security Consultant
© 2015 GuidePoint Security, LLC
CONFIDENTIAL AND PROPRIETARY
Ruth Reiss, Sr. Security Consultant
• Over 30 years of information technology experience
• Over 12 years in IT compliance and audit
• Software development
• Processes, standards, best practices
• IT audit
• IT Compliance and Security
• CISM, CRISC, PCIP, and QSA
• Ruth.Reiss@GuidePointSecurity.com
IT Security Strategy
• Must align with business goals
• Have C-level sponsorship and commitment
• Based on processes and mechanisms to
– Control threats
– Manage vulnerabilities
• Need to ensure data
– Confidentiality
– Integrity
– Availability
• Therefore, data governance is a key component of your IT Security Strategy
Risk Management – Balancing Act
[Figure: risk management shown as a balance between Effort and Security]
Manage IT Risk
• Manage the “risk”
• Assume risk
• Accept that some risk cannot be eliminated; business can’t be done without it
Know Before You Manage
IT risk lies in data risk
• People want your data
– Hackers
– Insiders
– Thieves, including state-sponsored attackers
– Notoriety seekers
OR
• People don’t want YOU to have your data
– Political, aka hacktivism
– DDoS
Data Governance
• Manages data risk by
– Executive-level commitment
– Planning / strategy
– Addressing regulations and laws
– Classifying data
– Cataloging data
– Determining data consumer and owner
– Defining roles and responsibilities
– Regulating data retention*
– Controlling usage, storage, and transmission
– Monitoring effectiveness
*Within context of any existing Records Retention Policy
Securing Your Data
• Protecting information requires
– Governance
• The plan
• Management commitment
• Definitions
• Policies & processes
• Monitor
– People
• Awareness
• Roles / Responsibilities
– Technology
• Variety of tools
Classify
• What is your data?
• Types of Data
– People
• PII, PHI, employee information, customer information
– Company
• Sales information, annual reports, real estate plans, formulas, intellectual property, contracts, transaction information
• Define categories in policy or framework
• Example category labels: Sensitive, Confidential, Secret, Top Secret, Internal use only, Public, Restricted, Classified
Catalog
• Where is your data?
– At rest
• Storage on your network
• Storage in the cloud or at business partners
• Structured
– Databases
• Unstructured
– SharePoint, workstation files, server files, shared drives
– In flight
• Transmission in house
• Email, Instant messaging, Social media
• Communication with business partners
Consumer
• Who are your users?
• Determine data users
– Create the data (write privilege)
– View or obtain reports of the data (read privilege)
– Administer the data (provisions and revokes access, changes security settings, modifies structure)
• Determine owner
– Data owner approves entitlement to data
– Performs periodic entitlement reviews
– Owner determines classification, data retention*
• Define roles and responsibilities
– Address segregation of duties within a role
* Within the context of any existing Records Retention Policy
Controls
• How to protect?
• Data governance defines controls
– Encryption (including masking and truncating)
– Access restrictions / entitlements
– Backup requirements
– Retention period
– Proper storage locations
– Transmission requirements
– Considers all forms of the data
– Regulatory and legal obligations
• Based on data classification
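The Consumer and Controls slides together describe a policy that can be checked mechanically: every catalog entry carries a classification, an owner, and entitlements, and each class dictates encryption, storage, backup and retention requirements. The following Python is an added example, not part of the deck or GuidePoint's own tooling; the class names, the control values per class, the 90-day review interval and the sample assets are all assumptions constructed for illustration. It audits a small catalog against the controls and flags entitlement problems such as access approved by someone other than the data owner or self-approved access (a segregation-of-duties gap).

```python
"""Added example: check a data catalog against controls defined per data class.

Policy values, class names and sample assets are hypothetical, constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class DataClass(IntEnum):
    """Classification levels, ordered from least to most sensitive (assumed names)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Controls required per class: encryption, backup, permitted storage locations,
# and a retention ceiling in days (None = no ceiling). Values are assumptions.
CONTROLS = {
    DataClass.PUBLIC: dict(encrypt_at_rest=False, encrypt_in_transit=False, backup=False,
                           locations={"network", "cloud", "partner"}, max_retention_days=None),
    DataClass.INTERNAL: dict(encrypt_at_rest=False, encrypt_in_transit=True, backup=True,
                             locations={"network", "cloud"}, max_retention_days=None),
    DataClass.CONFIDENTIAL: dict(encrypt_at_rest=True, encrypt_in_transit=True, backup=True,
                                 locations={"network", "cloud"}, max_retention_days=2555),
    DataClass.RESTRICTED: dict(encrypt_at_rest=True, encrypt_in_transit=True, backup=True,
                               locations={"network"}, max_retention_days=365),
}


@dataclass
class Entitlement:
    principal: str     # consumer of the data
    privilege: str     # "read", "write" or "admin"
    approved_by: str   # who granted this entitlement


@dataclass
class DataAsset:
    name: str
    data_class: DataClass
    owner: str                     # data owner: approves entitlements, sets class and retention
    location: str                  # "network", "cloud", "partner" or "workstation"
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    backed_up: bool
    retention_days: int
    last_entitlement_review: date  # owner's most recent periodic entitlement review
    entitlements: list


def check_asset(asset: DataAsset, today: date, review_interval_days: int = 90) -> list:
    """Return the control gaps for one catalog entry (empty list = compliant)."""
    policy = CONTROLS[asset.data_class]
    findings = []
    if policy["encrypt_at_rest"] and not asset.encrypted_at_rest:
        findings.append("encryption at rest required")
    if policy["encrypt_in_transit"] and not asset.encrypted_in_transit:
        findings.append("encryption in transit required")
    if policy["backup"] and not asset.backed_up:
        findings.append("backup required")
    if asset.location not in policy["locations"]:
        findings.append(f"storage location '{asset.location}' not permitted")
    limit = policy["max_retention_days"]
    if limit is not None and asset.retention_days > limit:
        findings.append(f"retention of {asset.retention_days} days exceeds {limit}-day limit")
    if (today - asset.last_entitlement_review).days > review_interval_days:
        findings.append("periodic entitlement review overdue")
    for ent in asset.entitlements:
        # Only the data owner approves entitlements, and nobody approves their own access.
        if ent.approved_by != asset.owner:
            findings.append(f"entitlement for {ent.principal} not approved by owner {asset.owner}")
        if ent.approved_by == ent.principal:
            findings.append(f"{ent.principal} approved their own access (segregation of duties)")
    return findings


def audit_catalog(catalog: list, today: date) -> dict:
    """Map each asset name to its findings; compliant assets map to an empty list."""
    return {asset.name: check_asset(asset, today) for asset in catalog}


# Constructed sample catalog (not real assets).
TODAY = date(2018, 4, 4)
CATALOG = [
    DataAsset("customer-pii-db", DataClass.RESTRICTED, "dpo", "cloud", True, True, True, 3650,
              date(2018, 1, 15),
              [Entitlement("app-svc", "read", "dpo"), Entitlement("dba", "admin", "dba")]),
    DataAsset("marketing-site-assets", DataClass.PUBLIC, "mktg-lead", "partner", False, False,
              False, 365, date(2017, 6, 1), [Entitlement("web-team", "write", "mktg-lead")]),
    DataAsset("hr-share", DataClass.CONFIDENTIAL, "hr-dir", "network", False, True, True, 2555,
              date(2018, 3, 1), [Entitlement("hr-staff", "read", "hr-dir")]),
]

if __name__ == "__main__":
    for name, gaps in audit_catalog(CATALOG, TODAY).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The findings list is the input to the "Check and Double Check" step: counting findings per class over time gives the effectiveness metric and trend the deck asks for, and an asset whose class is raised automatically inherits the stricter control set without any change to the check itself.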
Check and Double Check
• Monitor effectiveness of controls
• Check for data leakage
• Ensure consumers are educated and aware
• Measure effectiveness
• Report on effectiveness and trending
• Improve processes
Data Governance Roadmap
1. Classify data
2. Institute policies and procedures
3. Catalog data
4. Determine consumers and owners
5. Define roles and responsibilities
6. Identify risk associated with each data class
7. Identify and deploy controls by data class
8. Establish metrics to monitor effectiveness
9. Periodic data governance framework review
In Summary
• Data Governance manages IT risk by
– Defining accountability for data
– Decreasing risk of regulatory fines
– Improving data quality
– Decreasing cost of storage
– Improving data security
About GuidePoint Security
• Founded in October 2011 by industry experts
• Headquartered in Herndon, VA
– Office in St. Petersburg, FL
– Office in Wakefield, MA
• Certified as a Small Business
• PCI Qualified Security Assessor
• Amazon Web Services Consulting Partner
GuidePoint Professional Services
• Practices include:
– Information Assurance
– Technology Integration
• Key differentiators:
– All consultants have operational experience managing security programs
– Customized engagements based on customer needs
– Vendor-agnostic approach
Information Assurance Services
• Application Security
– Application Penetration Testing
– Secure SDLC Program Development
– Secure Code Review
• Security Assessments
– External Penetration Testing
– Internal Penetration Testing
– Wireless Penetration Testing
– Social Engineering
– Vulnerability Assessments
• Compliance and Risk Management
– Security Program Review
– CISO Advisory Services
– PCI DSS QSA Assessment Services
– IT Controls Reviews
– HIPAA Risk Assessment
– Meaningful Use Risk Assessment
• Incident Response / Forensics
– Incident Response Plan Development
– IR Tabletop Exercises
– Breach Assessments
– Incident Response
– Breach Investigation
– Digital Forensics
Contact
• Ruth Reiss, Sr. Security Consultant
GuidePoint Security
Tampa, Florida
• Ruth.Reiss@GuidePointSecurity.com