San Francisco IIA Fall Seminar

Presentation transcript:

San Francisco IIA Fall Seminar
Data Protection Best Practices
December 1, 2017

Session Agenda

Topic / Duration
- Cybersecurity assurance: a comprehensive framework (10 minutes)
- Why do organizations fail to protect their data? Approach for effective data protection (30 minutes)

Cyber assurance: A comprehensive framework*

The framework is organized around three pillars, Secure, Vigilant and Resilient, and covers the following domains and capabilities:

- Cybersecurity Governance: Cybersecurity strategy; Organizational model; Steering committee structure; Tone at the top; Regulatory and legal landscape; Key indicators
- Threat and vulnerability management: Threat modeling and intelligence; Penetration testing; Vulnerability management; Emerging threat identification; Brand protection; Cyber threat information sharing; User entity behavior analytics
- Software security: Secure build and testing; Secure coding guidelines; Application role design/access; Development lifecycle; Patch management
- Program management: Policies, standards, baselines, guidelines, and procedures; Talent and budget management; Asset management; Change management; Program metrics and reporting; Risk and compliance management
- Monitoring: Security Operations Center (SOC); Security Information and Event Management (SIEM); Cyber risk analytics; Continuous monitoring
- Data protection: Data classification; Records management; Data quality management; Data loss prevention; Data encryption; Data privacy
- Cloud security: Cloud strategy; Cloud risk identification; Cloud provider inventory; Minimum controls baseline; Cloud controls compliance
- Third-party management: Evaluation and selection; Contract and service initiation; Ongoing monitoring; Service termination
- Identity and access management: Account provisioning; Privileged user management; Access certification; Access management and governance; Generic account management
- Crisis management: Response planning; Red team exercises; Tabletop exercises; Incident response and forensics; Crisis communication plan; Third-party responsibilities
- Enterprise resiliency: Business Impact Analysis (BIA); Business Continuity Planning (BCP); Disaster Recovery Planning (DRP); Cyber incident insurance
- Infrastructure security: Hardening standards; Security design/architecture; Configuration management; Network defense; Security operations management; Endpoint protection; Physical security
- Workforce management: Phishing exercises; Security training and awareness

*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

Why do organizations struggle to protect their data?

1. They view data protection as an IT problem rather than a business and organization-wide problem.
2. They do not have a comprehensive view of where their data is stored and how and where it is being transferred.
3. Execution and updates of fundamental data protection capabilities are inconsistent.
4. They focus on "checking the box" rather than on identifying and mitigating risk.

Approach for effective data protection

The development and execution of an attainable plan is important for protecting an organization's most important data. The approach consists of the following steps, revisited as risks change:

1. Gain commitment from the entire workforce
2. Understand data that is important to the organization
3. Identify data protection roles and responsibilities
4. Create and implement data protection policies, procedures and training
5. Discover and inventory the location of the data
6. Implement security controls to support the data protection strategy
7. Monitor and respond to instances of data misuse and loss
8. Update data protection strategy to adjust to data loss risks

Outcomes: Regulatory compliance; Client and patient satisfaction; Decrease magnitude of potential data breach; Limit loss of corporate and important data

Gain commitment

In order to establish a data protection strategy, it is important to gain commitment from the entire workforce:
- Develop a culture of data protection and cyber security awareness with leadership
- Incorporate data protection responsibilities into everyday tasks
- Focus on the well-being and satisfaction of employees

Understand data that is essential to the well-being and bottom line of the organization

To understand the data to protect, it is important to know if the loss or misuse of data would negatively affect the:
- Reputation of the organization
- Well-being or safety of employees, patients or clients
- Bottom line of the organization in the short and long term
- Outcome of research or work done that is unique to the organization

Identify data protection roles and responsibilities

Guidance
- Data Protection Sponsor: work with leadership on the importance of data protection (strategic technology decisions)
- Governance: Cybersecurity Steering Committee
- Customers: Employees

Oversight
- Data Protection Leader: oversee implementation and maintenance of data protection capabilities
- Governance: Cybersecurity Working Committee
- Customers: Patients

Operations
- Data Owners: implement data protection capabilities
- Data Custodian: maintain data protection capabilities
- Governance: Audit and Compliance Committee
- Customers: Clients

Assurance
- Data Protection Audit Function

Create and socialize data protection policies, procedures and training

Policies, procedures and training should be created and socialized to assist the organization in protecting important data.

1. Data Protection Policies: The policies should list requirements for protection of data during collection, storage, transmittal and destruction.
2. Data Protection Procedures: The procedures should demonstrate how the protection of the data should be performed.
3. Data Protection Training: Appropriate resources should receive regular training on their roles and responsibilities for the data protection procedures.

Discover and inventory the location of the data

The discovery of sensitive data and the development of a comprehensive inventory assists an organization in identifying and addressing key data protection risks.

Structured data repositories: Enterprise databases; Applications; Access databases
Unstructured data repositories: SharePoint; Storage drives or file shares; Email; Cloud applications (e.g. Salesforce, Box, Google Drive); Removable media

Data flow mapping:
- Identify business processes that collect, transmit, store and destroy important data
- Identify systems that support the business processes
- Map the flow of data for each business process and document data protection areas of improvement or gaps

Implement the security controls to support the data protection strategy

Security controls such as database security, data loss prevention and data encryption should be implemented in accordance with the data protection strategy to best protect sensitive data. Controls apply across the four stages of the data lifecycle:

- Data collection: Sensitive data is collected by an organization as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus, etc.
- Data storage: Collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc., for further use by applications and users.
- Data usage and sharing: Data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices, and other devices within and outside the network.
- Data retention and destruction: Data is retained or destroyed by the organization per regulatory, internal compliance or business requirements, using electronic or physical media for retention.

Data targets (examples): Web applications; Scanning and printing devices; Physical documents; Databases and storage devices; Cloud data transfers; Application data transfers; End user reporting; Retain data on storage devices; Destroy electronic data and physical documents after use

Illustrative threats: Data exfiltration; Corrupt backup; MITM attack; Malicious insider; POS malware; Stolen device; Eavesdropping; Remnant data; Backup failure

Data protection capabilities: Data discovery, inventory, and classification; Database security; Data loss prevention; Data access governance; Data retention and destruction; Information rights management; Data encryption, tokenization, and obfuscation; Key and certificate management; Payment security
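An added illustration of two capabilities the slides name, data discovery/inventory across repositories and tokenization at the collection stage (example code written for this page, not Deloitte's or the presenter's material): the repositories, records and card numbers are constructed samples, PAN and SSN are the only patterns scanned, and the keyed HMAC token stands in for a vault-based tokenization service.

```python
import hashlib
import hmac
import re
# Constructed sample repositories (not real data): source -> records. Cards are public test numbers.
SAMPLE_REPOSITORIES = {
    "crm_db.customers": [
        "name=Ann Example;card=4111111111111111;ssn=123-45-6789",
        "name=Bob Example;card=5500000000000004",
    ],
    "fileshare/notes.txt": [
        "ticket 4111111111111112 is not a card; call 123-456-7890",
    ],
}
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from PAN-shaped numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def discover(repositories):
    """Inventory step: count validated PANs and SSNs found in each source."""
    inventory = {}
    for source, records in repositories.items():
        counts = {"PAN": 0, "SSN": 0}
        for rec in records:
            for m in PAN_RE.finditer(rec):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    counts["PAN"] += 1
            counts["SSN"] += len(SSN_RE.findall(rec))
        inventory[source] = counts
    return inventory

def tokenize_pan(pan: str, key: bytes) -> str:
    """Collection-stage control: keyed, irreversible token keeping the last 4 digits."""
    tag = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:12]
    return f"tok_{tag}_{pan[-4:]}"

def tokenize_record(rec: str, key: bytes) -> str:
    """Replace every Luhn-valid PAN in a record; leave look-alike numbers untouched."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group())
        return tokenize_pan(digits, key) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, rec)
```

The Luhn check is what keeps the look-alike "ticket" number out of both the inventory and the tokenization pass, which is the false-positive problem a real discovery scan spends most of its tuning on.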

Monitor and respond to instances of data misuse and loss

Following the implementation of the necessary security controls, monitoring and reporting need to be put into place to effectively manage the success of the efforts and make necessary changes.

1. Define monitoring roles, responsibilities and processes for data loss and misuse
2. Identify and react to trends demonstrating data protection risks
3. Integrate results of monitoring into the overall incident response process
4. Document and review data protection key risk indicators, key performance indicators, metrics and reporting

Update data protection strategy to adjust to data loss risks

Effective data protection cannot be stagnant and must adjust to ever-changing risks.

Data loss risks:
- Disgruntled employees
- Malicious outsiders and cyber attacks
- Lack of properly trained personnel, contractors and third parties
- Inappropriate management of access to important data
- Broken business processes
- Lack of consistent monitoring and analysis

Questions?