Protecting The Data
Data security, compliance, disclosure requirements and what can happen if you get it wrong
Presented by Brett Moore
Copyright Security-Assessment.com 2006

Information Loss Costs Money
Recent study by the Ponemon Institute:
- Examined costs incurred by 14 companies in 11 industry sectors
- Breaches affected between 1,500 and 900,000 consumers each
- Tangible and intangible costs of up to $14 million USD
Related survey of affected customers:
- 20% had terminated their relationship with the company
- Another 40% were considering doing so
What information?
- A staggering amount of information is now stored: financial, health, social, personal, business
- With the mass of data that flows through your organisation, are you taking the appropriate steps to protect what may be your most valuable asset?

The Issue
Many organisations choose to spend their resources identifying and managing information security vulnerabilities instead of managing risk to their information assets.
Vulnerability-centric approaches to organisational security fall short of appropriately characterising organisational risk because they fail to focus on what is actually at risk: the information, and the business processes that information supports.

Information Assets
What is an information asset?
- An information asset is any stored data that the organisation uses for information purposes
Information value can be calculated:
- Based on its importance to the organisation's continued operation
- Based on the effect its loss would have
Information risk assessment:
- The type of data the information is created from affects the requirement to secure it
- Information value determines its importance and criticality to the organisation
Which data is which?
- What happens when an information asset is a combination of data from different sources? The combined asset must be classified at least as strictly as its most sensitive source.

Where Is The Information Stored?
You MUST know where your information is stored. How else are you able to secure it?
Data is stored in containers:
- Drive, tape, CD-ROM, DVD, paper, people
Containers are not necessarily a single physical object:
- Stored across multiple servers
- A collection of databases
- A collection of database tables
Containers are not only technical:
- Information can be in printed form
- Information is stored in people's heads

Container Security Aspects
The way in which an asset is protected:
- Through controls implemented at the container level, e.g. access checks at the database level
Security control depth:
- The degree to which an asset is protected depends on how well the container's controls reflect the security requirements of the asset
Risk inheritance:
- Any risk associated with the container is inherited by the asset, e.g. server destruction, backup tape theft
Legal requirements:
- There can be different legal requirements depending on the information asset's container

Who Owns The Data?
The owner:
- Those who have primary responsibility for the viability and survivability of the asset
Security requirements:
- Owners set the security requirements for an asset and communicate them to the asset's custodians
- Owners ensure the security requirements have been implemented
Defining the asset:
- The owner defines what the information asset consists of, and is responsible for determining the asset's value
- It is this value that is used to decide the risk mitigation required
Delegation:
- The owner can delegate responsibilities but ultimately remains the owner, responsible for the asset's protection

Who Looks After The Data?
The custodian:
- Manages, or is responsible for, the containers
Accepts responsibility:
- The custodian accepts responsibility for, and protects, the data according to the owner's defined requirements
Is NOT the owner:
- Despite a common misconception, the custodian is not the owner and therefore not the entity ultimately responsible
Information use:
- Any person who makes use of the information asset becomes a custodian for that period

Governance – External Requirements
Legal:
- Sarbanes-Oxley
- California Disclosure Law
- Common law duty of care
Industry imposed:
- PCI compliance
All of these are concerned with the information assets themselves, not with security breaches as such.

Legal Requirements
Sarbanes-Oxley (USA, July 2002):
- Requirements for all public companies listed in the US
- Public companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting
- Independent auditors for such companies must "attest" (i.e. agree, or qualify) to that disclosure
- Financial reporting is generally driven by information assets, so the security of those information assets is of primary concern
SB 1386 (California Disclosure Law, September 2002):
- Requires protection of personally identifiable information
- Organisations must disclose if this information is reasonably believed to have been compromised
- Applies to any incident involving a resident of California
- 23 states have now passed similar laws, and several bills are before Congress

Impact of Disclosure Requirements – Sarbanes-Oxley
Cray Inc (supercomputer manufacturer):
- In March 2005, Cray filed a SOX report warning of material weaknesses in internal control over financial reporting
- Inadequate review of third-party contracts, and lack of software application controls and documentation (segregation of duties and IT auditing issues)
- Cray's stock price dropped 56%, from $3.15 per share on March 15, 2005, to $1.38 on May 25, 2005
- Cray now faces a class action suit by shareholders

Impact of Disclosure Requirements – US Disclosure Laws
- Over 120 breaches disclosed so far this year (2006)
- Over 80 million records involved
Breaches included:
- Hacking
- Dishonest employees
- Stolen computers
- Lost backup tapes
- Accidental online exposure

Impact of Disclosure Requirements – Ponemon Institute Studies
Notification impact:
- 19% of disclosure recipients terminated their relationship with the organisation
- 40% were thinking of terminating it
- 27% were concerned about the organisation
Cost of a breach:
- Reviewed 14 breaches
- Breaches ranged from 1,500 to 900,000 records, across 11 different industry sectors
- Average losses of $140 per record, or $14 million per company
- Includes direct ($50), indirect ($15) and opportunity ($75) costs
- Does not include the cost of implementing additional controls afterwards

Steps To Protect Information Assets
Identify information assets and their owners:
- IAP – Information Asset Profiling
Conduct an information security risk assessment:
- This includes identifying the risks to each asset
Develop and implement security policies and procedures:
- This drives how and what technology is used
Test, audit and update:
- Policies and processes must actually work
- You need to know when they are being breached
- They need to be kept current and up to date

Information Asset Risk Assessment
The primary container may not be the primary risk. Other locations where the information may be stored include:
- Backups
- DR systems
- Laptops
- Desktops
Once each container has been identified, establish how each is accessed:
- Thick client applications
- Web applications
- Database connections
- Direct file access

Information Asset Risk Assessment (continued)
- Perform a threat assessment of each entry point of each information asset container
- Assess each threat using standard risk assessment mechanisms, using the value of the information asset to determine the impact of the threat occurring
- Each container may have multiple risk profiles; use the highest rating to determine the overall risk for that container
- Remember to take into account information in transit
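The procedure on the two risk assessment slides above (enumerate containers and their entry points, rate each threat with impact taken from the asset's value, keep the highest rating per container, and include data in transit), worked through as an added example. This is not code from the presentation; the 1..5 scales, the likelihood-times-value scoring and the sample asset and containers are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset is an information asset. Value is assigned by the asset owner
// (assumed scale: 1 = trivial .. 5 = the organisation cannot operate without it).
type Asset struct {
	Name  string
	Value int
}

// Threat is one way a particular entry point to a container could be abused.
// Likelihood is a 1..5 estimate from the threat assessment (assumed scale).
type Threat struct {
	EntryPoint string // e.g. "web application", "direct file access", "in transit"
	Name       string
	Likelihood int
}

// Container is one place a copy of the asset lives: production database,
// backup tape, laptop, DR system, or the network while the data is in transit.
type Container struct {
	Name    string
	Threats []Threat
}

// ContainerRisk is the highest-rated threat found for one container.
type ContainerRisk struct {
	Container  string
	EntryPoint string
	Threat     string
	Score      int
}

// rate scores a threat as likelihood x impact, where impact is the owner's
// asset value rather than a property of the container. That is the difference
// from vulnerability scanning, which rates the container and ignores the data.
func rate(a Asset, t Threat) int {
	return t.Likelihood * a.Value
}

// AssessAsset scores every threat at every entry point of every container and
// keeps the highest score per container, as the slide prescribes. The result
// is sorted worst-first (stable, so ties keep input order).
func AssessAsset(a Asset, containers []Container) []ContainerRisk {
	out := make([]ContainerRisk, 0, len(containers))
	for _, c := range containers {
		worst := ContainerRisk{Container: c.Name}
		for _, t := range c.Threats {
			if s := rate(a, t); s > worst.Score {
				worst = ContainerRisk{c.Name, t.EntryPoint, t.Name, s}
			}
		}
		out = append(out, worst)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// OverallRisk is the asset's rating: the worst of its containers.
func OverallRisk(risks []ContainerRisk) int {
	if len(risks) == 0 {
		return 0
	}
	return risks[0].Score
}

// SampleAssessment is constructed sample data (not a real assessment): one
// high-value asset spread across the kinds of container the slides list.
func SampleAssessment() (Asset, []Container) {
	a := Asset{Name: "customer card numbers", Value: 5}
	cs := []Container{
		{"production database", []Threat{
			{"web application", "SQL injection via order form", 3},
			{"database connection", "DBA exports table", 2},
		}},
		{"backup tape", []Threat{
			{"direct file access", "unencrypted tape lost by courier", 4},
		}},
		{"analyst laptop", []Threat{
			{"direct file access", "laptop stolen with local extract", 4},
		}},
		{"in transit", []Threat{
			{"database connection", "sniffed on internal network", 2},
		}},
	}
	return a, cs
}

func main() {
	a, cs := SampleAssessment()
	risks := AssessAsset(a, cs)
	for _, r := range risks {
		fmt.Printf("%-20s %2d  %s (%s)\n", r.Container, r.Score, r.Threat, r.EntryPoint)
	}
	fmt.Println("overall risk:", OverallRisk(risks))
}
```

With the constructed data the hardened production database scores 15 while the backup tape and the analyst laptop both score 20, which is the slide's point that the primary container may not be the primary risk: the same asset value multiplies every container's threats, so the weakest copy sets the overall rating.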

Vulnerability versus Information Asset Approaches
Vulnerability management:
- Usually focused on individual containers or access points (applications)
- Generally doesn't take into account the value of information assets
- Rates vulnerabilities in terms of impact to the container, not to the data
Information asset profiling:
- Focuses on risks to data rather than to systems or applications
- Risks are directly associated with the value of the data
- May not take into account risks not relating to data, such as reputational risk

Common Tools And Techniques To Protect Data
Encryption:
- Database
- Communication
- Laptop
- Backup
Principle of least privilege:
- Database
- Server
- Application
Protect data even after the container has been retired:
- Wipe old disks/tapes, or destroy them
Log/audit trails
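Backup encryption is the item on this slide that most often goes wrong in practice (a tape encrypted without integrity protection, or with a key stored on the same tape). Below is an added example, not code from the presentation, of sealing a backup blob with AES-256-GCM from the Go standard library: a fresh random nonce per backup, and the backup set's label bound as associated data so a ciphertext cannot be restored under the wrong label. The key handling, the label format and the sample payroll payload are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup blob. A fresh random 96-bit nonce is generated per
// call and prepended to the output. label (assumed format, e.g.
// "payroll/2006-06-01") is bound as associated data: it is authenticated but
// not encrypted, so a tape restored under a different label fails to open
// instead of silently yielding the wrong backup set.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label makes
// gcm.Open return an error, and no plaintext is released on failure.
func Open(key, label, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// CheckResult records the three properties a restore test should confirm.
type CheckResult struct {
	RoundTrip     bool // honest restore returns the original bytes
	FlipRejected  bool // one flipped byte in the stored blob is rejected
	LabelRejected bool // restore under another backup set's label is rejected
}

// TamperCheck seals plaintext, then exercises the honest restore, a corrupted
// blob and a wrong label, returning what happened in each case.
func TamperCheck(key, label, plaintext []byte) (CheckResult, error) {
	var r CheckResult
	sealed, err := Seal(key, label, plaintext)
	if err != nil {
		return r, err
	}
	got, err := Open(key, label, sealed)
	r.RoundTrip = err == nil && bytes.Equal(got, plaintext)

	flipped := append([]byte(nil), sealed...)
	flipped[len(flipped)-1] ^= 0x01 // last byte lies inside the GCM tag
	_, err = Open(key, label, flipped)
	r.FlipRejected = err != nil

	_, err = Open(key, []byte("other-set"), sealed)
	r.LabelRejected = err != nil
	return r, nil
}

func main() {
	// Assumption: in production the key comes from a KMS/HSM or is at least
	// stored on a different medium from the tape; here it is generated ad hoc.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a database export.
	payload := []byte("emp=1001,salary=52000\nemp=1002,salary=61000\n")
	r, err := TamperCheck(key, []byte("payroll/2006-06-01"), payload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two caveats a practitioner would want: GCM's security collapses if a nonce repeats under the same key, so random 96-bit nonces are fine for a modest number of backups but high-volume use needs a counter-based nonce or key rotation; and authenticated encryption only protects confidentiality and integrity of the blob, so the key itself must be outside the container (the whole point of the slide's "risk inheritance": a key on the tape inherits the tape's risk of loss).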

Key Questions To Take Away
- Do you have an application- or vulnerability-centric approach to security, rather than focusing on the information itself?
- Have you identified where your critical business data resides?
  - Databases
  - Servers
  - Backups
  - Laptops
- Have you got mechanisms in place to protect each of those locations?
  - Database/server protections
  - Laptop encryption
  - Backup encryption

Questions?