A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.

 44 states have enacted laws that if the companies lose customer or employee data they can be held liable  In our most recent HR audit we discovered the following flaws ◦ Data is stored in an unsecured manner ◦ Lack of compliance with Corporate Data Privacy Policy ◦ Varying interpretations of how the Data Privacy Policy Applies ◦ Transfer of unsecured data to various vendors ◦ Lack of control of data usage and access

 Auditors increasingly concerned with personally identifiable data.  US Sarbanes Oxley Act  Global companies need to worry about Safe Harbor for global data.  Increased awareness of identity theft.  Health Information  Use technology instead of only policy to protect data.  Proactive instead of responsive measures after data has been exposed already.

Solution DescriptionProsCons Data Obfuscation (Masking, Scrambling) Fake or Scrambled data set for use by design and implementation teams Can be very expensive – good fake data can range in cost from $200,000 to $1 Million Encryption of DataAllows personally identifiable data to be scrambled if intrusion takes place. Adds overhead and possible performance issues. Database Intrusion/Extrusion Prevention Looks for SQL Injections, Bad access commands and odd outbound data Can eat into over head and cause performance issues – also expensive. Needs very specific criteria to set up. Data Leak PreventionCatches any data that is being sent out of the system Does not protect data in the actual data warehouse.

 Improved over basic encryption with high speed 128/256 bit file based encryption which resolves the performance issues with other encryption solutions.  Improved database intrusion detection because it is context aware. It knows all the users and their access hours and abilities.  Improved data leak prevention since it prevents the unencrypted data from even being accessed let alone removed from system.

 Vormetric appliance for production :$39,  Vormetric appliance for development:$29,  Unix / Windows Server Agent License for production:$6,  Windows Server Agent License for development:$3,  Oracle Database server agent License for Production:$6,  Oracle Database server agent License for Dev:$3,  Total cost for this HR Project?$88,  These costs are significantly less than the 200,000 to 1 Million dollar pricing per data set for other solutions that are available.  The Cost to Risk ratio is good as a data loss/compromise can cost millions in legal fees and lost customer or employee confidence.

 Concerns about encryptions impact on performance? ◦ Data Security Expert delivers high-speed file-level encryption of stored data using a FIPS certified AES (128/256-bit) algorithm.  Concerns about data beyond the database level? ◦ Data Security Expert provides file-level encryption because the underlying files in which data is stored is the primary point of attack.  Concerns about Administrator Access to Data? ◦ Data Security Expert’s “separation of duties” feature further restricts access to data by allowing system administrators and root users to maintain the system and backup data, without being able to view the sensitive data.

 Concerns about Authorized users taking Unauthorized Actions? ◦ “Context-aware” control means that Data Security Expert grants access only to authorized users performing authorized operations on authorized applications during specific time windows.  Concerns about being able to report on which users have accessed the system? ◦ The system logs any attempted access to any data by any user –not only authorized access requests, but all attempts to circumvent authorized access channels.  Concerns about legal regulations? ◦ The system is entirely auditable to comply with Sarbanes-Oxley, Gramm-Leach-Bliley Act (GLBA), HIPAA, CA SB 1386, the EU Data Protection Act, Visa’s CISP and the PCI requirements, and other mandates regarding the handling and protection of information.

 This will secure all HR related data on all levels with minimal performance impact ◦ Database/OS ◦ Backup ◦ Data Transfers  Will allow users to access own HR data securely and blocks access to all unauthorized users  Administrators can work on system without seeing confidential data

 HIPAA - Confidentiality and integrity controls for patient health information (PHI) HIPAA  GLBA - Privacy and protection for sensitive personally identifiable information GLBA  PCI-DSS - Broadest solution for encryption, key management, access control, and audit that uniquely removes roadblocks for compliance with PCI encryption requirements PCI-DSS  SOX - Integrity, access and audit controls for financial data plus trade secret protection to reduce risk of Sarbanes-Oxley material events SOX  State Breach Notification Laws - Transparent, cost effective encryption to eliminate data breach notification requirements State Breach Notification Laws