1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.

Slides:

Advertisements

Similar presentations

IT Security Policy Framework

Advertisements

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

Introduction to Records Management Policy

Records Management for UW-Madison Employees – An Introduction UW-Madison Records Management UW-Archives & Records Management 2012 Photo courtesy of University.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Westbrook Technologies from Document Management’s Role in HIPAA.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

SL21 Information Security Board Mission, Goals and Guiding Principles.

Chapter 5: Asset Classification

Agenda COBIT 5 Product Family Information Security COBIT 5 content

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Auditing Computer Systems

Security Controls – What Works

1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.

1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”

Developing a Records & Information Retention & Disposition Program:

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Department of Commerce Records Management Training.

Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Patient Record System Team A DBM/381 February 4, 2013 John Italiano.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.

Evolving IT Framework Standards (Compliance and IT)

Electronic Records Management: What Management Needs to Know May 2009.

HIPAA PRIVACY AND SECURITY AWARENESS.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

1 General Awareness Training Security Awareness Module 1 Overview and Requirements.

Principle of Protection By C’Les Jensema About ARMA International and the Generally Accepted Recordkeeping Principles® ARMA International (

STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Computing Essentials 2014 Privacy, Security and Ethics © 2014 by McGraw-Hill Education. This proprietary material solely for authorized instructor use.

Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles ® Registered Trademark of ARMA International.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Cloud Use Cases, Required Standards, and Roadmaps Excerpts From Cloud Computing Use Cases White Paper

Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.

Microsoft.com/publicsector Records Management Microsoft Records Management for Government Agencies.

McGraw-Hill/Irwin © 2006 The McGraw-Hill Companies, Inc. All rights reserved. 2-1 BUSINESS DRIVEN TECHNOLOGY Business Plug-In B2 Ethics.

Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.

Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.

CIBC Global Services © 2006, Echoworx Corporation Ubiquity of Security Compliance and Content Management Stephen Dodd Director – Enterprise Accounts.

Compliance August 18, Agenda Outline Status Draft of Answers.

Csci5233 Computer Security & Integrity 1 Overview of Security & Java (based on GS: Ch. 1)

Information Security IBK3IBV01 College 2 Paul J. Cornelisse.

ISO/IEC 27001:2013 Annex A.8 Asset management

Privacy Act United States Army (Managerial Training)

Legal, Regulations, Investigations, and Compliance Chapter 9 Part 2 Pages 1006 to 1022.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.

Contingency Management Indiana University of Pennsylvania John P. Draganosky.

Welcome to the ICT Department Unit 3_5 Security Policies.

IT Audit for non-IT auditors Cornell Dover Assistant Auditor General 31 March 2013.

Learn Your Information Security Management System

Providing Access to Your Data: Handling sensitive data

Data Security Policies

IS4550 Security Policies and Implementation Unit 7 Risk Management

Electronic Records Management Program

Introduction to the Federal Defense Acquisition Regulation

Information Security Board

Developing a Data Risk Classification Program

CompTIA Security+ Study Guide (SY0-401)

Health Care: Privacy in a Digital Age

HIPAA Overview.

Security Policies and Implementation Issues

Presentation transcript:

1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification Policies

2 Copyright © 2014 M. E. Kabay. All rights reserved. TOPICS  Introduction  Purpose / Benefits  Role in IA  Legal Requirements  Design & Implementation  DC Solutions

3 Copyright © 2014 M. E. Kabay. All rights reserved. Introduction  Popular literature / media refer to “TOP SECRET”  No clear understanding of issues  Misrepresentation as negative: hiding information from stakeholders  Data classification  Labels info to support compliance with data-protection policies  Historically used by government, military, government contractors  Now increasingly used to comply with legal requirements on commercial organizations Financial / operational records Privacy protection

4 Copyright © 2014 M. E. Kabay. All rights reserved. Purpose / Benefits  Information life cycle management (ILM)  Control of data  Throughout life cycle Creation Access Modification Destruction  Legal requirements increasing pressure in private sector; e.g.,  HIPAA  European Privacy Directive Benefits Compliance with data standards, legal requirements Streamlined/secure data sharing Efficient data storage / retrieval Tracking data through ILM

5 Copyright © 2014 M. E. Kabay. All rights reserved. Role in IA  Federal Financial Institutions Examinations Council (FFIEC) guidelines  Ensure consistent protection of data  Focus controls / efforts efficiently  Systems must be classified at highest level of information stored / transmitted  Supports risk analysis  Clarifies basis for access restrictions  Supports business continuity planning & disaster recovery planning  May be mandatory  Necessary for data-loss prevention (DLP)

6 Copyright © 2014 M. E. Kabay. All rights reserved. Legal Requirements in US  Privacy Act of 1974  Including Computer Matching & Privacy Protection Act of 1988  Family Educational Rights & Privacy Act (FERPA)  Health Insurance Portability & Accountability8 Act (HIPAA)  Gramm-Leach-Bliley Act (GLBA)  Sarbanes-Oxley Act (SOX)  Federal rules of Civil Procedure (FRCP)

7 Copyright © 2014 M. E. Kabay. All rights reserved. Compliance Standards (1)  US Federal Government Executive Order  Further Amendment to Executive Order 12958… Classified National Security Information  ISO/IEC 27001:2005  Guidelines & principles for information security management  5 levels Public documents Internal use only Proprietary Highly confidential Top secret

8 Copyright © 2014 M. E. Kabay. All rights reserved. Compliance Standards (2)  Defense contracting (DoD)  Finances (Federal Financial Institutions Examination Council – FFIEC)  Life sciences (FDA)  Media, telecom (FCC)

9 Copyright © 2014 M. E. Kabay. All rights reserved. Design  Obtain management approval  Study BCP, IT assets, storage-management  Present benefits DC to business unit (BU) heads  Survey users in BUs re data utilization / management & preferences for organization & labeling  List revenue-generation & mission-critical usage of data for each BU;  Study information sharing

10 Copyright © 2014 M. E. Kabay. All rights reserved. Implementation  Obtain management approval  Map data-labeling to available hardware, networks, systems, storage  Apply automation / DC tools as appropriate  Guide users through adoption & solicit feedback  Develop service-level agreements (SLAs) for data usage  Plan for DLP  Develop cost model  Report results to management

11 Copyright © 2014 M. E. Kabay. All rights reserved. DC Solutions  Primarily related to data storage  Virtualization  Deduplication  Cheaper media  Features of DC software  Policy-based data-type discovery  File metadata classification  Multiple file system management  Compliance & legal consideration  Report style

12 Copyright © 2014 M. E. Kabay. All rights reserved. Product Roundup from SearchStorage

13 Copyright © 2014 M. E. Kabay. All rights reserved. Varonis Professor Kabay has no financial interest in any of the products shown as examples.

14 Copyright © 2014 M. E. Kabay. All rights reserved. TITUS Specifically for control Professor Kabay has no financial interest in any of the products shown as examples.

15 Copyright © 2014 M. E. Kabay. All rights reserved. Some Useful Videos  Data Classification  Part 1  Part 2  What is Network Data Loss Prevention (McAfee)   TITUS Classification Solutions Overview   McAfee Data Loss Prevention (DLP) 

16 Copyright © 2014 M. E. Kabay. All rights reserved. DISCUSSION