San Francisco IIA Fall Seminar

Presentation on theme: "San Francisco IIA Fall Seminar"— Presentation transcript:

1 San Francisco IIA Fall Seminar
Data Protection Best Practices
December 1, 2017

2 Session Agenda
Topics and duration:
- Cybersecurity assurance: a comprehensive framework (10 minutes)
- Why do organizations fail to protect their data? Approach for effective data protection (30 minutes)

3 Cyber assurance: A comprehensive framework*
Pillars: Secure, Vigilant, Resilient

Cybersecurity Governance: Cybersecurity strategy; Organizational model; Steering committee structure; Tone at the top; Regulatory and legal landscape; Key indicators

Threat and vulnerability management: Threat modeling and intelligence; Penetration testing; Vulnerability management; Emerging threat identification; Brand protection; Cyber threat information sharing; User entity behavior analytics

Software security: Secure build and testing; Secure coding guidelines; Application role design/access; Development lifecycle; Patch management

Program management: Policies, standards, baselines, guidelines, and procedures; Talent and budget management; Asset management; Change management; Program metrics and reporting; Risk and compliance management

Monitoring: Security Operations Center (SOC); Security Information and Event Management (SIEM); Cyber risk analytics; Continuous monitoring

Data protection: Data classification; Records management; Data quality management; Data loss prevention; Data encryption; Data privacy

Cloud security: Cloud strategy; Cloud risk identification; Cloud provider inventory; Minimum controls baseline; Cloud controls compliance

Third-party management: Evaluation and selection; Contract and service initiation; Ongoing monitoring; Service termination

Identity and access management: Account provisioning; Privileged user management; Access certification; Access management and governance; Generic account management

Crisis management: Response planning; Red team exercises; Tabletop exercises; Incident response and forensics; Crisis communication plan; Third-party responsibilities

Enterprise resiliency: Business Impact Analysis (BIA); Business Continuity Planning (BCP); Disaster Recovery Planning (DRP); Cyber incident insurance

Infrastructure security: Hardening standards; Security design/architecture; Configuration management; Network defense; Security operations management; Endpoint protection; Physical security

Workforce management: Phishing exercises; Security training and awareness

*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

4 Why do organizations struggle to protect their data?
1. They view data protection as an IT problem rather than a business and organization-wide problem.
2. They do not have a comprehensive view of where their data is stored and how and where it is being transferred.
3. Execution and updates of fundamental data protection capabilities are inconsistent.
4. They lack focus on identifying and mitigating risk and instead just "check the box".

5 Approach for effective data protection
The development and execution of an attainable plan is important for protecting an organization's most important data.

Steps:
- Gain commitment from the entire workforce
- Understand data that is important to the organization
- Identify data protection roles and responsibilities
- Create and implement data protection policies, procedures and training
- Discover and inventory the location of the data
- Implement security controls to support the data protection strategy
- Monitor and respond to instances of data misuse and loss
- Update data protection strategy to adjust to data loss risks

Outcomes:
- Regulatory compliance
- Client and patient satisfaction
- Decreased magnitude of a potential data breach
- Limited loss of corporate and important data

6 Gain commitment
In order to establish a data protection strategy, it is important to gain commitment from the entire workforce:
- Develop a culture of data protection and cyber security awareness with leadership
- Incorporate data protection responsibilities into everyday tasks
- Focus on the well-being and satisfaction of employees

7 Understand data that is essential to the well-being and bottom line of the organization
To understand which data to protect (the data important to the organization), it is important to know whether the loss or misuse of that data would negatively affect the:
- Reputation of the organization
- Well-being or safety of employees, patients or clients
- Bottom line of the organization in the short and long term
- Outcome of research or work done that is unique to the organization

8 Identify data protection roles and responsibilities
Roles by layer:
- Guidance: Data Protection Sponsor, who works with leadership on the importance of data protection
- Oversight: Data Protection Leader, who oversees implementation and maintenance of data protection capabilities
- Operations: Data Owners, who implement data protection capabilities; Data Custodian, who maintains data protection capabilities
- Assurance: Data Protection Audit Function

Governance bodies: Cybersecurity Steering Committee (strategic technology decisions); Cybersecurity Working Committee; Audit and Compliance Committee

Customers: Employees; Patients; Clients

9 Create and socialize data protection policies, procedures and training
Policies, procedures and training should be created and socialized to assist the organization in protecting important data.
1. Data Protection Policies: the policies should list requirements for protection of data during collection, storage, transmittal and destruction.
2. Data Protection Procedures: the procedures should demonstrate how the protection of the data should be performed.
3. Data Protection Training: appropriate resources should receive regular training on their roles and responsibilities for the data protection procedures.

10 Discover and inventory the location of the data
The discovery of sensitive data and the development of a comprehensive inventory assist an organization in identifying and addressing key data protection risks.

Structured data repositories: Enterprise databases; Applications; Access databases

Unstructured data repositories: SharePoint; Storage drives or file shares; Cloud applications (e.g. Salesforce, Box, Google Drive); Removable media

Data flow mapping:
- Identify business processes that collect, transmit, store and destroy important data
- Identify systems that support the business processes
- Map the flow of data for each business process and document data protection areas of improvement or gaps

11 Implement the security controls to support the data protection strategy
Security controls such as database security, data loss prevention and data encryption should be implemented in accordance with the data protection strategy to best protect sensitive data.

Data lifecycle stages:
- Data Collection: Sensitive data is collected by an organization as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus, etc.
- Data Storage: Collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc., for further use by applications and users.
- Data Usage and Sharing: Data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices, and other devices within and outside the network.
- Data Retention and Destruction: Data is retained or destroyed by the organization per regulatory, internal compliance or business requirements, using electronic or physical media for retention.

Data targets across the lifecycle: Web applications; Scanning and printing devices; Physical documents; Databases and storage devices; Cloud data transfers; Application data transfers; End user reporting; Retain data on storage devices; Destroy electronic data and physical documents after use

Illustrative threats: Data exfiltration; POS malware; Stolen device; Corrupt backup; Backup failure; Malicious insider; MITM attack; Eavesdropping; Remnant data

Data protection capabilities: Data discovery, inventory, and classification; Database security; Data loss prevention; Data access governance; Data retention and destruction; Information rights management; Data encryption, tokenization, and obfuscation; Key and certificate management; Payment security

12 Monitor and respond to instances of data misuse and loss
Following the implementation of the necessary security controls, monitoring and reporting need to be put into place to effectively manage the success of the efforts and make necessary changes.
1. Define monitoring roles, responsibilities and processes for data loss and misuse; identify and react to trends demonstrating data protection risks
2. Integrate results of monitoring into the overall incident response process
3. Document and review data protection key risk indicators, key performance indicators, metrics and reporting

13 Update data protection strategy to adjust to data loss risks
Effective data protection cannot be stagnant and must adjust to ever-changing risks. Data loss risks include:
- Disgruntled employees
- Malicious outsiders and cyber attacks
- Lack of properly trained personnel, contractors and third parties
- Inappropriate management of access to important data
- Broken business processes
- Lack of consistent monitoring and analysis

14 Questions?
