Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented.

Published byWilfred Ferguson Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented."— Presentation transcript:

1 Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented By Brett Moore

2 Copyright Security-Assessment.com 2006 Recent study by the Ponemon Institute Examined costs incurred by 14 companies in 11 industry sectors Breaches affecting between 1,500 to 900,000 consumers Tangible and intangible costs up to $14 million USD Related survey of customers 20% had terminated their relationship with the company Another 40% were considering in doing so What information Staggering amount of information stored now Financial, health, social, personal, business With the masses amount of data that flows through your organisation, are you taking the appropriate steps to protect what may be your most valuable asset? Information Loss Costs Money

3 Copyright Security-Assessment.com 2006 The Issue Many organisations choose to spend their resources identifying and managing information security vulnerabilities instead of managing risk to their information assets. Vulnerability-centric approaches to organisational security fall short of appropriately characterizing organizational risk because they fail to focus on what is actually at risk, the information and processes they support.

4 Copyright Security-Assessment.com 2006 What is an information asset An information asset is any data stored that is used by the organisation for information purposes. Information value can be calculated Based on the importance to the organisations continuation The affect the loss of the information would have Information risk assessment The type of data the information is created from affects the requirement to secure it Information value Determines its importance and criticality to the organisation Which data is which? What happens when an information asset is a combination of data from different sources? Information Assets

5 Copyright Security-Assessment.com 2006 Where Is The Information Stored You MUST know where your information is stored How else are you able to secure it? Data is stored in containers Drive, tape, cd-rom, dvd, paper, people Containers are not ‘physical’ Stored on multiple servers A collection of databases A collection of database tables Containers are not only technical Information can be in printed form Information is stored in peoples heads

6 Copyright Security-Assessment.com 2006 Container Security Aspects The way in which an asset is protected Through controls implemented at the container level ie: access checks at the database level Security control depth The degree to which an asset is protected is based on how well the control reflect the requirements of the asset Risk inheritance Any risk associated with the container is inherited by the asset ie: server destruction, tape backup theft Legal requirements There can be different legal requirements dependant on the information asset’s container

7 Copyright Security-Assessment.com 2006 Who Owns The Data? The owner Are those who have primary responsibility for the viability and survivability of the asset Security requirements Owners set the security requirements for an asset and communicate these to the assets’ custodians Ensuring the security requirements have been implemented Defining the asset The owner defines what the information asset consists of, and is responsible for determining the assets value It is this value that is used to calculate risk mitigation processes Delegation The owner can delegate responsibilities but ultimately remains the owner responsible for the assets protection

8 Copyright Security-Assessment.com 2006 Who Looks After The Data? The custodian Manage or are responsible for containers Accepts responsibility The custodian accepts responsibility and protects the data according to the owners defined requirements Is NOT the owner Despite common misconception, the custodian is not the owner and therefore not the responsible entity Information use Any person who makes use of the information asset becomes a custodian during that period

9 Copyright Security-Assessment.com 2006 Governance – External Requirements Legal Sarbanes-Oxley California Disclosure Law Common Law Duty of Care Industry Imposed PCI Compliance All concerned with information assets, not security breaches

10 Copyright Security-Assessment.com 2006 Sarbanes-Oxley (USA, July 2002) Requirements for all public companies listed in the US Public companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting Independent auditors for such companies must "attest" (i.e., agree, or qualify) to such disclosure Financial reporting is generally driven by information assets, so the security of those information assets is of primary concern SB 1386 (California Disclosure Law, September 2002) Requires protection of personally identifiable information Must disclose if this information is reasonably believed to have been compromised Relates to any instance involving a resident of California 23 States now passed and several bills in front of Congress Legal Requirements

11 Copyright Security-Assessment.com 2006 Impact of Disclosure Requirements Sarbanes-Oxley Cray Inc (Supercomputer manufacturer) In March 2005, Cray filed a SOX report warning of material weaknesses in internal control over financial reporting Inadequate review of third-party contracts and lack of software application controls and documentation (SoD, and IT auditing issues) Cray's stock price dropped 56%, from $3.15 per share on March 15, 2005, to $1.38 on May 25, 2005 Now faced with a class action suit by shareholders

12 Copyright Security-Assessment.com 2006 Impact of Disclosure Requirements US Disclosure Laws From http://www.privacyrights.org/ar/ChronDataBreaches.htm Over 120 Breaches disclosed so far this year Over 80 million records involved Breaches included: Hacking Dishonest employees Stolen computers Lost backup tapes Accidental online exposure

13 Copyright Security-Assessment.com 2006

14 Impact of Disclosure Requirements Ponemon Institute Studies Notification Impact 19% of disclosure recipients terminated relationship 40% thinking of terminating 27% concerned regarding organisation Cost of Breach Reviewed 14 breaches Breaches ranged from 1,500 records to 900,000 records from 11 different industry sectors Average losses of $140 per record, or $14 million per company Includes direct ($50), indirect($15), and opportunity costs($75) Does not include implementation of additional controls

15 Copyright Security-Assessment.com 2006 Identify information assets and owners IAP – Information Asset Profiling Conduct an information security risk assessment This includes identifying the risks to the asset Develop and implement security policies and procedures This drives how and what technology is used Test, audit, and update Policies and processes must work You need to know when they are been breached They need to be kept recent and up to date Steps To Protect Information Assets

16 Copyright Security-Assessment.com 2006 Information Asset Risk Assessment Primary Container May Not Be Primary Risk Other locations where information may be stored includes: – Backups – DR systems – Laptops – Desktops Once Each Container Has Been Identified, Establish How Each Is Accessed – Thick client applications – Web Applications – Database connections – Direct file access

17 Copyright Security-Assessment.com 2006 Information Asset Risk Assessment Perform a threat assessment of each entry point of each information asset container Assess each threat using standard risk assessment mechanisms utilising the value of the information asset to determine the impact of the threat occurring Each container may have multiple risk profiles, use the highest rating to determine the overall risk for that container Remember to take into account information in transit

18 Copyright Security-Assessment.com 2006 Vulnerability versus Information Asset Approaches Vulnerability Management Usually focused on individual containers or access points (applications) Generally doesn’t take into account the value of information assets Rates vulnerabilities in terms of impact to container, not data Information Asset Profiling Focuses on risks to data rather than systems or applications Risks directly associated with value of data May not take into account risks not relating to data, such as reputational risk

19 Copyright Security-Assessment.com 2006 Encryption Database Communication Laptop Backup Principle Of Least Privilege Database Server Application Protect Data Even After Container Has Been Retired Wipe old disks/tapes, or destroy Log/Audit Trails Common Tools And Techniques To Protect Data

20 Copyright Security-Assessment.com 2006 Do you have an application or vulnerability-centric approach to security rather than focusing on the information itself? Have you identified where your critical business data resides? Databases Servers Backups Laptops Have you got mechanisms in place to protect each of those locations? Database/Server protections Laptop encryption Backup encryption Key Questions To Take Away

21 Copyright Security-Assessment.com 2006 Questions ? http://www.security-assessment.com nick@security-assessment.com

Download ppt "Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented."

Similar presentations

Innovation or Necessity? ISM 158 By: Sepehr Saeb.

Innovation or Necessity? ISM 158 By: Sepehr Saeb.
Security and Control Soetam Rizky. Why Systems Are Vulnerable ?

Security and Control Soetam Rizky. Why Systems Are Vulnerable ?
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Internal Controls What Are They And Why Should I Care? 1.

Internal Controls What Are They And Why Should I Care? 1.
Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.

Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Auditing Concepts.

Auditing Concepts.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.
IS Audit Function Knowledge

IS Audit Function Knowledge
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!

Similar presentations

Ads by Google