Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strategies in the Game of

Published byJodie Melton Modified over 6 years ago

Similar presentations

Presentation on theme: "Strategies in the Game of"— Presentation transcript:

1 Strategies in the Game of
Data Stewards vs. Data Hoarders Keith Hartranft, CISSP Information Security and Policy Officer Library and Technology Services Sara Rodgers Chief Information Security Officer Library and Technology Services

2 Playing the Wrong Game Prioritize initiatives Classify data
Analyze risk

3 Security Framework SANS 20 Critical Controls
Objectives: • Implement controls proven to block known attacks • Map specific actions to implement the controls • Associate activities with NIST & NSA network security tasks • Utilize procedures & tools for implementation and automation. • Assess through proven metrics & testing ISO Policy Administration Objectives: To provide Management direction and support for information security in accordance with business requirements and relevant laws and regulations through Information Security Policy. Security Awareness Objectives of SETA: • Integrate skills and competencies into a common body of knowledge • Produce relevant and needed security skills and competencies • Change behavior or reinforce good security practices Security Framework A Three Pronged Approach

4 Institutional - Proprietary
Data Classification Restricted Confidential Government regulated (PCI-DSS, GLB, et al.) Breach notification required Examples: credit card number, social security number, driver’s license number, bank account number Confidential Government regulated (FERPA, HIPAA, GLB, et al.) No breach notification required Examples: grades, health care information, financial aid information, export control data Institutional - Proprietary Privacy, ethical or proprietary constraints Examples: Lehigh Identification Numbers (LINS), internal reports and memos Public – Unrestricted Protected at the discretion of the department or data owner Examples: directory information, documents for public distribution Public - Unrestricted Institutional - Proprietary Confidential Restricted PCI-DSS GLB FERPA, HIPAA GLB

5 Likelihood/Probability
Measuring Risk Reducing number of people records with restricted data Collecting/storing restricted data on a large population with multiple copies and/or accessible by a large number of people Likelihood/Probability Reducing storage locations or limiting access Removing or redacting restricted data Severity/Impact

6 Knowing the Board and the Rules
Laws Regulations Asset Valuation & Risk The Players

7

8 Risk Reduction Information Security Legal Data User Risk Management
Restrict Redact Remove Risk Management Data Custodians Executives

9 The Strategy of the 3 R’s Remove – Do we even need to collect it? Or can we dispose of? Redact – If we store it, can we redact or obfuscate? Restrict – Who should see it? Access it? What views?

10 Security as the Ambassador
Be the liaison in the process of Data Risk Reduction Risk Reduction Restrict Redact Remove Data Hoarder Data Stewards

11 ROCK - The Process R. – Recruit the appropriate team(s) members O. – Organize Assets, Policies, and Possible Solutions C. – Communicate with the Data Users K. – Kickstart the process with Quick Wins! Data Stewards

12 Recruit - Build Your Armies
Legal Governance Regulation Compliance Committee (GRC) Data Users Risk Management Data E-Security Data Custodians Executives

13

14 Organize - Arm Yourself With Policies
Data Classification Retention Policies Other?

15 Institutional - Proprietary
Data Classification Restricted Confidential Government regulated (PCI-DSS, GLB, et al.) Breach notification required Examples: credit card number, social security number, driver’s license number, bank account number Confidential Government regulated (FERPA, HIPAA, GLB, et al.) No breach notification required Examples: grades, health care information, financial aid information, export control data Institutional - Proprietary Privacy, ethical or proprietary constraints Examples: Lehigh Identification Numbers (LINS), internal reports and memos Public – Unrestricted Protected at the discretion of the department or data owner Examples: directory information, documents for public distribution Public - Unrestricted Institutional - Proprietary Confidential Restricted PCI-DSS GLB FERPA, HIPAA GLB

16 Data Retention Policy Attributes of a Good Retention Policy:
Value Based Clear goals for retention and accountabilities Defined Categories of Data Properly vetted with cross functional buy-in by the community Directs technology to support lifecycle sustainability Includes monitoring and compliance

17 Communicate - the Strategy of the 3 R’s
Remove – Do we even need to collect it? Or can we dispose of? Redact – If we store it, can we redact or obfuscate? Restrict – Who should see it? Access it? What views?

18 Communicate - AND I MEAN IT!!!
Remove – Can simply remove it or do without? Redact – Who should be able to view it? Restrict – Who should access it? And HOW? Examine a “Fountain” effect. What are some consequences?

19 Communicate – How to Comply With Data Retention
Bring Strategies for Storage solutions Being a GOOD Steward – Disposing of Data Properly Know your Retention times Treat E-records like paper records

20 Communicate – Once We Reach Restrict, Protecting Access Controls
76% of breaches were the result of weak or stolen account credentials What’s the cost? Approx. $200 per record.

21 Communicate with the Leaders and Troops
Meet with the Data Stewards and Users and pitch the steps and the consequences and results of each step Do your homework for proposals regarding what you think are “Quick Wins” and ask others to identify other “Quick Win” areas. Explain that greater Access Controls implemented by InfoSec are often the result of exhaustion of the first 2 R’s

22 KICKSTART! - Go for QUICK WINS!!!
Propose some key targets for data removal Ask your Stewards to identify “Quick Wins” or Gains Monitor and maintain momentum for proposed projects

23 KICKSTART! - QUICK WIN Stories!
F&A Review of Data Repositories PII in more globally viewable locations removed Duplicated Data in Test instances reduced

24 Deploy the Custodians - Technology
Automating scans and searches for records dates Automated purges Provide end user tools Deploying data redaction or access control limitations MFA

25 Sustain Your Strategy – ROCK(S)?
Repeatable processes Review technology tools for process automation Revist timelines and record schedules Report annual records counts and reductions

26

27 WIN!!! With Strategies in the Game of

Download ppt "Strategies in the Game of"

Similar presentations

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.
IT Security Policy Framework

IT Security Policy Framework
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Health Records Management Practitioner

Health Records Management Practitioner
Amber LaFountain Project Archivist - Private Practices, Public Health Center for the History of Medicine Francis A. Countway Library of Medicine Harvard.

Amber LaFountain Project Archivist - Private Practices, Public Health Center for the History of Medicine Francis A. Countway Library of Medicine Harvard.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
Www.adira.org Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.

Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Peer Information Security Policies: A Sampling Summer 2015.

Peer Information Security Policies: A Sampling Summer 2015.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Similar presentations

Ads by Google