Presentation is loading. Please wait.

Presentation is loading. Please wait.

WSV323. CSO/CIO department Regulation translated to control objectives Infrastructure Support Control objectives turned into control activities.

Published byByron Logan Modified over 9 years ago

Similar presentations

Presentation on theme: "WSV323. CSO/CIO department Regulation translated to control objectives Infrastructure Support Control objectives turned into control activities."— Presentation transcript:

1 WSV323

2

3

4

5 CSO/CIO department Regulation translated to control objectives Infrastructure Support Control objectives turned into control activities and monitoring Content Business Owner Helps identify the information and drives business case for compliance Information Worker Perform job without needing to worry about regulations

6 Option 1: Reactive - Do nothing until you have to Predictable cost (just add storage) Potentially enable Bitlocker to encrypt the disk that the data resides on Potential high cost when a need comes up (Audit, eDiscovery, Leakage …) Option 2: Proactive – Taking steps towards Data governance on file servers Get insight into information and apply policy Apply common data governance policies: Encryption, Retention Start with one department (e.g.: Finance) and expand to additional departments Expire data to reduce cost and risk

7

8

9

10

11 Knowledge Establish Classification Baseline Provide Information governance policies IT GRC Integration Map to compliance requirements Demonstrate IT data governance & compliance for audits Multiple File Server Support Maintain Consistency across file Servers Reduce manual labor Aggregated Reporting Reporting

12 Authoritative Health Industry (HIPAA/HITECH) US Government (NIST 800-60) Financial Industry (Sarbanes-Oxley) Credit Card Industry (PCI-DSS) Privacy Laws (PII) Harmonized Ships required terms, extensible by customers Applicable to hundreds of authority documents Validated Reviewed by IT pros, legal, auditors, customers in the Industry Simple o ntology to be used across Windows Servers Actionable based on data governance and protection policies Goals

13 AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh; Moderate; Low Information Security ConfidentialityHigh; Moderate; Low Required ClearanceRestricted; Internal Use; Public Legal Compliancy SOX; PCI; HIPAA/HITECH; NIST SP 800-53; NIST SP 800-122; U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA; EU Data Protection Directive; Japanese Personal Information Privacy Act DiscoverabilityPrivileged; Hold ImmutableYes/No Intellectual Property Copyright; Trade Secret; Parent Application Document; Patent Supporting Document Records Management Retention Long-term; Mid-term; Short-term; Indefinite Retention Start Date Organizational ImpactHigh; Moderate; Low Department Engineering ;Legal; Human Resources … Project Personal UseYes/No 13

14 demo

15 Payment Card Industry - Data Security Standard Data Classification Classify Data containing PII RMS Protect Data containing PII Board of Dir./CEO CIO/CSO Audit Committee IT Pro Data Protection

16 demo

17 IT Pro Implement Controls for PCI-DSS Create Classification Baseline for PCI-DSS (Import & Customize )

18 demo

19 IT Pro Implement Controls for PCI-DSS Create Baseline for PCI-DSS (Import & Customize ) Apply Baseline to all File Servers Export Baseline Baseline

20 demo

21 Apply Baseline to all File Servers IT Pro Implement Controls for PCI-DSS Export Baseline Create Baseline for PCI-DSS (Import & Customize ) Baseline Reports Monitor IT ProValidate Auditor / Compliance Manager

22 1. Configure 3. Collect 4. Report

23 PCI – DSS (Regulation) Data Classification Classify Data containing PII RMS Protect Data containing PII Data Protection Data Classification Toolkit (Knowledge + Multiple File Server Support) Data Classification Toolkit (Knowledge + Multiple File Server Support) File Server & FCI Board of Dir./CEO CIO/CSO Audit Committee IT Pro IT GRC Process Management Pack (Regulations, Controls) IT GRC Process Management Pack (Regulations, Controls)

24 partner

25 Shahed K. Latif Partner Information Security KPMG Are controls designed in accordance with information asset value and risk? Are resources allocated in accordance with value and risk? Are data protection needs communicated to the PMO, Internal Audit, Legal, BI, etc.? Are controls designed in accordance with information asset value and risk? Are resources allocated in accordance with value and risk? Are data protection needs communicated to the PMO, Internal Audit, Legal, BI, etc.? Does the business comply with employee, customer, and third party privacy requirements? Where does information come from and where does it go? Is the organization adequately profiting from the use of information? Which processes, and what data, drives business value and risk? Where does information come from and where does it go? Is the organization adequately profiting from the use of information? Which processes, and what data, drives business value and risk? Who has access to what? Do incident response programs adequately address data breaches? Are tools used to restrict data leakage and loss? Do controls protect the quality, integrity, completeness, and availability of data? How are employees trained? Who has access to what? Do incident response programs adequately address data breaches? Are tools used to restrict data leakage and loss? Do controls protect the quality, integrity, completeness, and availability of data? How are employees trained? Do contract terms and/or SLAs reflect information asset requirements and controls (owned and managed)? Is proper notification provided in the event of data breach? Do contract terms and/or SLAs reflect information asset requirements and controls (owned and managed)? Is proper notification provided in the event of data breach? Is IT effectively collecting, organizing, storing, retrieving, and disposing of electronic data and content? Is data duplication, redundancy, and exposure minimized?

26 Consumer Products Client Industry / Description The client requested assistance with identifying, defining, classifying, and locating information assets and (data) owners for the organization’s consumer data, employee data, and intellectual property related to product engineering. This project was the first component of a larger initiative to implement a global security risk management program for the organization. Client Challenge KPMG began by conducting a current state assessment to identify existing data classification procedures and to evaluate high-level information handling practices. KPMG then designed a data classification framework to identify, label, and define security control requirements for confidential data. Utilizing a GRC tool, we then utilized end-user surveys to identify and define confidential data types across several departments and calculate an inherent risk of each of those data types based on the sensitivity of the information and its usage. In addition, KPMG created a data classification charter for the organization, provided recommendations for updating their existing corporate information classification policy, and developed technical data handling standards. Approach This project allowed the client to identify and locate its most critical data across the organization, as well as established policies and processes for assessing the risks and controls related to the storage, processing, and transmission of those information assets. Outcomes

27

28 Q2 2010 2011 Q3 Q1 Q4

29

30

31

32 www.microsoft.com/teched Sessions On-Demand & CommunityMicrosoft Certification & Training Resources Resources for IT ProfessionalsResources for Developers www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn http://northamerica.msteched.com Connect. Share. Discuss.

33

34 Scan the Tag to evaluate this session now on myTechEd Mobile

35

36

Download ppt "WSV323. CSO/CIO department Regulation translated to control objectives Infrastructure Support Control objectives turned into control activities."

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
? ? AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh;

? ? AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh;
? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware decision.

? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware decision.
Agenda Customer pain points and how data classification can help Ecosystem Windows Server 2008 R2 for file Classification Infrastructure Demos Customer.

Agenda Customer pain points and how data classification can help Ecosystem Windows Server 2008 R2 for file Classification Infrastructure Demos Customer.
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk.

What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk.
? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware.

? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware.
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.
WCL309. Demo.

WCL309. Demo.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
SIM329. Certificate Enrollment Without CEP/CES Certificate Authority Active Directory Client Workstations 3 4 1 2 LDAP RPC/DCOM.

SIM329. Certificate Enrollment Without CEP/CES Certificate Authority Active Directory Client Workstations LDAP RPC/DCOM.
EXL302-R. Storage Management Balance mailbox size demands with available storage resources Reduce the proliferation of.PST files stored outside of IT.

EXL302-R. Storage Management Balance mailbox size demands with available storage resources Reduce the proliferation of.PST files stored outside of IT.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)

Similar presentations

Ads by Google