1. Welcome!
How Safe is Your Data?
Data Security Management Webinar
Date: May 15, 2012
Time: 2:00 PM ET
Presenter: Dr. Peter Aiken
Twitter: #dataed
PRODUCED BY CLASSIFICATION DATE SLIDE
DATA BLUEPRINT 10124-C W. BROAD ST, GLEN ALLEN, VA 23060 EDUCATION 5/15/2012 1
© Copyright this and previous years by Data Blueprint - all rights reserved!
2. New Feature: Live Twitter Feed
Join the conversation on Twitter!
Follow us @datablueprint and @paiken
Ask questions and submit your comments:
#dataed
3. New Feature: LIKE US on Facebook
www.facebook.com/datablueprint
Post questions and comments
Find industry news, insightful content
and event updates
4. Meet Your Presenter: Dr. Peter Aiken
• Internationally recognized thought-leader in the data management field with more than 30 years of experience
• Recipient of the 2010 International Stevens Award
• Founding Director of Data Blueprint (http://datablueprint.com)
• Associate Professor of Information Systems at Virginia Commonwealth University (http://vcu.edu)
• President of DAMA International (http://dama.org)
• DoD Computer Scientist, Reverse Engineering Program Manager / Office of the Chief Information Officer
• Visiting Scientist, Software Engineering Institute / Carnegie Mellon University
• 7 books and dozens of articles
• Experienced w/ 500+ data management practices in 20 countries
#dataed
5. How Safe Is Your Data?
Dr. Peter Aiken: Data Security Management Webinar
6. Abstract: How Safe Is Your Data?
Our presentation provides you with an overview of the organizational data security management requirements that are necessary to meet industry benchmarks. Participants will understand the requirements for planning, developing, and executing security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets. By the end of our session, you will understand how effective data security policies and procedures ensure that the right people can use and update data in the right way, as well as the importance of restricting inappropriate access.
7. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
8. The DAMA Guide to the Data Management Body of Knowledge
Published by DAMA International
• The professional association for Data Managers (40 chapters worldwide)
DMBoK organized around
• Primary data management functions focused around data delivery to the organization
• Several environmental elements
Figure: Data Management Functions
9. The DAMA Guide to the Data Management Body of Knowledge
Amazon: http://www.amazon.com/DAMA-Guide-Management-Knowledge-DAMA-DMBOK/dp/0977140083
Or enter the terms "dama dm bok" at the Amazon search engine
Figure: Environmental Elements
10. What is the CDMP?
• Certified Data Management Professional
• DAMA International and ICCP
• Membership in a distinct group made up of your fellow professionals
• Recognition for your specialized knowledge in a choice of 17 specialty areas
• Series of 3 exams
• For more information, please visit:
– http://www.dama.org/i4a/pages/index.cfm?pageid=3399
– http://iccp.org/certification/designations/cdmp
#dataed
11. Data Management
#dataed
12. Data Management
• Data Program Coordination: Manage data coherently.
• Organizational Data Integration: Share data across boundaries.
• Data Stewardship: Assign responsibilities for data.
• Data Development: Engineer data delivery systems.
• Data Support Operations: Maintain data availability.
#dataed
13. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
14. Summary: Data Security Management
#dataed from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
15. Definition: Data Security Management
Planning, development and execution of security policies and procedures to provide proper authentication, authorization, access and auditing of data and information assets.
#dataed from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
16. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
17. Top Data Security Concerns
1. Confidentiality
– Making sure that data which is supposed to be restricted stays inside the organization and the audience it was classified for
2. Integrity
– Ensuring that no changes are made to data except intentional, authorized ones
3. Availability
– Ability to get data when it is needed
4. Non-repudiation
– Ability to prove what was sent, when, and who sent it, as well as what was delivered, when it was delivered and who received it, in a way the parties cannot later deny
#dataed
18. Data Security Requirements
Requirements and the procedures to meet them are categorized into 4 basic groups (the 4 As):
1. Authentication
Validate that users are who they say they are
2. Authorization
Identify the right individuals and grant them the right privileges to specific, appropriate views of data
3. Access
Enable these individuals and their privileges in a timely manner
4. Audit
Review security actions and user activity to ensure compliance with regulations and conformance with policy and standards
#dataed
19. Data Security in the News
6 Worst Data Breaches of 2011
1. Sony
– Attacks compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures
– Failure to protect 100+ million user records
– On-going customer relations fallout and class-action lawsuits
– Recovery costs: $2+ million
2. Epsilon
– Cloud-based email service provider fell victim to a spear-phishing attack
– Breach affected data from 75 clients who had trusted Epsilon with their customers' data
– 60 million customer email addresses were breached (conservative estimate)
– Described at the time as the largest security breach ever
Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross
20. Data Security in the News, cont'd
6 Worst Data Breaches of 2011
3. RSA
– Didn't involve consumer information, but one of the world's most-used two-factor authentication systems
– RSA did not detail exactly what had been stolen in a low-tech spear-phishing attack
– Result of this attack: many companies retooled security and training processes to help prevent these low-cost, easy-to-execute social-engineering attacks
4. Sutter Physician Services
– Thief stole a desktop containing 2.2 million patients' medical details
– Security lapse on 2 levels:
• (1) Data (unencrypted)
• (2) Physical location (unsecured)
– Failure to alert affected patients in a timely manner
– Class action lawsuit
Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross
21. Data Security in the News, cont'd
6 Worst Data Breaches of 2011
5. Tricare and SAIC
– Backup tapes containing unencrypted data were stolen from an employee's personal car
– 5.1 million people affected: current and retired members of the armed services and their families
– Significant because victims are at risk of medical identity theft AND financial identity theft
– $4.9 billion lawsuit
6. Nasdaq
– Attack on Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors
– Possible access to inside information that might have been sold to competitors or used to make profitable stock market trades
Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross
22. Cost of NOT Having Accurate Security: Other Examples
• 2008: Heartland Payment Systems
– 130 million credit card numbers
– $140 million recovery costs
• 2008: Hannaford Bros.
– 4.2 million credit and debit card numbers
– Class action lawsuit
• 2007: TJX Co.
– 45+ million credit and debit card numbers stolen
– $250+ million recovery cost
• 2006: Department of Veterans Affairs (VA)
– Stolen laptop exposed records on 26.5 million veterans, including SSNs
– $14 million recovery costs
• 2005: CardSystems Solutions
– 40 million credit and debit card accounts
#dataed
23. Polling Question #1
What is the cost of a data breach? Estimated cost per compromised record:
1. $194
2. $467
3. $855
4. $1026
24. Data Security Statistics (2011)
• Average cost of a data breach decreased for the first time in 7 years
• Average cost per data breach:
– $5.5 million (2011) vs. $7.2 million (2010)
• Average cost per compromised record:
– $194 (2011), down from $215 (2010)
– Exception: breaches resulting from malicious attacks average $222 per record (higher because companies must do more investigation and remediation after the fact)
• Costs are generally lower if the organization has a Chief Information Security Officer (CISO)
• Other declines in 2011:
– Average size of data breaches declined by 16%
– Abnormal customer churn decreased by 18%
• Interesting fact: in 2011, 39% of data breaches were caused by negligent insiders and 24% by system glitches
Source: http://www.informationweek.com/news/security/attacks/232602891
25. Data Security Statistics (2011)
• Breaches caused by malicious attacks increased to 37% (2011) from 31% (2010); the attack types involved were (a single breach can involve more than one, so the figures sum to more than 100%):
– 50% malware
– 33% malicious insiders
– 28% device theft
– 28% SQL injection
– 22% phishing attacks
– 17% social engineering attacks
• Businesses' detection costs decreased by 6%: $428,330 (2011) from $455,670 (2010)
– Companies are more efficient at investigating breaches and organizing around response plans
• Notification costs increased by 10%, to $561,495 (2011)
– Failure to accurately determine the number of individuals affected can result in notifying more people than necessary, which leads to higher churn and other cost-increasing factors
– The challenge is to be timely and accurate at the same time
Source: http://www.informationweek.com/news/security/attacks/232602891
26. Other Costs Related to Data Security Breaches
• Customer churn (replacing lost customers with new ones)
• Value of stolen data
• Cost of protecting affected victims
• Cost of remedial security measures
• Fines/Lawsuits
• Loss of good will and reputation
#dataed
27. Other Examples of Security Breaches
Organization – Type of Security Breach
• Boulder Hospital – Medical records thrown in the trash, exposing 14 patients
• Griffin Hospital – 1,000 patients' radiology study data stolen
• Proxima Alfa Investments LLC – Stolen backup tapes expose an unknown number of clients' names, addresses, SSNs, bank and tax numbers and copies of passports
• Educational Credit Management Corporation – Data of 3,300,000 names, addresses, DoB and SSNs exposed on a stolen portable media device
• Northwestern Memorial Hospital – 250 patients' files stolen from unlocked cabinets by cleaning crew
Source: http://datalossdb.org/; David Schlesinger
28. Other Examples, cont'd
Organization – Type of Security Breach
• Evergreen, Vancouver, Washington Schools Information Cooperative – 5,000 employees' information, including bank account information, SSNs and birth dates, compromised
• Connecticut Office of Policy and Management – Names, addresses and SSNs on 11,000 rebate applications stolen
• Thrivent Financial for Lutherans – Stolen laptop exposes 9,500 clients' names, addresses, SSNs and health information
• Sony Online Entertainment – Data of 100 million gamers exposed when hackers broke into the PC games network, including names, addresses, user names, passwords and credit card information
Source: http://datalossdb.org/; David Schlesinger
29. Polling Question #2
How much time should be committed to data security?
1. 1 day per week
2. Ongoing activity
3. 1 hour per day
4. 1 hour per month
30. And in this corner we have Dave!
31. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
32. Data Security Management Overview
#dataed Illustration from The DAMA Guide to the Data Management Body of Knowledge p. 37 © 2009 by DAMA International
33. Goals and Principles
1. Enable appropriate, and prevent inappropriate, access and change to data assets
2. Meet regulatory requirements for privacy and confidentiality
3. Ensure that the privacy and confidentiality needs of all stakeholders are met
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
34. Potentially Competing Concerns
1. Stakeholder Concerns
• Clients, patients, students, citizens, suppliers, partners
2. Government Regulations
• Restricting access to information
• Openness, transparency and accountability
3. Proprietary Business Concerns
• Competitive advantage, IP, intimate knowledge of customer needs/relationships
4. Legitimate Access Needs
• Strategy, rules, processes
#dataed from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
35. Data Security Activities
• Understand Data Security Needs and Regulatory Requirements
– Business requirements
– Regulatory requirements
• Define Data Security Policy
• Define Data Security Standards
• Classify Information Confidentiality
• Audit Data Security
• Define Data Security Controls and Procedures
• Manage Users, Passwords, and Group Membership
– Password standards and procedures
• Manage Data Access Views and Permissions
• Monitor User Authentication and Access Behavior
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
36. Primary Deliverables
• Data Security Policies
• Data Access Views
• Document Classifications
• Data Security Audits
• Data Security Controls
• Data Privacy and Confidentiality Standards
• User Profiles, Passwords and Memberships
• Data Security Permissions
• Authentication and Access History
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
37. Roles and Responsibilities
Suppliers:
• Data Stewards
• IT Steering Committee
• Data Stewardship Council
• Government
• Customers
Consumers:
• Data Producers
• Knowledge Workers
• Managers
• Executives
• Customers
• Data Professionals
Participants:
• Data Stewards
• Data Security Administrators
• Database Administrators
• BI Analysts
• Data Architects
• CIO/CTO
• Help Desk Analysts
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
38. Polling Question #4
Who is responsible for data security?
1. Everyone
2. CIO
3. Data Stewards
4. Data Security Officer
39. Technology
• Database Management System
• Business Intelligence Tools
• Application Frameworks
• Identity Management Technologies
• Change Control Systems
• Practices & Techniques
• Organization & Culture
#dataed from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
40. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
41. Polling Question #3
What is the most common password?
1. 123456
2. password
3. asdf123
4. dragon
42. Password Pointers
A password should:
• Contain at least 8 characters
• Contain an uppercase letter and a numeral
• Not be the same as the username
• Not be the same as any of the previous 5 passwords used
• Not contain complete dictionary words in any language
• Not be incremental (password1, password2, etc.)
• Not have two characters repeated sequentially
• Not use adjacent characters on the keyboard
• Incorporate a space (if possible)
• Be changed every 45 to 60 days
Caveat: these are the 2009 DMBOK rules. Later guidance (NIST SP 800-63B, 2017) drops mandatory periodic rotation and composition rules in favour of length, screening against lists of breached passwords and rate-limiting login attempts; and the "previous 5 passwords" check must compare against stored salted hashes, never a plaintext password history.
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
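The pointers above can be enforced mechanically. The following checker is an added example written for this page by the editor; it is not DMBOK or Data Blueprint code. It assumes a constructed seven-word dictionary standing in for a real word list, US keyboard rows, and a run of three neighbouring keys as the threshold for "adjacent characters", and it keeps password history only as salted PBKDF2 hashes, so the "not incremental" rule is checked by deriving the likely predecessor (stem, stem+(n-1)) and testing those against the hashed history.

```python
import hashlib
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed stand-in for a real multi-language dictionary (assumption: a
# deployment would load a large word list instead of these few words).
DICTIONARY = {"password", "dragon", "summer", "welcome", "secret", "monkey", "blue"}

# Physical rows of a US keyboard, used to catch runs such as "qwe" or "321".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

HISTORY_DEPTH = 5        # "not the same as the previous 5 passwords"
MAX_AGE_DAYS = 60        # "changed every 45 to 60 days": upper bound enforced
PBKDF2_ROUNDS = 100_000  # keep history as salted hashes, never plaintext


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt and compare digests."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def predecessor_candidates(password: str) -> List[str]:
    """Passwords the candidate would be an 'increment' of: the stem alone and stem+(n-1)."""
    m = re.search(r"^(.*?)(\d+)$", password)
    if not m:
        return []
    stem, digits = m.groups()
    n = int(digits)
    cands = [stem]
    if n > 0:
        cands.append(stem + str(n - 1).zfill(len(digits)))
    return cands


def has_adjacent_keys(password: str, run: int = 3) -> bool:
    """True if `run` consecutive characters are neighbours on one keyboard row, either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(candidate: str, username: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the name of every rule the candidate violates; an empty list means acceptable."""
    low = candidate.lower()
    failures = []
    if len(candidate) < 8:
        failures.append("min_length")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"\d", candidate)):
        failures.append("upper_and_digit")
    if low == username.lower():
        failures.append("equals_username")
    if in_history(candidate, history):
        failures.append("reused")
    if any(word in low for word in DICTIONARY):
        failures.append("dictionary_word")
    if any(in_history(prev, history) for prev in predecessor_candidates(candidate)):
        failures.append("incremental")
    if re.search(r"(.)\1", candidate):          # "aa", "11", "--" ...
        failures.append("repeated_char")
    if has_adjacent_keys(candidate):
        failures.append("adjacent_keys")
    return failures


def rotation_due(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the rotation window."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    history = [hash_password("Harborside7")]          # constructed prior password
    for pw in ("password", "Harborside8", "Qwerty123", "Violet 9Kites"):
        print(pw, "->", check_password(pw, "alice", history) or "ok")
```

The "space if possible" pointer is deliberately not enforced: the slide lists it as advice, not a requirement, and a checker that rejected every spaceless password would be stricter than the policy it implements.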
43. Information Confidentiality Classifications
• For general audiences
– Default
• Internal use only
– Minimal risk if shared; not to be copied outside of the organization
• Confidential
– Not shared outside of the organization
• Restricted Confidential
– Only shown to individuals within the organization who "need to know"
• Registered Confidential
– Shared only where a legal agreement exists
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
44. Data Security Policies: Relevant US Laws and Regulations
• Americans with Disabilities Act (ADA)
• Cable Communications Policy Act of 1984 (Cable Act)
• California Senate Bill 1386 (SB 1386)
• Children's Internet Protection Act of 2001 (CIPA)
• Children's Online Privacy Protection Act of 1998 (COPPA)
• Communications Assistance for Law Enforcement Act of 1994 (CALEA)
• Computer Fraud and Abuse Act of 1986 (CFAA)
• Computer Security Act of 1987 (superseded by the Federal Information Security Management Act, FISMA)
• Consumer Credit Reporting Reform Act of 1996 (CCRRA), which modifies the Fair Credit Reporting Act (FCRA)
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
• Electronic Funds Transfer Act (EFTA)
• Fair and Accurate Credit Transactions Act (FACTA) of 2003
• Fair Credit Reporting Act
45. Data Security Policies, cont'd
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Drivers Privacy Protection Act of 1994
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA)
• Fair Credit Reporting Act of 1970 (FCRA)
• Family Educational Rights and Privacy Act of 1974 (FERPA; also known as the Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Act of 1974
• Privacy Protection Act of 1980 (PPA)
• Right to Financial Privacy Act of 1978 (RFPA)
• Telecommunications Act of 1996
• Telephone Consumer Protection Act of 1991 (TCPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
• Video Privacy Protection Act of 1988
46. Data Security in an Outsourced World
• Any form of outsourcing increases risk to the organization
• Data security risk extends to the outsourcing vendor, whose controls now protect your data
• Transferring control (but not accountability) requires tighter risk management and control mechanisms
• Some mechanisms include:
– Service level agreements
– Limited liability provisions in the outsourcing contract
– Right-to-audit clauses in the contract
– Clearly defined consequences for breaching contractual obligations
– Frequent data security reports from the service vendor
– Independent monitoring of vendor system activity
– More frequent and thorough data security auditing
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
47. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
48. Data Security Standards
• Tools for data security
• Encryption standards/mechanisms
• Access guidelines
• Data transmission requirements
• Documentation requirements
• Remote access standards
• Security breach reporting
• Using mobile devices
• Storage of data on portable devices (laptops, phones, iPads), including BYOD
• Disposal of devices
#dataed from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
49. Security Role Hierarchy Diagram
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
50. Guiding Principles
1. Be a responsible data trustee (governance)
2. Understand and comply with pertinent regulations and guidelines
3. Use data-to-process and data-to-role matrices to document needs and guide role groups and permissions
4. Defining data security requirements and policies is a collaborative effort
5. Define security requirements in conjunction with development projects
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
51. Guiding Principles, cont'd
6. Classify enterprise data against a confidentiality classification schema
7. Follow strong password guidelines
8. Create role groups, define privileges by role; grant privileges to users by role, and where possible restrict each user to one role
9. Formally manage the requests and approvals for initial authorizations and changes
10. Centrally manage user identities and group memberships
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
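Principles 3, 6 and 8 above, together with the four As from the "Data Security Requirements" slide (authentication, authorization, access through data views, audit), fit together in one small mechanism: classify each column, clear each role up to one classification level, give each user exactly one role, expose each role only a view of the columns it is cleared for, and record every decision. The following is an added example written for this page by the editor, not DMBOK or Data Blueprint code. The `patients` table, its column classifications, the three roles and their clearances, the sample rows and the user names are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

# Confidentiality classification schema from the slides, least to most sensitive.
LEVELS = {"general": 0, "internal": 1, "confidential": 2, "restricted": 3, "registered": 4}

# Constructed data-to-role matrix (assumption): every column of an assumed
# `patients` table carries a classification; every role is cleared up to one
# level and allowed a fixed set of actions. A user holds exactly one role.
COLUMN_CLASS = {"patient_id": "internal", "city": "internal",
                "diagnosis": "confidential", "ssn": "restricted"}
ROLE_CLEARANCE = {"analyst": "internal", "clinician": "confidential", "privacy_officer": "restricted"}
ROLE_ACTIONS = {"analyst": {"read"}, "clinician": {"read", "update"}, "privacy_officer": {"read"}}
SAMPLE_ROWS = [(1, "Richmond", "asthma", "123-45-6789"),      # constructed sample data
               (2, "Norfolk", "fracture", "987-65-4321")]


@dataclass(frozen=True)
class Session:
    user: str
    role: str


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def visible_columns(role: str) -> list:
    """Data access view definition: the columns at or below the role's clearance."""
    ceiling = LEVELS[ROLE_CLEARANCE[role]]
    return [c for c, lvl in COLUMN_CLASS.items() if LEVELS[lvl] <= ceiling]


class DataSecurityManager:
    """The four As over one in-memory database: authenticate, authorize, access, audit."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE patients (patient_id INTEGER PRIMARY KEY, "
                        "city TEXT, diagnosis TEXT, ssn TEXT)")
        self.db.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
        self.db.execute("CREATE TABLE audit (ts TEXT, user TEXT, role TEXT, "
                        "action TEXT, object TEXT, outcome TEXT)")
        # One SQL view per role: reads go through the view, never the base table.
        for role in ROLE_CLEARANCE:
            self.db.execute(f"CREATE VIEW v_{role} AS SELECT "
                            f"{', '.join(visible_columns(role))} FROM patients")
        self.users = {}  # username -> (salt, digest, role); exactly one role per user

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_CLEARANCE:
            raise ValueError(f"unknown role: {role}")
        salt = os.urandom(16)
        self.users[username] = (salt, _pbkdf2(password, salt), role)

    def _audit(self, user, role, action, obj, outcome) -> None:
        self.db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?)",
                        (datetime.now(timezone.utc).isoformat(), user, role, action, obj, outcome))

    # 1. Authentication: validate that the user is who they claim to be.
    def login(self, username: str, password: str):
        # Unknown users still pay for a hash so the timing does not reveal valid names.
        salt, digest, role = self.users.get(username, (b"\0" * 16, b"", None))
        ok = role is not None and hmac.compare_digest(_pbkdf2(password, salt), digest)
        self._audit(username, role, "login", "-", "allow" if ok else "deny")
        return Session(username, role) if ok else None

    # 2. Authorization: the role must permit the action and be cleared for every column.
    def authorize(self, s: Session, action: str, columns) -> bool:
        allowed = action in ROLE_ACTIONS[s.role] and all(c in visible_columns(s.role) for c in columns)
        self._audit(s.user, s.role, action, ",".join(columns), "allow" if allowed else "deny")
        return allowed

    # 3. Access: column names are whitelisted by authorize() before they reach the SQL,
    #    and the SELECT runs against the role's view.
    def read(self, s: Session, columns):
        if not self.authorize(s, "read", columns):
            return None
        return self.db.execute(f"SELECT {', '.join(columns)} FROM v_{s.role}").fetchall()

    def update(self, s: Session, patient_id: int, column: str, value) -> bool:
        if column not in COLUMN_CLASS or not self.authorize(s, "update", [column]):
            return False
        self.db.execute(f"UPDATE patients SET {column} = ? WHERE patient_id = ?", (value, patient_id))
        return True

    # 4. Audit: every decision, allowed or denied, is on record for later review.
    def audit_trail(self):
        return self.db.execute("SELECT user, role, action, object, outcome FROM audit").fetchall()
```

A denied request is as much an audit event as an allowed one: the `read(s, ["ssn"])` attempt by an analyst leaves a `deny` row, which is exactly the kind of access-behavior signal the "Monitor User Authentication and Access Behavior" activity is meant to review.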
52. Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
(1) Top Data Security Concerns & Requirements
(2) The Cost of Not Having Accurate Security
(3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A
Tweeting now: #dataed
53. Summary: Data Security Management
from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
54. References
55. Additional References
• http://www.dispatch.com/live/content/business/stories/2011/05/09/fbi-probing-consumer-data-breach-at-sony.html?sid=101
• http://sanfrancisco.cbslocal.com/2011/05/06/sony-ceo-apologizes-for-massive-playstation-data-breach/
• http://www.pcworld.com/article/226357/sony_playstation_network_personal_user_data_stolen.html
• http://www.reuters.com/article/2011/05/05/us-sony-insurance-idUSTRE74472120110505
• http://wiki.answers.com/Q/What_are_the_common_data_security_concerns_for_a_business
• http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
• http://www.informationweek.com/news/198701100
• http://blog.mpecsinc.ca/2010/05/update-heartland-payment-systems-breach.html
• http://www.computerworld.com/s/article/9070281/Hannaford_hit_by_class_action_lawsuits_in_wake_of_data_breach_disclosure
• Todd Newton: What Every Company Should Know About Data Security and Electronic Discovery
56. Questions?
It's your turn!
Use the chat feature or Twitter (#dataed) to submit your questions to Peter now.
57. Upcoming Events
June Webinar:
Master Data Management: Quality is not an Option but a Requirement
June 12, 2012 @ 2:00 PM ET/11:00 AM PT
July Webinar:
Practical Applications for Data Warehousing,
Analytics, BI, and Meta-Integration Technologies
July 10, 2012 @ 2:00 PM ET/11:00 AM PT
Sign up here:
• www.datablueprint.com/webinar-schedule
• www.Dataversity.net
Brought to you by: