data-ed online: how safe is your data? data security


Upload: dataversity

Post on 20-Aug-2015

TRANSCRIPT

Page 1: Data-Ed Online: How Safe is Your Data? Data Security

© Copyright this and previous years by Data Blueprint - all rights reserved!
Produced by: Data Blueprint, 10124-C W. Broad St, Glen Allen, VA 23060
Classification: Education
Date: 5/15/2012

Welcome!

Date: May 15, 2012
Time: 2:00 PM ET
Presenter: Dr. Peter Aiken
Twitter: #dataed

How Safe is Your Data? Data Security Management Webinar

Page 2: Data-Ed Online: How Safe is Your Data? Data Security


New Feature: Live Twitter Feed

Join the conversation on Twitter! Follow us @datablueprint and @paiken.

Ask questions and submit your comments: #dataed


Page 3: Data-Ed Online: How Safe is Your Data? Data Security


New Feature: LIKE US on Facebook

www.facebook.com/datablueprint

Post questions and comments

Find industry news, insightful content and event updates


Page 4: Data-Ed Online: How Safe is Your Data? Data Security


Meet Your Presenter: Dr. Peter Aiken


• Internationally recognized thought-leader in the data management field with more than 30 years of experience

• Recipient of the 2010 International Stevens Award

• Founding Director of Data Blueprint (http://datablueprint.com)

• Associate Professor of Information Systems at Virginia Commonwealth University (http://vcu.edu)

• President of DAMA International (http://dama.org)

• DoD Computer Scientist, Reverse Engineering Program Manager/Office of the Chief Information Officer

• Visiting Scientist, Software Engineering Institute/Carnegie Mellon University

• 7 books and dozens of articles

• Experienced w/ 500+ data management practices in 20 countries

#dataed

Page 5: Data-Ed Online: How Safe is Your Data? Data Security


How Safe Is Your Data?

Dr. Peter Aiken: Data Security Management Webinar

Page 6: Data-Ed Online: How Safe is Your Data? Data Security


Abstract: How Safe Is Your Data?

Our presentation provides you with an overview of the organizational data security management requirements that are necessary to meet industry benchmarks. Participants will understand the requirements for planning, developing, and executing security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets. By the end of our session, you will understand how effective data security policies and procedures ensure that the right people can use and update data in the right way, as well as the importance of restricting inappropriate access.

Page 7: Data-Ed Online: How Safe is Your Data? Data Security


Outline

1. Data Management Overview
2. What is data security management?
3. Why is data security important?
   (1) Top Data Security Concerns & Requirements
   (2) The Cost of Not Having Accurate Security
   (3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A

Tweeting now: #dataed

Page 8: Data-Ed Online: How Safe is Your Data? Data Security


The DAMA Guide to the Data Management Body of Knowledge


Data Management Functions (figure)

Published by DAMA International
• The professional association for Data Managers (40 chapters worldwide)

DMBoK organized around:
• Primary data management functions focused around data delivery to the organization
• Several environmental elements

Page 9: Data-Ed Online: How Safe is Your Data? Data Security


The DAMA Guide to the Data Management Body of Knowledge

Environmental Elements (figure)

Amazon: http://www.amazon.com/DAMA-Guide-Management-Knowledge-DAMA-DMBOK/dp/0977140083
Or enter the terms "dama dm bok" at the Amazon search engine

Page 10: Data-Ed Online: How Safe is Your Data? Data Security


What is the CDMP?

• Certified Data Management Professional
• DAMA International and ICCP
• Membership in a distinct group made up of your fellow professionals
• Recognition for your specialized knowledge in a choice of 17 specialty areas
• Series of 3 exams
• For more information, please visit:
  – http://www.dama.org/i4a/pages/index.cfm?pageid=3399
  – http://iccp.org/certification/designations/cdmp

Page 11: Data-Ed Online: How Safe is Your Data? Data Security


Data Management


Page 12: Data-Ed Online: How Safe is Your Data? Data Security


Data Management


Manage data coherently.

Share data across boundaries.

Assign responsibilities for data.

Engineer data delivery systems.

Maintain data availability.

Data Program Coordination

Organizational Data Integration

Data Stewardship

Data Development

Data Support Operations


Page 13: Data-Ed Online: How Safe is Your Data? Data Security

Outline (repeated from slide 7).

Page 14: Data-Ed Online: How Safe is Your Data? Data Security


Summary: Data Security Management

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 15: Data-Ed Online: How Safe is Your Data? Data Security


Definition: Data Security Management

Planning, development and execution of security policies and procedures to provide proper authentication, authorization, access and auditing of data and information assets.

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 16: Data-Ed Online: How Safe is Your Data? Data Security

Outline (repeated from slide 7).

Page 17: Data-Ed Online: How Safe is Your Data? Data Security


Top Data Security Concerns

1. Confidentiality
   – Making sure that data that is supposed to be restricted to the company stays within the company
2. Integrity
   – Ensure that there are no changes to data except intentional ones
3. Availability
   – Ability to get data when it is needed
4. Non-repudiation
   – Ability to prove what was sent, when, and who sent it, as well as what was delivered, when it was delivered and who received it

Page 18: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Requirements

Requirements and the procedures to meet them are categorized into 4 basic groups (the 4 As):

1. Authentication: Validate users are who they say they are
2. Authorization: Identify the right individuals and grant them the right privileges to specific, appropriate views of data
3. Access: Enable these individuals and their privileges in a timely manner
4. Audit: Review security actions and user activity to ensure compliance with regulations and conformance with policy and standards

Page 19: Data-Ed Online: How Safe is Your Data? Data Security


Data Security in the News: 6 Worst Data Breaches of 2011

1. Sony
   – Attacks compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures
   – Failure to protect 100+ user records
   – On-going customer relations fallout and class-action lawsuits
   – Recovery costs: $2+ million
2. Epsilon
   – Cloud-based email service provider fell victim to spear-phishing attack
   – Breach affected data from 75 clients who trusted Epsilon with their customers’ data
   – 60 million customer email addresses were breached (conservative estimate)
   – Largest security breach ever

Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross

Page 20: Data-Ed Online: How Safe is Your Data? Data Security


Data Security in the News, cont’d: 6 Worst Data Breaches of 2011

3. RSA
   – Didn’t involve consumer information but one of the world’s most-used 2-factor authentication systems
   – Failure to detail exactly what had been stolen by low-tech spear phishing attack
   – Result of this attack: Many companies retooled security and training processes to help prevent these low-cost, easy-to-execute social-engineering attacks
4. Sutter Physician Services
   – Thief stole desktop containing 2.2 million patients’ medical details
   – Security lapse on 2 levels:
     • (1) Data (unencrypted)
     • (2) Physical location (unsecured)
   – Failure to alert affected patients in timely manner
   – Class action lawsuit

Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross

Page 21: Data-Ed Online: How Safe is Your Data? Data Security


Data Security in the News, cont’d: 6 Worst Data Breaches of 2011

5. Tricare and SAIC
   – Backup tapes containing unencrypted data were stolen from an employee’s personal car
   – 5.1 million people affected: current and retired members of armed services and their families
   – Significant because victims are at risk of medical identity theft AND financial identity theft
   – $4.9 billion lawsuit
6. Nasdaq
   – Attack on Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors
   – Possible access to inside information that might have been sold to competitors or used to make beneficial stock market trades

Source: http://www.informationweek.com/news/security/attacks/232301079?itc=edit_in_body_cross

Page 22: Data-Ed Online: How Safe is Your Data? Data Security


Cost of NOT having Accurate Security: Other Examples

• 2008: Heartland Payment Systems
  – 130 million credit card numbers
  – $140 million recovery costs
• 2008: Hannaford Bros.
  – 4.2 million credit and debit card numbers
  – Class action lawsuit
• 2007: TJX Co.
  – 45+ million credit and debit card numbers stolen
  – $250+ million recovery cost
• 2006: Department of VA
  – Stolen laptop exposed records on 26.5 million veterans, including SSNs
  – $14 million recovery costs
• 2005: Card Systems Solutions
  – 40 million credit and debit card accounts

Page 23: Data-Ed Online: How Safe is Your Data? Data Security


Polling Question #1: What is the cost of data security? Estimated cost per individual breach:

1. $194
2. $467
3. $855
4. $1026

Page 24: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Statistics (2011)

• Cost of individual data breach is decreasing for the first time in 7 years
• Cost of individual data breach:
  – $5.5 million (2011) vs. $7.2 million (2010)
• Cost per compromised record:
  – $194 (2011) from $215 (2010)
  – Exception: Breach as a result of malicious attacks average $222 per record (higher because companies need to do more after the fact)
• Costs are generally lower if organizations have Chief Information Security Officer (CISO)
• Other declines in 2011:
  – Average size of data breaches declined by 16%
  – Abnormal customer churn decreased by 18%
• Interesting fact: in 2011 39% of data breaches were caused by negligent insiders and 24% by system glitches

Source: http://www.informationweek.com/news/security/attacks/232602891

Page 25: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Statistics (2011)

• Breaches caused by malicious attacks increased: 37% (2011) from 31% (2010)
  – 50% malware
  – 33% malicious insiders
  – 28% device theft
  – 28% SQL injection
  – 22% phishing attacks
  – 17% social engineering attacks
• Businesses’ detection costs decreased by 6%: $428,330 (2011) from $455,670 (2010)
  – Companies are more efficient in investigating breaches and organizing around response plans
• Notification costs increased by 10%: $561,495 (2011)
  – Failure to accurately determine # of individuals affected can result in notifying more people than necessary, which leads to higher churn and other cost-increasing factors
  – Balance of being timely and accurate at the same time

Source: http://www.informationweek.com/news/security/attacks/232602891

Page 26: Data-Ed Online: How Safe is Your Data? Data Security


Other Costs Related to Data Security Breaches

• Customer churn (replacing lost customers with new ones)

• Value of stolen data

• Cost of protecting affected victims

• Cost of remedial security measures

• Fines/Lawsuits

• Loss of good will and reputation


Page 27: Data-Ed Online: How Safe is Your Data? Data Security


Other Examples of Security Breaches

Organization / Type of Security Breach:

• Boulder Hospital – Medical records thrown in trash exposing 14 patients
• Griffin Hospital – 1,000 patients’ radiology studies data stolen
• Proxima Alfa Investments LLC – Stolen backup tapes expose unknown number of clients’ names, addresses, SSNs, bank and tax numbers and copies of passports
• Educational Credit Management Corporation – Data of 3,300,000 names, addresses, DoB and SSNs exposed on stolen portable media device
• Northwestern Memorial Hospital – 250 patients’ files stolen from unlocked cabinets by cleaning crew

Source: http://dataloss.db.org/; David Schlesinger

Page 28: Data-Ed Online: How Safe is Your Data? Data Security


Other Examples, cont’d

Organization / Type of Security Breach:

• Evergreen, Vancouver, Washington Schools Information Cooperative – 5,000 employees’ information, including bank account information, SSNs and birth dates, compromised
• Connecticut Office of Policy and Management – Names, addresses and SSNs of 11,000 rebate applications stolen
• Thrivent Financial for Lutherans – Stolen laptop exposes 9,500 clients’ names, addresses, SSNs and health information
• Sony Online Entertainment – Data of 100 million gamers exposed when hackers broke into PC games network, including names, addresses, user names, passwords, credit card information

Source: http://dataloss.db.org/; David Schlesinger

Page 29: Data-Ed Online: How Safe is Your Data? Data Security


Polling Question #2: How much time should be committed to data security?

1. 1 day per week
2. Ongoing activity
3. 1 hour per day
4. 1 hour per month

Page 30: Data-Ed Online: How Safe is Your Data? Data Security


And in this corner we have Dave!


Page 31: Data-Ed Online: How Safe is Your Data? Data Security

Outline (repeated from slide 7).

Page 32: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Management Overview

Illustration from The DAMA Guide to the Data Management Body of Knowledge p. 37 © 2009 by DAMA International

(Figure: Data Security Management overview illustration)

Page 33: Data-Ed Online: How Safe is Your Data? Data Security


Goals and Principles

1. Enable appropriate, and prevent inappropriate, access to and change of data assets

2. Meet regulatory requirements for privacy and confidentiality

3. Ensure that the privacy and confidentiality needs of all stakeholders are met

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 34: Data-Ed Online: How Safe is Your Data? Data Security


Potentially Competing Concerns

1. Stakeholder Concerns
   • Clients, patients, students, citizens, suppliers, partners
2. Government Regulations
   • Restricting access to information
   • Openness, transparency and accountability
3. Proprietary Business Concerns
   • Competitive advantage, IP, intimate knowledge of customer needs/relationships
4. Legitimate Access Needs
   • Strategy, rules, processes

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 35: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Activities

• Understand Data Security Needs and Regulatory Requirements
  – Business requirements
  – Regulatory requirements
• Define Data Security Policy
• Define Data Security Standards
• Classify Information Confidentiality
• Audit Data Security
• Define Data Security Controls and Procedures
• Manage Users, Passwords, and Group Membership
  – Password standards and procedures
• Manage Data Access Views and Permissions
• Monitor User Authentication and Access Behavior

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 36: Data-Ed Online: How Safe is Your Data? Data Security


Primary Deliverables

• Data Security Policies
• Data Access Views
• Document Classifications
• Data Security Audits
• Data Security Controls
• Data Privacy and Confidentiality Standards
• User Profiles, Passwords and Memberships
• Data Security Permissions
• Authentication and Access History

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 37: Data-Ed Online: How Safe is Your Data? Data Security


Roles and Responsibilities

Consumers:
• Data Producers
• Knowledge Workers
• Managers
• Executives
• Customers
• Data Professionals

Participants:
• Data Stewards
• Data Security Administrators
• Database Administrators
• BI Analysts
• Data Architects
• CIO/CTO
• Help Desk Analysts

Suppliers:
• Data Stewards
• IT Steering Committee
• Data Stewardship Council
• Government
• Customers

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 38: Data-Ed Online: How Safe is Your Data? Data Security


Polling Question #4: Who is responsible for data security?

1. Everyone
2. CIO
3. Data Stewards
4. Data Security Officer

Page 39: Data-Ed Online: How Safe is Your Data? Data Security


Technology


• Database Management System

• Business Intelligence Tools

• Application Frameworks

• Identity Management Technologies

• Change Control Systems

• Practices & Techniques

• Organization & Culture

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 40: Data-Ed Online: How Safe is Your Data? Data Security

Outline (repeated from slide 7).

Page 41: Data-Ed Online: How Safe is Your Data? Data Security


Polling Question #3: What is the most common password?

1. 123456
2. password
3. asdf123
4. dragon

Page 42: Data-Ed Online: How Safe is Your Data? Data Security


Password Pointers

• Contains at least 8 characters
• Contains an uppercase letter and a numeral
• Not the same as the username
• Not the same as the previous 5 passwords used
• Not contain complete dictionary words in any language
• Not be incremental (password1, password2, etc.)
• Not have two characters repeated sequentially
• Not use adjacent characters on the keyboard
• Incorporate a space (if possible)
• Changed every 45 to 60 days

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
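The pointers above expressed as a checkable policy, as an added example that is not from the slide deck or from DMBoK: each rule becomes one check in a validator, password history is compared by digest so earlier passwords are never kept in clear, and the 45 to 60 day rotation window is reported separately. The word list, keyboard rows and sample passwords are constructed stand-ins.

```python
import hashlib
import re
from datetime import date

# Constructed stand-ins: a real deployment would load a multilingual word list
# and the keyboard layout(s) its users actually have.
DICTIONARY_WORDS = {"password", "dragon", "welcome", "summer", "secret", "monkey"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
HISTORY_DEPTH = 5            # slide: not the same as the previous 5 passwords
ROTATION_DUE_DAYS = 45       # slide: changed every 45 to 60 days
MAX_AGE_DAYS = 60


def digest(password):
    """Hypothetical helper: history stores digests, never clear-text passwords.
    A production system would use a salted slow hash (bcrypt, scrypt, argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _contains_dictionary_word(password):
    # "complete dictionary words": compare each whole alphabetic run, case-folded
    return any(word.lower() in DICTIONARY_WORDS
               for word in re.findall(r"[A-Za-z]+", password))


def _uses_keyboard_run(password, run_len=3):
    # "adjacent characters on the keyboard": any run of run_len neighbouring keys,
    # read forwards or backwards, e.g. "asd", "qwe", "321"
    lower = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            chunk = row[i:i + run_len]
            if chunk in lower or chunk[::-1] in lower:
                return True
    return False


def _is_increment_of_history(password, history):
    # "password1, password2": strip the trailing counter and ask whether the same
    # stem, bare or with another small counter, was one of the previous passwords.
    # Works on digests alone, so old passwords never have to be kept in clear.
    m = re.match(r"^(.*?)(\d+)$", password)
    if not m:
        return False
    stem = m.group(1)
    candidates = [stem] + [stem + str(n) for n in range(100)]
    return any(c != password and digest(c) in history for c in candidates)


def check_password(password, username, history):
    """Return the names of the slide's rules that the candidate violates.
    `history` holds digests of earlier passwords, newest first."""
    recent = set(history[:HISTORY_DEPTH])
    violations = []
    if len(password) < 8:
        violations.append("min_length_8")
    if not (any(c.isupper() for c in password) and any(c.isdigit() for c in password)):
        violations.append("needs_uppercase_and_numeral")
    if password.lower() == username.lower():
        violations.append("same_as_username")
    if digest(password) in recent:
        violations.append("reused_recent_password")
    if _contains_dictionary_word(password):
        violations.append("dictionary_word")
    if _is_increment_of_history(password, recent):
        violations.append("incremental")
    if re.search(r"(.)\1", password):
        violations.append("repeated_character")
    if _uses_keyboard_run(password):
        violations.append("keyboard_run")
    return violations


def advice(password):
    """Soft recommendation from the slide ("if possible"), not a hard failure."""
    return [] if " " in password else ["add_a_space"]


def rotation_status(last_changed_iso, today_iso):
    """'expired' after 60 days, 'due' from day 45 on, otherwise 'ok'."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age > MAX_AGE_DAYS:
        return "expired"
    if age >= ROTATION_DUE_DAYS:
        return "due"
    return "ok"


if __name__ == "__main__":
    # Constructed history for a user whose last two passwords followed a counter
    history = [digest("Tern Vivid 7"), digest("Tern Vivid 6")]
    for candidate in ("Tern Vivid 8", "password1", "Vivid Tern 83"):
        print(candidate, "->", check_password(candidate, "alice", history) or "ok",
              advice(candidate))
    print("rotation:", rotation_status("2012-03-01", "2012-05-15"))
```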

Page 43: Data-Ed Online: How Safe is Your Data? Data Security


Information Confidentiality Classifications

• For general audiences
  – Default
• Internal use only
  – Minimal risk if shared; not to be copied outside of the organization
• Confidential
  – Not shared outside of the organization
• Restricted Confidential
  – Only shown to individuals within the organization who "need to know"
• Registered Confidential
  – Shared only with the existence of a legal agreement

from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
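The 4 As from slide 18 and the confidentiality classifications above, walked through in code as an added example that is not from the deck or from DMBoK: one request is authenticated, authorized against the asset's classification, granted or denied, and every step lands in the audit history. The user attributes (internal, need-to-know topics, signed agreements), the mapping from each classification to a decision, and the sample users and assets are this example's own assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Classification levels from the slide, least to most restrictive.
LEVELS = ("general", "internal", "confidential",
          "restricted_confidential", "registered_confidential")
PBKDF2_ROUNDS = 100_000   # kept modest for the demo; tune upwards in production


class DataSecurityGateway:
    """Hypothetical gateway that walks one data request through the 4 As."""

    def __init__(self):
        self.users = {}       # username -> credential plus authorization attributes
        self.audit_log = []   # the "Authentication and Access History" deliverable

    def register(self, username, password, internal, need_to_know=(), agreements=()):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "internal": internal,                 # employee vs. outside party (assumed attribute)
            "need_to_know": set(need_to_know),    # topics this person is cleared for
            "agreements": set(agreements),        # ids of signed legal agreements
        }

    def _audit(self, step, username, asset_id, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "step": step, "user": username, "asset": asset_id, "outcome": outcome,
        })

    # 1. Authentication: validate users are who they say they are
    def authenticate(self, username, password):
        user = self.users.get(username)
        if user is None:
            self._audit("authenticate", username, None, "unknown_user")
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, user["digest"])   # constant-time compare
        self._audit("authenticate", username, None, "ok" if ok else "bad_password")
        return ok

    # 2. Authorization: this example's reading of the slide's classification levels
    def authorize(self, username, asset):
        user = self.users[username]
        level = asset["classification"]
        if level == "general":
            return True                                   # default: anyone
        if level in ("internal", "confidential"):
            return user["internal"]                       # stays inside the organization
        if level == "restricted_confidential":
            return user["internal"] and asset.get("topic") in user["need_to_know"]
        if level == "registered_confidential":
            return asset.get("agreement") in user["agreements"]   # legal agreement on file
        return False                                      # unknown level: fail closed

    # 3. Access: enable the privileged individual to actually get the data
    def access(self, username, password, asset):
        if not self.authenticate(username, password):
            return None
        allowed = self.authorize(username, asset)
        self._audit("access", username, asset["id"],
                    "granted" if allowed else "denied:" + asset["classification"])
        return asset["content"] if allowed else None

    # 4. Audit: review security actions and user activity
    def denied_events(self):
        return [e for e in self.audit_log if e["outcome"] not in ("ok", "granted")]


def demo():
    """Constructed directory and assets; returns the gateway and who got what."""
    gw = DataSecurityGateway()
    gw.register("alice", "Vivid Tern 83", internal=True, need_to_know={"hr"})
    gw.register("bob", "Quiet Otter 41", internal=False, agreements={"NDA-0017"})
    assets = {
        "press_release": {"id": "press_release", "classification": "general", "content": "public"},
        "staff_memo": {"id": "staff_memo", "classification": "internal", "content": "memo"},
        "salary_review": {"id": "salary_review", "classification": "restricted_confidential",
                          "topic": "hr", "content": "salaries"},
        "merger_plan": {"id": "merger_plan", "classification": "registered_confidential",
                        "agreement": "NDA-0017", "content": "plan"},
    }
    results = {}
    for user, pw in (("alice", "Vivid Tern 83"), ("bob", "Quiet Otter 41")):
        for name, asset in assets.items():
            results[(user, name)] = gw.access(user, pw, asset) is not None
    results[("bob", "wrong_password")] = gw.access("bob", "nope", assets["staff_memo"]) is not None
    return gw, results


if __name__ == "__main__":
    gateway, outcomes = demo()
    for key, granted in outcomes.items():
        print(key, "granted" if granted else "denied")
    print(len(gateway.denied_events()), "denied events in the audit history")
```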

Page 44: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Policies

• Americans with Disabilities Act (ADA)
• Cable Communications Policy Act of 1984 (Cable Act)
• California Senate Bill 1386 (SB 1386)
• Children’s Internet Protection Act of 2001 (CIPA)
• Children’s Online Privacy Protection Act of 1998 (COPPA)
• Communications Assistance for Law Enforcement Act of 1994 (CALEA)
• Computer Fraud and Abuse Act of 1986 (CFAA)
• Computer Security Act of 1987 – Superseded by the Federal Information Security Management Act (FISMA)
• Consumer Credit Reporting Reform Act of 1996 (CCRRA) – Modifies the Fair Credit Reporting Act (FCRA)
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
• Electronic Funds Transfer Act (EFTA)
• Fair and Accurate Credit Transactions Act (FACTA) of 2003
• Fair Credit Reporting Act

Page 45: Data-Ed Online: How Safe is Your Data? Data Security


Data Security Policies, cont’d

• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTCA)
• Drivers Privacy Protection Act of 1994
• Electronic Communications Privacy Act of 1986 (ECPA)
• Electronic Freedom of Information Act of 1996 (E-FOIA)
• Fair Credit Reporting Act of 1999 (FCRA)
• Family Education Rights and Privacy Act of 1974 (FERPA; also known as Buckley Amendment)
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Privacy Act of 1974
• Privacy Protection Act of 1980 (PPA)
• Right to Financial Privacy Act of 1978 (RFPA)
• Telecommunications Act of 1996
• Telephone Consumer Protection Act of 1991 (TCPA)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
• Video Privacy Protection Act of 1988

Page 46: Data-Ed Online: How Safe is Your Data? Data Security


Data Security in an Outsourced World• Any form of outsourcing increases risk to the organization• Data security risk is escalated to the outsource vendor• Transferring control (but not accountability) requires

tighter risk management and control mechanisms• Some mechanisms include:

– Service level agreements– Limited liability provisions in the outsourcing contract– Right-to-audit clauses in the contract– Clearly defined consequences to

breaching contractual obligations– Frequent data security reports from the service vendor– Independent monitoring of vendor system activity– More frequent and thorough data security auditing


from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 47: Data-Ed Online: How Safe is Your Data? Data Security


Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
   (1) Top Data Security Concerns & Requirements
   (2) The Cost of Not Having Accurate Security
   (3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A


Tweeting now: #dataed

Page 48: Data-Ed Online: How Safe is Your Data? Data Security

Data Security Standards
• Tools for data security
• Encryption standards/mechanisms
• Access guidelines
• Data transmission requirements
• Documentation requirements
• Remote access standards
• Security breach reporting
• Using mobile devices
• Storage of data on portable devices (laptops, phones, iPads) BYOD
• Disposal of devices


from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Tweeting now: #dataed

Page 49: Data-Ed Online: How Safe is Your Data? Data Security


Security Role Hierarchy Diagram


from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 50: Data-Ed Online: How Safe is Your Data? Data Security


Guiding Principles
1. Be a responsible data trustee (governance)
2. Understand and comply with pertinent regulations and guidelines
3. Use data-to-process and data-to-role matrices to document needs and guide role groups and permissions
4. Defining data security requirements and policies is a collaborative effort
5. Define security requirements in conjunction with development projects


from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 51: Data-Ed Online: How Safe is Your Data? Data Security


Guiding Principles, cont’d
6. Classify enterprise data against a confidentiality classification schema
7. Follow strong password guidelines
8. Create role groups, define privileges by role; grant privileges to users by role – where possible restrict users to one role
9. Formally manage the requests and approvals for initial authorizations and changes
10. Centrally manage user identities and group memberships


from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International
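Principles 3, 6, 8, 9 and 10 above describe one coherent control: a documented data-to-role matrix, a classification label on every dataset, privileges that flow only through roles, approved changes, and a single identity store. The following is an added example written for this page, not code from the webinar or from the DAMA-DMBOK; every dataset, role, user, classification level and clearance ceiling in it is constructed for illustration, and the helper names are this example's own. It derives role privileges from the matrix, flags matrix entries that grant a role data above the classification it is cleared for, lists users who hold more than one role (the exceptions principle 8 asks you to minimise), authorizes deny-by-default, and records approvals for role changes.

```python
"""Added example, not from the webinar or the DAMA-DMBOK: an in-memory model
of the role-based controls that guiding principles 3, 6, 8, 9 and 10 describe.
All datasets, roles, users, classifications and ceilings below are constructed."""

from enum import IntEnum


class Classification(IntEnum):
    """Principle 6: a confidentiality schema; higher value = more sensitive (constructed levels)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Principle 3: data-to-role matrix, dataset -> role -> permitted actions (constructed).
DATA_TO_ROLE = {
    "customer_pii": {"support_agent": {"read"}, "privacy_officer": {"read", "update", "delete"}},
    "order_history": {"support_agent": {"read"}, "analyst": {"read"}},
    "marketing_stats": {"analyst": {"read", "update"}, "marketer": {"read"}},
}

# Principle 6: every dataset carries a classification label (constructed).
DATA_CLASSIFICATION = {
    "customer_pii": Classification.RESTRICTED,
    "order_history": Classification.CONFIDENTIAL,
    "marketing_stats": Classification.INTERNAL,
}

# Highest classification each role is cleared for (constructed policy values).
ROLE_CEILING = {
    "support_agent": Classification.CONFIDENTIAL,
    "privacy_officer": Classification.RESTRICTED,
    "analyst": Classification.CONFIDENTIAL,
    "marketer": Classification.INTERNAL,
}

# Principle 10: one central store of identities and role memberships (constructed).
IDENTITY_STORE = {
    "alice": {"support_agent"},
    "bob": {"analyst", "marketer"},  # holds two roles: reported by the principle 8 check
    "carol": {"privacy_officer"},
}

# Principle 9: who may approve authorization changes (constructed).
APPROVERS = {"carol"}


def privileges_by_role(role):
    """Principle 8: a role's privileges come only from the matrix (dataset -> actions)."""
    return {ds: set(roles[role]) for ds, roles in DATA_TO_ROLE.items() if role in roles}


def matrix_violations():
    """Report matrix entries that grant a role data classified above its ceiling."""
    problems = []
    for dataset, roles in DATA_TO_ROLE.items():
        level = DATA_CLASSIFICATION[dataset]
        for role in roles:
            if level > ROLE_CEILING[role]:
                problems.append(
                    f"{role} granted {dataset} ({level.name}) above ceiling {ROLE_CEILING[role].name}"
                )
    return problems


def users_with_multiple_roles(store=IDENTITY_STORE):
    """Principle 8: 'where possible restrict users to one role' - list the exceptions for review."""
    return sorted(user for user, roles in store.items() if len(roles) > 1)


def authorize(user, dataset, action, store=IDENTITY_STORE):
    """Deny by default: allow only if a role the central store assigns grants the action."""
    for role in store.get(user, set()):
        if action in privileges_by_role(role).get(dataset, set()):
            return True
    return False


def request_role_change(user, role, approver, store=IDENTITY_STORE, log=None):
    """Principle 9: apply a role grant only with a recorded approval by a designated
    approver other than the affected user; every decision is appended to the audit log."""
    log = log if log is not None else []
    approved = approver in APPROVERS and approver != user and role in ROLE_CEILING
    log.append({"user": user, "role": role, "approver": approver, "approved": approved})
    if approved:
        store.setdefault(user, set()).add(role)
    return approved


if __name__ == "__main__":
    print("matrix violations:", matrix_violations())
    print("users with more than one role:", users_with_multiple_roles())
    print("alice may read order_history:", authorize("alice", "order_history", "read"))
    print("alice may update order_history:", authorize("alice", "order_history", "update"))
```

Running the block reports that the constructed matrix grants `support_agent` read access to a RESTRICTED dataset above that role's CONFIDENTIAL ceiling, which is exactly the kind of inconsistency a documented matrix plus a classification schema makes visible before any access is provisioned; the single-role check and the approval log give the audit evidence principles 8 and 9 call for.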

Page 52: Data-Ed Online: How Safe is Your Data? Data Security


Outline
1. Data Management Overview
2. What is data security management?
3. Why is data security important?
   (1) Top Data Security Concerns & Requirements
   (2) The Cost of Not Having Accurate Security
   (3) Data Security Statistics & Examples of Security Breaches
4. Data Security Management Building Blocks
5. Passwords & Policy Examples
6. Data Security Standards & Guiding Principles
7. Take Aways, References & Q&A


Tweeting now: #dataed

Page 53: Data-Ed Online: How Safe is Your Data? Data Security


Summary: Data Security Management


from The DAMA Guide to the Data Management Body of Knowledge © 2009 by DAMA International

Page 54: Data-Ed Online: How Safe is Your Data? Data Security


References


Page 55: Data-Ed Online: How Safe is Your Data? Data Security


Additional References
• http://www.dispatch.com/live/content/business/stories/2011/05/09/fbi-probing-consumer-data-breach-at-sony.html?sid=101
• http://sanfrancisco.cbslocal.com/2011/05/06/sony-ceo-apologizes-for-massive-playstation-data-breach/
• http://www.pcworld.com/article/226357/sony_playstation_network_personal_user_data_stolen.html
• http://www.reuters.com/article/2011/05/05/us-sony-insurance-idUSTRE74472120110505
• http://wiki.answers.com/Q/What_are_the_common_data_security_concerns_for_a_business
• http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
• http://www.informationweek.com/news/198701100
• http://blog.mpecsinc.ca/2010/05/update-heartland-payment-systems-breach.html
• http://www.computerworld.com/s/article/9070281/Hannaford_hit_by_class_action_lawsuits_in_wake_of_data_breach_disclosure
• Todd Newton: What Every Company Should Know About Data Security and Electronic Discovery


Page 56: Data-Ed Online: How Safe is Your Data? Data Security


Questions?


It’s your turn! Use the chat feature or Twitter (#dataed) to submit your questions to Peter now.

Page 57: Data-Ed Online: How Safe is Your Data? Data Security


Upcoming Events


June Webinar: Master Data Management: Quality is not an Option but a Requirement
June 12, 2012 @ 2:00 PM ET/11:00 AM PT

July Webinar: Practical Applications for Data Warehousing, Analytics, BI, and Meta-Integration Technologies
July 10, 2012 @ 2:00 PM ET/11:00 AM PT

Sign up here:
• www.datablueprint.com/webinar-schedule
• www.Dataversity.net