8/11/2019 Data Stewards vs. Digital Hoarders in a Game of RISK (237149651)
http://slidepdf.com/reader/full/data-stewards-vs-digital-hoarders-in-a-game-of-risk-237149651 1/27
Strategies in the
Game of
Keith Hartranft, CISSP
Information Security and Policy Officer
Library and Technology Services
Sara Rodgers
Chief Information Security Officer
Library and Technology Services
Data Stewards vs. Data Hoarders
Playing the Wrong Game
• Prioritize initiatives
• Classify data
• Analyze risk
A Three Pronged Approach
SANS 20 Critical Controls
Objectives:
• Implement controls proven to block known attacks
• Map specific actions to implement the controls
• Associate activities with NIST & NSA network security tasks
• Utilize procedures & tools for implementation and automation.
• Assess through proven metrics & testing
ISO 27002 Policy Administration
Objectives:
To provide Management direction and support for information security in accordance with business requirements and relevant laws and regulations through Information Security Policy.
Security Awareness
Objectives of SETA:
• Integrate skills and competencies into a common body of knowledge
• Produce relevant and needed security skills and competencies
• Change behavior or reinforce good security practices
Security Framework
Measuring Risk
[Figure: risk chart. Axes: Severity/Impact and Likelihood/Probability. Labels on the chart:]
• Collecting/storing restricted data on a large population with multiple copies and/or accessible by a large number of people
• Reducing number of people records with restricted data
• Reducing storage locations or limiting access
• Removing or redacting restricted data
Knowing the Board and the Rules
• Laws
• Regulations
• Asset Valuation & Risk
• The Players
Risk Reduction
Restrict
Redact
Remove
Executives
Risk Management
Legal
Information Security
Data User
Data Custodians
The Strategy of the 3 R’s
• Remove – Do we even need to collect it? Or can we dispose of it?
• Redact – If we store it, can we redact or obfuscate?
• Restrict – Who should see it? Access it? What views?
Security as the Ambassador
Be the liaison in the process of Data Risk Reduction
Risk Reduction
Restrict
Redact
Remove
Data Stewards
Data Hoarder
ROCK - The Process
R. – Recruit the appropriate team(s) members
O. – Organize Assets, Policies, and Possible Solutions
C. – Communicate with the Data Users
K. – Kickstart the process with Quick Wins!
Data Stewards
Recruit - Build Your Armies
Executives
Risk Management
Legal
Data Users
Data Custodians
Governance Regulation Compliance Committee (GRC)
Data E-Security
Organize - Arm Yourself With Policies
• Data Classification
• Retention Policies
• Other?
Data Retention Policy
Attributes of a Good Retention Policy:
• Value Based
• Clear goals for retention and accountabilities
• Defined Categories of Data
• Properly vetted with cross functional buy-in by the community
• Directs technology to support lifecycle sustainability
• Includes monitoring and compliance
Communicate - the Strategy of the 3 R’s
• Remove – Do we even need to collect it? Or can we dispose of it?
• Redact – If we store it, can we redact or obfuscate?
• Restrict – Who should see it? Access it? What views?
Communicate - AND I MEAN IT!!!
• Remove – Can simply remove it or do without?
• Redact – Who should be able to view it?
• Restrict – Who should access it? And HOW?
Examine a “Fountain” effect. What are some consequences?
Communicate – How to Comply With Data Retention
• Bring Strategies for Storage solutions
• Being a GOOD Steward – Disposing of Data Properly
• Know your Retention times
• Treat E-records like paper records
Communicate – Once We Reach Restrict, Protecting Access Controls
• 76% of breaches were the result of weak or stolen account credentials
• What’s the cost? Approx. $200 per record.
Communicate with the Leaders and Troops
• Meet with the Data Stewards and Users and pitch the steps and the consequences and results of each step
• Do your homework for proposals regarding what you think are “Quick Wins” and ask others to identify other “Quick Win” areas.
• Explain that greater Access Controls implemented by InfoSec are often the result of exhaustion of the first 2 R’s
KICKSTART! - Go for QUICK WINS!!!
• Propose some key targets for data removal
• Ask your Stewards to identify “Quick Wins” or Gains
• Monitor and maintain momentum for proposed projects
KICKSTART! - QUICK WIN Stories!
• F&A Review of Data Repositories
• PII in more globally viewable locations removed
• Duplicated Data in Test instances reduced
Deploy the Custodians - Technology
• Automating scans and searches for records dates
• Automated purges
• Provide end user tools
• Deploying data redaction or access control limitations
• MFA
Sustain Your Strategy – ROCK(S)?
• Repeatable processes
• Review technology tools for process automation
• Revisit timelines and record schedules
• Report annual records counts and reductions
WIN!!! With Strategies in the
Game of