Data Governance Within a Comprehensive IT Security Strategy

Ruth M. Reiss, CISM, CRISC

Sr. Security Consultant

© 2015 GuidePoint Security, LLC

CONFIDENTIAL AND PROPRIETARY

Ruth Reiss, Sr. Security Consultant

• Over 30 years of information technology experience

• Over 12 years in IT compliance and audit

• Software development

• Processes, standards, best practices

• IT audit

• IT Compliance and Security

• CISM, CRISC, PCIP, and QSA

[email protected]


IT Security Strategy

• Must align with business goals

• Have C-level sponsorship and commitment

• Based on processes and mechanisms to

– Control Threats

– Manage Vulnerabilities

• Need to ensure data

– Confidentiality

– Integrity

– Availability

• Therefore, data governance is a key component of your IT Security Strategy


Risk

Business Risk


Risk Management – Balancing Act

[Figure: balancing Effort against Security]

Manage IT Risk

• Manage the “risk”

• Assume risk

• Can’t be done without


Know Before You Manage


IT risk lies in data risk

• People want your data

– Hackers

– Insiders

– Thieves, including state-sponsored attackers

– Notoriety seekers

OR

• People don’t want YOU to have your data

– Political, a.k.a. hacktivism

– DDoS


Data Governance

• Manages data risk by

– Executive level commitment

– Planning / strategy

– Addressing regulations and laws

– Classifying data

– Cataloging data

– Determining data consumer and owner

– Defining roles and responsibilities

– Regulating data retention*

– Controlling usage, storage, and transmission

– Monitoring effectiveness

*Within context of any existing Records Retention Policy


Securing Your Data

• Protecting information requires

– Governance

• The plan

• Management commitment

• Definitions

• Policies & processes

• Monitor

– People

• Awareness

• Roles / Responsibilities

– Technology

• Variety of tools


Classify

• What is your data?

• Types of Data

– People

• PII, PHI, employee information, customer information

– Company

• Sales information, annual reports, real estate plans, formulas, intellectual property, contracts, transaction information

• Define categories in policy or framework

– Sensitive

– Confidential

– Secret

– Top Secret

– Internal use only

– Public

– Restricted

– Classified


Catalog

• Where is your data?

– At rest

• Storage on your network

• Storage in the cloud or at business partners

• Structured

– Databases

• Unstructured

– SharePoint, workstation files, server files, shared drives

– In flight

• Transmission in house

• Email, Instant messaging, Social media

• Communication with business partners


Consumer

• Who are your users?

• Determine data users

– Create the data (write privilege)

– View or obtain reports of the data (read privilege)

– Administer the data (provisions and revokes access, changes security settings, modifies structure)

• Determine owner

– Data owner approves entitlement to data

– Performs periodic entitlement reviews

– Owner determines classification, data retention*

• Define roles and responsibilities

– Address segregation of duties within a role

* Within the context of any existing Records Retention Policy


Controls

• How to protect?

• Data governance defines controls

– Encryption (including masking and truncating)

– Access restrictions / entitlements

– Backup requirements

– Retention period

– Proper storage locations

– Transmission requirements

– Considers all forms of the data

– Regulatory and legal obligations

• Based on data classification


Check and Double Check

• Monitor effectiveness of controls

• Check for data leakage

• Ensure consumers are educated and aware

• Measure effectiveness

• Report on effectiveness and trending

• Improve processes


Data Governance Roadmap

1. Classify data

2. Institute policies and procedures

3. Catalog data

4. Determine consumers and owners

5. Define roles and responsibilities

6. Identify risk associated with each data class

7. Identify and deploy controls by data class

8. Establish metrics to monitor effectiveness

9. Periodic data governance framework review


In Summary

• Data Governance manages IT risk by

– Defining accountability for data

– Decreasing risk of regulatory fines

– Improving data quality

– Decreasing cost of storage

– Improving data security


About GuidePoint Security

• Founded in October 2011 by industry experts

• Headquartered in Herndon, VA

– Office in St. Petersburg, FL

– Office in Wakefield, MA

• Certified as a Small Business

• PCI Qualified Security Assessor

• Amazon Web Services Consulting Partner


GuidePoint Professional Services

Practices include:

– Information Assurance

– Technology Integration

Key Differentiators

– All consultants have operational experience managing Security Programs

– Customized engagements based on customer needs

– Vendor-agnostic approach


Information Assurance Services


• Application Security

– Application Penetration Testing

– Secure SDLC Program Development

– Secure Code Review

• Security Assessments

– External Penetration Testing

– Internal Penetration Testing

– Wireless Penetration Testing

– Social Engineering

– Vulnerability Assessments

• Compliance and Risk Management

– Security Program Review

– CISO Advisory Services

– PCI DSS QSA Assessment Services

– IT Controls Reviews

– HIPAA Risk Assessment

– Meaningful Use Risk Assessment

• Incident Response / Forensics

– Incident Response Plan Development

– IR Tabletop Exercises

– Breach Assessments

– Incident Response

– Breach Investigation

– Digital Forensics

Questions?


Contact

• Ruth Reiss, Sr. Security Consultant

GuidePoint Security

Tampa, Florida

[email protected]
