Page 1: IAPP12 - A Holistic Approach to Protecting and Securing Enterprise Information

A Holistic Approach to Protecting and Securing Enterprise Information

Meenu Gupta, CISA, CISM, CISSP, CIPP, PMP
ISACA, COBIT 5 Security Taskforce
President, Mittal Technologies, Washington, DC

Page 2

Agenda

• Managing Business Information

• Challenges, Risks, Realities

• Solutions, Mitigations, Visions

• Information Governance vs Management

• Best Practices

Page 3

History of Information


"As a general rule, the most successful man in life is the man who has the best information." - Benjamin Disraeli

"We are more thoroughly an enlightened people, with respect to our political interests, than perhaps any other under heaven. Every man among us reads, and is so easy in his circumstances as to have leisure for conversations of improvement and for acquiring information." - Benjamin Franklin

"…knowledge has become the central, key resource that knows no geography." - Peter Drucker

"Information technology and business are becoming inextricably interwoven. I don't think anybody can talk meaningfully about one without talking about the other." - Bill Gates

Page 4

So, What’s the Problem?


EPA security breach exposes personal information of 8,000 people

The recent data breach at Massachusetts Eye and Ear Infirmary (MEEI)……

In the wake of a massive security breach on the business networking site LinkedIn, which resulted in the leaking of roughly 6.5 million user passwords……

The U.S. Federal Trade Commission has filed a lawsuit against hotel chain Wyndham Worldwide….

Managing Business Information

Page 5

Managing Business Information

Source: www.IronMountain.com

Page 6

Managing Business Information

Source: www.IronMountain.com

Page 7

Managing Business Information

Page 8

Managing Business Information

Page 9

Managing Business Information

Page 10

And to make matters worse…

Page 11

Challenges, Risks, Realities

• Inappropriate disclosure

• Lost

• Stolen

• Held for ransom

• Destructive

• Fraud

Page 12

Challenges, Risks, Realities

1. Lack of accountability

2. Carelessness

3. Lack of awareness

4. Malware infection

5. Hacking

6. Fraud

7. Improper disposal of equipment

Page 13

Challenges, Risks, Realities


Top Management Challenges Facing the Department of Transportation – OIG Report, March 2012

“To prevent unauthorized access to PII, OMB requires agencies to reduce the volume of and restrict access to information collected and maintained, as well as implement other security controls, such as encryption.

….

However, until these measures are implemented, the Department’s systems remain vulnerable to exploitation. For example, our ongoing audit of the United States Merchant Marine Academy’s (USMMA) network identified and exploited a critical vulnerability providing full access to the network, including databases containing sensitive midshipmen information.”

Page 14

Challenges, Risks, Realities


Recommendations on technical implementation guidelines of Article 4 - ENISA

Page 15

Solutions, Mitigations, Visions


What do the best legally compliant organizations look like?

Page 16

Malcolm Baldrige National Quality Award: Nestle Purina (2010)


Source: www.NIST.gov

4.2 Management of Information, Knowledge, and Information Technology

a. Data, Information, and Knowledge Management

(1) NPPC uses a multi-faceted approach to ensuring the integrity, accuracy, timeliness, and security of our performance data.

Page 17

Malcolm Baldrige National Quality Award: Bronson Methodist Hospital (2005)


Source: www.NIST.gov

In 2005, BMH dedicated over $28 million to capital investment, more than 7 percent of total budgeted expenses, in information technology, equipment, and facilities.

In addition, the system allows physicians to provide patient care from off-site locations by accessing patient information through a secure Internet connection.

Page 18

Best Legally Compliant Programs

Page 19

Best Legally Compliant Programs

• View Information as a key organization asset

• Understand the “Information Life Cycle”

• Not just “Manage” information, but “Govern” it.

• Find an approach that supports compliance with relevant laws, regulations, contractual agreements and policies

Page 20

Best Legally Compliant Programs

Will have:

• A unified approach to addressing data breaches

• Best practices, policies and procedures in place

• Effective technical measures in place

• A thorough understanding of various regulations

• A good grasp on data breach trends and statistics

• A good notification plan in place

Page 21


So how can we become a compliant organization?

Page 22

Information as a Key Asset

• Information Inventory

• Information Classification

• Information Valuation

• Information Stewards/Stakeholders

• Information Goals
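The inventory, classification and steward steps above, as an added example that is not code from the talk, from ISACA or from COBIT: a small Python scan that looks for a few sensitive data types in constructed sample records, assigns each dataset a classification level under an assumed four-level scheme, and maps the dataset to an assumed steward. The detector patterns, the classification scheme, the steward table and the sample records are all assumptions made for this illustration; the card check adds a Luhn pass so that an arbitrary run of sixteen digits is not flagged as payment data.

```python
"""Minimal information inventory and classification scan (added example).

Not from the talk or from COBIT. The classification levels, the steward
mapping and the sample records are constructed assumptions.
"""
import re
from collections import defaultdict

# Detectors for common PII/PCI fields. Patterns are deliberately simple;
# the card detector adds a Luhn check so random digit runs are not flagged.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_pii(text: str) -> set:
    """Return the set of sensitive data types found in a free-text value."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if EMAIL_RE.search(text):
        found.add("email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
            break
    return found


# Assumed classification policy: the highest-sensitivity type found wins.
LEVEL_FOR = {"ssn": "RESTRICTED", "card": "RESTRICTED", "email": "CONFIDENTIAL"}
RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


def classify(types: set) -> str:
    """Map detected data types to a classification level (default INTERNAL)."""
    levels = [LEVEL_FOR[t] for t in types] or ["INTERNAL"]
    return max(levels, key=RANK.__getitem__)


def build_inventory(records, stewards):
    """One inventory entry per dataset: classification, data types found,
    assigned steward, and whether encryption at rest is required
    (assumed policy: RESTRICTED data only)."""
    per_dataset = defaultdict(set)
    for dataset, value in records:
        per_dataset[dataset] |= detect_pii(value)
    inventory = {}
    for dataset, types in per_dataset.items():
        level = classify(types)
        inventory[dataset] = {
            "classification": level,
            "data_types": sorted(types),
            "steward": stewards.get(dataset, "UNASSIGNED"),
            "encrypt_at_rest": level == "RESTRICTED",
        }
    return inventory


# Constructed sample records: (dataset, field value). The card number is a
# well-known test number that passes Luhn; the SSN is synthetic; the ticket
# record carries a 16-digit run that fails Luhn and must not be flagged.
SAMPLE_RECORDS = [
    ("hr.employees", "Jane Doe, SSN 123-45-6789, jane.doe@example.com"),
    ("billing.orders", "order 4411 card 4111 1111 1111 1111 exp 12/29"),
    ("marketing.list", "newsletter subscriber bob@example.org"),
    ("ops.tickets", "ticket 987: printer on floor 3 jammed, 1234567890123456"),
]
SAMPLE_STEWARDS = {"hr.employees": "HR Director", "billing.orders": "Finance"}

if __name__ == "__main__":
    for name, entry in build_inventory(SAMPLE_RECORDS, SAMPLE_STEWARDS).items():
        print(f"{name:16} {entry['classification']:12} {entry['data_types']} "
              f"steward={entry['steward']} encrypt={entry['encrypt_at_rest']}")
```

The output is the starting point for the next bullets on the slide: a dataset with no steward is a governance gap to close, and the encrypt-at-rest flag is the kind of control decision that should follow from classification rather than precede it.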

Page 23

Information Life Cycle Approach

• Plan/Design/Build/Acquire

• Use/Operate

• Monitor

• Disposal

Page 24

Information Management Activities

• Information Management Plan

• Information Architecture

• Information Security

• Information Risk Profiles

• Information Risk Management

• Information Management Policies and Practices

• Information Audits

Page 25

Information Governance vs Management

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Page 26


Information Governance vs Management

Page 27

Best Practices

Is there such a thing?

Page 28

Best Practices

– COBIT, COBIT 5

– The Business Model for Information Security (BMIS), ISACA, USA, 2010

– The 2011 Standard of Good Practice for Information Security, Information Security Forum (ISF), UK, 2011

– Common Security Framework (CSF), Health Information Trust Alliance (HITRUST), USA, 2009

– Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI), Ministry of Defense, France, 2000

– Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH), USA, 1996 and 2009, respectively

– ISO/IEC 27000 series, Switzerland, 2009-2012

– National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, Department of Commerce, USA, 2010

– Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Carnegie Mellon Software Engineering Institute (SEI), USA, 2001

– Payment Card Industry Data Security Standard (PCI DSS) v2.0, PCI Security Standards Council, USA, 2010

Page 29

COBIT 5 Information Security Enablers

• Principles, policies and frameworks enabler

• Processes enabler

• Organisational structures enabler

• Culture, ethics and behaviour enabler

• Information enabler

• Services, infrastructure and applications enabler

• People, skills and competencies enabler

Page 30

COBIT 5 Enabler Model - Generic


Source: www.ISACA.org, COBIT 5 for Information Security

Page 31

COBIT 5 for Information Security – Information


Source: www.ISACA.org, COBIT 5 for Information Security

Page 32

Detailed Guidance – Information Types


Source: www.ISACA.org, COBIT 5 for Information Security

Page 33


Detailed Guidance – Information Roles

Source: www.ISACA.org, COBIT 5 for Information Security

Page 34


Detailed Guidance – Culture & Behavior

Source: www.ISACA.org, COBIT 5 for Information Security

Page 35

Questions?
