
MOSS ADAMS LLP | 1

WHAT IS SENSITIVE DATA? What's the Risk and What Do We Do About It?

Weston Nelson, Steve Fineberg, Steven Gin

MOSS ADAMS LLP | 2

Disclosure Statement

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

MOSS ADAMS LLP | 3

Moss Adams LLP

o Moss Adams is one of the 15 largest accounting and consulting firms in the U.S.

o 21 locations; 1,800 personnel

o Industry-focused service groups

o IT consulting specialists

MOSS ADAMS LLP | 4

Agenda

o What is sensitive data? Why do we care?

o Define the states of data in the data lifecycle

o How is your data at risk?

o Discuss what your organization is doing

o Review possible controls to protect your sensitive data

o Questions and Answers

MOSS ADAMS LLP | 5

What is Sensitive Data?

o What is important to your organization?

o Who owns or is responsible for sensitive data?

o Where does your sensitive data reside?

o Are there multiple versions of your sensitive data?

o Where does your data go and how is it protected?

MOSS ADAMS LLP | 6

What is Sensitive Data? (cont.)

o What is important to your organization?

o Student records

o Employee records

o Payment transactions

o Grades and examinations

o Faculty research

o Grant and donor data

o Other data?

MOSS ADAMS LLP | 7

What is Sensitive Data? (cont.)

o How are these data classified?

o Student records (PII, ePHI)

o Employee records (PII, ePHI)

o Payment transactions (cardholder data, in scope for PCI DSS)

o Grades and examinations (operational data)

o Faculty research (intellectual property)

o Grant and donor data (competitive information)

o Other data?

MOSS ADAMS LLP | 8

What is Sensitive Data? (cont.)

o Who owns or is responsible for sensitive data?

  o Administration

  o Enrollment

  o Test centers

  o Research personnel

  o Grants and funding departments

  o Medical staff

  o Professors

MOSS ADAMS LLP | 9

What is Sensitive Data? (cont.)

o Where does your sensitive data reside?

  o Internal

    o Campus network

    o Local workstations

  o External

    o Hosted co-location

    o Cloud

    o ??? (Do you really know?)

  o Mobile devices

MOSS ADAMS LLP | 10

What is Sensitive Data? (cont.)

o Are there multiple versions of your data?

  o Network file shares

  o Workstations, laptops

  o Third-party vendors

  o Removable media

  o E-mail

  o Cloud

  o Mobile devices

  o Hard copies

MOSS ADAMS LLP | 11

What is Sensitive Data? (cont.)

o Where does your data go and how is it protected?

  o Where is your data?

    o Data marts

    o File shares/servers

  o How is it transmitted?

    o Encrypted

    o Trusted recipient

MOSS ADAMS LLP | 12

What is Sensitive Data? (cont.)

o Where does your data go and how is it protected?

  o Who can access it?

    o Appropriate access

    o Authorized user

MOSS ADAMS LLP | 13

The Data Lifecycle

o From a data loss perspective, the industry has adopted three standard terms to describe the states of data in the data lifecycle:

  o Data at rest

  o Data in motion

  o Data in use

MOSS ADAMS LLP | 14

The Data Lifecycle (cont.)

o Data at rest

  o Data that is in storage and accessible by your organization. These data may be in disparate locations and stored on various types of media.

  o Examples include:

    o Spreadsheets, databases, application configuration files

MOSS ADAMS LLP | 15

The Data Lifecycle (cont.)

o Data in motion

  o Data that is in transit, flowing across internal networks and to the outside world

  o Includes data on wired and wireless networks

  o Examples

    o File being opened from a network drive on a workstation, network packet data

MOSS ADAMS LLP | 16

The Data Lifecycle (cont.)

o Data in use

  o Data that is being accessed or used by a system at a point in time

  o Examples

    o Data in temporary memory on a local machine

    o File being copied to a USB drive

    o Data being copied and pasted from one file to another

MOSS ADAMS LLP | 17

How Is Your Data At Risk?

o Risks related to data states

  o Inappropriate access, theft (data at rest)

  o Interception (data in motion)

  o Misuse, abuse of access (data in use)

o Risks related to data location

  o Unintentional transmission (mobile devices)

MOSS ADAMS LLP | 18

Establishing an Understanding of the Data

o Education and communication as to what is critical to the organization

o Protocols or procedures for data usage

  o What is internal use only?

  o What is public?

  o What is restricted or used only by a few groups or individuals?

o Security protocols around data classes

MOSS ADAMS LLP | 19

What is your organization doing?

o Policies and procedures

o IT general controls

o Third-party vendor controls

o Education of users

MOSS ADAMS LLP | 20

Sensitive Data Controls

o To adequately protect against data loss, you should consider both systematic (system-enforced) and manual controls, to be applied at each data state

o Data state-specific controls

  o Data at rest

  o Data in motion

  o Data in use

o Supporting controls

MOSS ADAMS LLP | 21

Sensitive Data Controls (cont.)

o Data at rest

  o Encryption

  o Physical security

  o Physical media security and destruction

  o Mobile device protection

  o Endpoint security

  o Continuous discovery
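"Continuous discovery" is the control that answers slide 9's "??? (Do you really know?)": sensitive data tends to sit in exports and logs nobody declared. The following is an added example, not part of the Moss Adams deck, showing what a minimal discovery scan for data at rest looks like in Python: it walks a directory tree, looks for payment card numbers (validated with the Luhn checksum so phone numbers and record IDs are not flagged), U.S. Social Security numbers and e-mail addresses, and tags each finding with the data class from slide 7 (PCI or PII). The patterns, file-suffix filter and the sample CSV are assumptions constructed for illustration. Findings carry only masked values, so the scan report does not itself become one more copy of the data (slide 10's "multiple versions" problem).

```python
"""Sensitive-data discovery over files at rest (added example, not from the deck)."""
from __future__ import annotations

import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Candidate patterns (assumptions for illustration; tune per organization).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SCAN_SUFFIXES = {".csv", ".txt", ".log", ".json", ".ini", ".conf", ".xml"}


@dataclass
class Finding:
    path: str
    line: int
    kind: str        # PAN, SSN, EMAIL
    data_class: str  # classification from slide 7: PCI or PII
    sample: str      # masked; the report must not become another copy of the data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects phone numbers, invoice IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_digits(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # a 16-digit run that fails Luhn is not a card number
                findings.append(Finding(path, lineno, "PAN", "PCI", mask_digits(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, lineno, "SSN", "PII", mask_digits(m.group())))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(path, lineno, "EMAIL", "PII", mask_email(m.group())))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a file share or home directory; binaries and unreadable files are skipped."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            try:
                findings.extend(scan_text(str(p), p.read_text(errors="replace")))
            except OSError:
                continue
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per data class: the first thing a data owner (slide 8) needs to see."""
    return dict(Counter(f.data_class for f in findings))


# Constructed sample export, the kind of file a department leaves on a share.
SAMPLE_CSV = """\
customer,value,note
alice,4111 1111 1111 1111,Luhn-valid test card number -> PCI finding
bob,1234 5678 9012 3456,16 digits but fails Luhn -> ignored
carol,123-45-6789,SSN-shaped -> PII finding
dave,555-123-4567,phone number -> ignored
erin,erin@example.edu,contact address -> PII finding
"""


def demo() -> dict[str, int]:
    """Write the constructed sample into a temporary tree, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "finance").mkdir()
        (Path(d) / "finance" / "export.csv").write_text(SAMPLE_CSV)
        (Path(d) / "notes.bin").write_bytes(b"\x00\x01binary, skipped by the suffix filter")
        findings = scan_tree(Path(d))
        for f in findings:
            print(f"{f.path}:{f.line} {f.data_class}/{f.kind} {f.sample}")
        return summarize(findings)


if __name__ == "__main__":
    demo()
```

Run against a real share, the interesting output is not the count but the paths: every hit outside the locations inventoried on slides 9 and 11 is an undeclared copy that needs an owner. Two caveats a practitioner would add: regexes produce false positives (tighten with context, such as column names or nearby keywords, before acting on a hit), and the scanner itself reads every file, so it must run under a tightly scoped service account and its report must be stored as restricted data.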

MOSS ADAMS LLP | 22

Sensitive Data Controls (cont.)

o Data in motion

  o Perimeter security

  o Network monitoring

  o Internet access controls

  o Messaging

  o Remote access controls

  o Data collection and exchange

MOSS ADAMS LLP | 23

Sensitive Data Controls (cont.)

o Data in use

  o Access controls and monitoring

  o Privileged user monitoring

  o Export/save controls

  o Use of test data

  o Change and version controls

  o Data anonymization
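"Use of test data" and "Data anonymization" belong together: the most common way student or employee records end up in use outside production is a copy taken for development or testing. The block below is an added example, not from the Moss Adams deck, of keyed pseudonymization in Python using HMAC-SHA256. Identifiers are replaced by tokens that are deterministic for a given key, so a student table and a grades table still join after anonymization; the key is mixed with the field name so two different identifier types never collide; names are dropped; dates of birth are generalized to a year rather than tokenized. The record layout, field names and sample rows are constructed assumptions. The key is generated inline only so the example runs stand-alone; in practice it lives in production's secrets store and never reaches the test environment, because anyone holding it can recompute tokens from guessed identifiers (pseudonymized data is not anonymous data).

```python
"""Keyed pseudonymization for test data (added example, not from the deck)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# In production this key lives in a secrets manager and never reaches the test
# environment; it is generated here only so the example runs stand-alone.
DEMO_KEY = secrets.token_bytes(32)

# Constructed sample records (not real people). Both tables share student_id.
STUDENTS = [
    {"student_id": "S1001", "name": "Alice Example", "email": "Alice@Example.edu",
     "dob": "2001-04-17", "program": "Biology"},
    {"student_id": "S1002", "name": "Bob Sample", "email": "bob@example.edu",
     "dob": "1999-11-02", "program": "History"},
]
GRADES = [
    {"student_id": "S1001", "course": "BIO101", "grade": "A-"},
    {"student_id": "S1002", "course": "HIS210", "grade": "B+"},
    {"student_id": "S1001", "course": "CHM120", "grade": "B"},
]


def pseudonym(value: str, key: bytes, field: str, length: int = 16) -> str:
    """Deterministic keyed token: same (field, value, key) -> same token.

    The field name is mixed in so a student_id and an employee_id that happen
    to share a value do not receive the same token (domain separation).
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def anonymize_student(rec: dict, key: bytes) -> dict:
    return {
        "student_id": pseudonym(rec["student_id"], key, "student_id"),
        # direct identifiers that test code does not need are dropped outright
        "name": "REDACTED",
        # normalized before tokenizing so Alice@Example.edu and alice@example.edu agree
        "email": pseudonym(rec["email"].strip().lower(), key, "email") + "@example.invalid",
        # generalized rather than tokenized: tests may still need plausible ages
        "birth_year": rec["dob"][:4],
        # operational data (slide 7) is kept as-is
        "program": rec["program"],
    }


def anonymize_grade(rec: dict, key: bytes) -> dict:
    return {
        "student_id": pseudonym(rec["student_id"], key, "student_id"),
        "course": rec["course"],
        "grade": rec["grade"],
    }


def build_test_dataset(students: list[dict], grades: list[dict], key: bytes):
    return ([anonymize_student(s, key) for s in students],
            [anonymize_grade(g, key) for g in grades])


def leaks_raw_identifiers(anon_rows: list[dict], raw_rows: list[dict],
                          fields=("student_id", "name", "email")) -> bool:
    """Gate before the dataset leaves production: no raw identifier may survive."""
    raw_values = {str(r[f]).lower() for r in raw_rows for f in fields if f in r}
    return any(str(v).lower() in raw_values for row in anon_rows for v in row.values())


def referentially_consistent(anon_students: list[dict], anon_grades: list[dict]) -> bool:
    """Every grade row must still point at a student row after tokenization."""
    ids = {s["student_id"] for s in anon_students}
    return all(g["student_id"] in ids for g in anon_grades)


if __name__ == "__main__":
    s, g = build_test_dataset(STUDENTS, GRADES, DEMO_KEY)
    assert referentially_consistent(s, g)
    assert not leaks_raw_identifiers(s, STUDENTS) and not leaks_raw_identifiers(g, STUDENTS)
    for row in s + g:
        print(row)
```

Generalizing the birth date instead of tokenizing it is deliberate: a token would break tests that compute ages, while a full date combined with program is a quasi-identifier that can single out a student in a small cohort. The same reasoning applies to any column left in the clear, so the field list is a decision for the data owner (slide 8), not for whoever is refreshing the test database.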

MOSS ADAMS LLP | 24

Sensitive Data Controls (cont.)

o Supporting controls

  o Disaster recovery plan / business continuity plan

  o Training and awareness

  o Third-party management

  o Change management / SDLC

  o Identity / access management

MOSS ADAMS LLP | 25

Sensitive Data Controls (cont.)

o Supporting controls

  o Security information / event monitoring

  o Physical security

  o Employee screening

  o Regulatory compliance management

MOSS ADAMS LLP | 26

Other Control Considerations

o Tailor controls to each specific set of data

  o Data location

  o Breadth of access

  o Frequency of use or access

  o Organizational risk

MOSS ADAMS LLP | 27

What else can be done by Internal Audit?

o Annual risk assessments

  o A major overhaul of your risk assessment process isn't required

  o Consider asking the following questions for each area of the audit universe:

    o What is the associated data?

    o Is it sensitive data?

    o How frequently is sensitive data created for this area?

    o Where does it reside? (data at rest)

    o Who can access it? (data in use)

    o What is its vulnerability to theft, abuse, and misuse? (data in motion)

MOSS ADAMS LLP | 28

What else can be done by Internal Audit?

o Full organizational involvement

  o Administration

  o Enrollment

  o Test centers

  o Research personnel

  o Grants and funding departments

  o Medical staff

  o Professors

MOSS ADAMS LLP | 29

Key Points

o Sensitive data exists throughout and externally to your organization

o Different states of data have different risks and controls

o Specific controls can be implemented to address the varying states of data

o Everyone in your organization has a responsibility for protecting sensitive data

o By asking the right questions, your organization can ensure that sensitive data is identified and properly controlled

MOSS ADAMS LLP | 30

Questions and Answers

MOSS ADAMS LLP | 31

Thank You For Attending!

Weston Nelson, Director, Business Risk
[email protected]
(503) 478-2144

Steve Fineberg, Manager, Business Risk
[email protected]
(916) 503-8175

Steven Gin, Manager, Business Risk
[email protected]
(310) 295-3780