Developing a Data Protection Plan for Your Organization
Satya Sachdeva
Senior Principal, Information Management Practice
Hewlett-Packard
March 12, 2008
AGENDA - am
9:00 - 9:30 am: Satya Sachdeva, HP, Introduction to Developing Your Data Protection Plan
9:30 - 10:00 am: Kevin Bocek, PGP, Developing a Business Case for Enterprise Data Protection
10:45 - 11:15 am: David Hill, Principal, Mesabi Group, Data Protection: Fitting the Pieces of
11:15 - 11:45 am: Dan Bailey, Principal Solutions Architect, and Ros Schulman, Dir Data
11:45 am - Noon: Final Questions and Answers with Morning Speakers. Chairperson: Satya Sachdeva, HP
AGENDA - pm
2:30 - 3 pm: Jim Russ, VP Enterprise Technology, Nth Generation Computing, Local and Remote Data Protection: Leveraging the Latest Backup and Data Replication Techniques
3 - 3:30 pm: George Symons, CEO, Yosemite Technologies, Mobile User Data Protection
3:30 - 4 pm: Subra Kumaraswamy, Dir Info Security, and Brennan Baybeck, Dir IT
Premise: The Issue of Today's Workshop
- Information is now used as a currency for committing crimes
- Identity theft is a real threat
- 218 million records have been involved in data breaches
- 2007 was a record year, with more than 80 million stolen records
Opportunity
- Privacy as a differentiator
- Trust is not a commodity
- Brand elevation as an alternative to price leadership
Consumer data
- Ensure the security and confidentiality of customer nonpublic financial information records (privacy)
- Protect against any anticipated threats or hazards to the security or integrity of such records (safeguarding)
- Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to customers (pretexting)
EU Data Protection Directive (95/46/EC)
Security as an afterthought
Information lifecycle (diagram): the touch points at which information is handled
- Capture/Collect/Create Information
- Process Information
- Store Information
- Distribute Information
- Transport Information
- Destroy/Retain Information
- Other Organization
ACCOUNTABILITY
Custody
The organization should designate a person or team to be accountable for the organization's compliance with best practices and/or applicable Federal and State laws.
Flow processes: internal and external
IDENTIFY VULNERABILITIES
For each touch point:
- Identify and assign an accountable organizational unit
- Document a threat assessment
- Define and communicate a security policy
- Define a risk assessment
- Define a strategy for safeguards
Threat classification (diagram): threat sources are External or Internal; each is either Hostile or Non-Hostile; each of those is either Structured or Unstructured.
RISK ASSESSMENT
Impact analysis on the business when a touch point is compromised:
- What is the impact if a DBA or developer with access to production data copies customer
- What is the impact if someone breaks into HR and walks away with sensitive information about employees?
- What is the impact if a call center employee is able to print screens and copy them to a flash drive?
- What if a tape being sent over to a partner vendor is lost on the way?
SECURITY SAFEGUARDS
The nature and extent of the safeguards will vary depending on:
Break the organization into manageable pieces (diagram):
- LOB: General Bank, Wealth Mgt., Capital Mgt., Small Business
- Hierarchies: Account, Customer, Relationship, Activity
- Regulator, Outsource Vendor, Internal
Mitigation:
- Define acceptable risk at a high level
- Action plan (alternatives) for each prioritized piece
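As an added worked example (not part of the workshop deck, and not HP's or the speaker's own tool), the following Python script walks the deck's procedure for each touch point: assign an accountable unit, document threats using the internal/external, hostile/non-hostile, structured/unstructured classification, score impact against likelihood, flag what is missing from the inventory, and list the touch point/threat pairs that exceed an agreed acceptable-risk level. The touch points, owners, 1-to-5 impact and likelihood scales, and the acceptable-risk threshold are all constructed sample values; the four threats are taken from the deck's own risk-assessment questions.

```python
"""Touch-point risk register (constructed example, not from the original deck)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from itertools import product
from typing import List, Optional, Tuple


class Source(Enum):
    INTERNAL = "internal"
    EXTERNAL = "external"


class Intent(Enum):
    HOSTILE = "hostile"
    NON_HOSTILE = "non-hostile"


class Method(Enum):
    STRUCTURED = "structured"      # planned and repeatable
    UNSTRUCTURED = "unstructured"  # opportunistic or accidental


# Information lifecycle stages taken from the deck's diagram.
STAGES = ("capture", "process", "store", "distribute", "transport", "destroy/retain")


@dataclass(frozen=True)
class Threat:
    description: str
    source: Source
    intent: Intent
    method: Method
    likelihood: int  # 1 (rare) .. 5 (expected); constructed scale


@dataclass
class TouchPoint:
    name: str
    stage: str
    owner: Optional[str]   # accountable organizational unit; None means unassigned
    impact: int            # 1 (negligible) .. 5 (severe) if compromised; constructed scale
    threats: List[Threat] = field(default_factory=list)


def threat_classes() -> List[Tuple[Source, Intent, Method]]:
    """All eight cells of the deck's threat classification."""
    return list(product(Source, Intent, Method))


def risk_score(tp: TouchPoint, threat: Threat) -> int:
    """Simple impact x likelihood score (assumed scoring rule, not the deck's)."""
    return tp.impact * threat.likelihood


def completeness_gaps(register: List[TouchPoint]) -> List[str]:
    """Checks the 'for each touch point' steps: owner assigned, threats documented,
    and every lifecycle stage represented by at least one touch point."""
    gaps = []
    for tp in register:
        if tp.stage not in STAGES:
            gaps.append(f"{tp.name}: unknown stage {tp.stage!r}")
        if tp.owner is None:
            gaps.append(f"{tp.name}: no accountable unit assigned")
        if not tp.threats:
            gaps.append(f"{tp.name}: no threat assessment documented")
    covered = {tp.stage for tp in register}
    for stage in STAGES:
        if stage not in covered:
            gaps.append(f"stage {stage!r}: no touch point inventoried")
    return gaps


def prioritize(register: List[TouchPoint], acceptable_risk: int) -> List[Tuple[str, str, int]]:
    """Touch point/threat pairs scoring above acceptable risk, highest first."""
    rows = [(tp.name, t.description, risk_score(tp, t)) for tp in register for t in tp.threats]
    return sorted((r for r in rows if r[2] > acceptable_risk), key=lambda r: (-r[2], r[0]))


# Constructed sample register built from the deck's four impact questions.
REGISTER = [
    TouchPoint("production database", "store", "DBA team", 5, [
        Threat("DBA or developer copies customer data",
               Source.INTERNAL, Intent.HOSTILE, Method.STRUCTURED, 2),
    ]),
    TouchPoint("HR file room", "store", "HR", 4, [
        Threat("break-in removes employee records",
               Source.EXTERNAL, Intent.HOSTILE, Method.UNSTRUCTURED, 1),
    ]),
    TouchPoint("call center desktop", "process", None, 3, [
        Threat("screen prints copied to flash drive",
               Source.INTERNAL, Intent.HOSTILE, Method.UNSTRUCTURED, 3),
    ]),
    TouchPoint("backup tape to partner", "transport", "Operations", 5, [
        Threat("tape lost in transit",
               Source.EXTERNAL, Intent.NON_HOSTILE, Method.UNSTRUCTURED, 3),
    ]),
]

if __name__ == "__main__":
    for gap in completeness_gaps(REGISTER):
        print("gap:", gap)
    for name, desc, score in prioritize(REGISTER, acceptable_risk=6):
        print(f"{score:2d}  {name}: {desc}")
```

Run as a script, the register reports one touch point with no accountable owner and three lifecycle stages with no touch point inventoried at all, then lists the lost tape, the production copy and the call-center screen prints as the pieces needing an action plan; the HR break-in falls under the threshold and is accepted for now. Each action plan would then be written per prioritized piece, as the Mitigation slide directs.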
SUMMARY
points likely to be impacted
Thank you
Questions?
Satya Sachdeva
Senior Principal, Financial Services
973.978.9797
Satya.sachdeva@hp.com