
Tutorial T1A

Developing a Data Protection Plan for Your Organization
Satya Sachdeva
Senior Principal, Information Management Practice
Hewlett-Packard
March 12, 2008

RIGHT. FROM THE START. Better information, smarter business decisions.



Copyright 2005 Knightsbridge Solutions LLC

Tutorial T1A Developing a Data Protection Plan for Your Organization

AGENDA - am

9:00 - 9:30 am    Satya Sachdeva, HP: Introduction to Developing Your Data Protection Plan
9:30 - 10:00 am   Kevin Bocek, PGP: Developing a Business Case for Enterprise Data Protection
10:00 - 10:15 am  Morning Break
10:15 - 10:45 am  Dave Drab, Principal Info and Content Security, Xerox Global Services: Seven Steps to More Effective Information Security
10:45 - 11:15 am  David Hill, Principal, Mesabi Group: Data Protection - Fitting the Pieces of the Puzzle Together
11:15 - 11:45 am  Dan Bailey, Principal Solutions Architect, and Ros Schulman, Dir Data Protection, Hitachi Data Systems: Data Protection - It's Not Your Father's DR
11:45 am - Noon   Final Questions and Answers with Morning Speakers. Chairperson: Satya Sachdeva, HP


Tutorial T1A Making Your Data Protection Plan Work

AGENDA - pm

2:30 - 3:00 pm    Jim Russ, VP Enterprise Technology, Nth Generation Computing: Local and Remote Data Protection - Leveraging the Latest Backup and Data Replication Techniques
3:00 - 3:30 pm    George Symons, CEO, Yosemite Technologies: Mobile User Data Protection - From Obstacles to Best Practices
3:30 - 4:00 pm    Subra Kumaraswamy, Dir Info Security, and Brennan Baybeck, Dir IT Security, Sun Microsystems: Case Study of a Major Protection Initiative
4:00 - 4:30 pm    Breakout Sessions
                  Data Protection Methods - David Hill
                  Security Management - Subra Kumaraswamy and Brennan Baybeck
                  Threat Analysis - Jim Szafranski
4:30 - 5:00 pm    Breakout Session Report Panel Discussion


INTRODUCTION TO DEVELOPING YOUR DATA PROTECTION PLAN


Background on sensitive data
  The issue facing businesses today
  What is customer sensitive data?
  Why protect sensitive data?
  Imperatives of current and upcoming legislation
  Challenges in protecting sensitive data
Overall framework to develop your data protection plan
  Need for a framework?
  Components of the framework


THE ISSUE - Premise of Today's Workshop

Information is now used as a currency for committing crimes
  Identity theft is a real threat
  218 million records have been involved in data breaches
  2007 was a record year with more than 80 million stolen records

Impact on businesses is huge. Risks include:
  Direct losses as a result of fraudulent charges
  Loss of stock value, brand equity, and customer trust
  Class action lawsuits if stolen data leads to cases of identity theft


WHAT CONSTITUTES CUSTOMER SENSITIVE DATA?

Customer sensitive data is information used by identity thieves to steal identity (and rates are increasing faster than ever)

Any combination of the following pieces of information that uniquely identify you:
  Name and address
  SSN
  Driver's license #
  Name, address and mother's maiden name
  Credit card #
  Account #
  User ID and password

Also known as Personally Identifiable Information (PII)


WHY PROTECTING CUSTOMER SENSITIVE DATA IS ESSENTIAL

As per industry statistics, compromised firms could lose an average of 2% in market capitalization per incident
  ChoicePoint shares fell 11% after a security breach; the company paid $15 million to settle charges
  Extreme case: DoubleClick lost $5B of market cap due to concerns over its privacy plans

Impairment of brand equity

Loss of consumer trust

Compliance with national and international laws

Class action lawsuits could be a killer

Opportunity
  Privacy as a differentiator
  Trust is not a commodity
  Brand elevation as an alternative to price leadership


IMPERATIVES OF CURRENT AND FUTURE LAWS


California's Database Security Breach Notification Act, SB 1386, and CA Civil Code 1798.85-86 and 1786-6
  Inform people whose identity information might have been compromised
  Can't use SSN as account #, ID # or employee #
  20 states have joined California in requiring organizations to notify individuals if their SSN, driver's license numbers, financial account numbers or other sensitive information is exposed to unauthorized people

Gramm-Leach-Bliley Act (GLBA): comprehensive guidelines for safeguarding consumer data
  Ensure security/confidentiality of customer nonpublic financial information records (privacy)
  Protect against any anticipated threats or hazards to the security or integrity of such records (safeguarding)
  Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to customers (pretexting)

The Safe Harbor Framework, developed by the U.S. Department of Commerce for compliance in response to EU laws
  Effective since 2003 and voluntary in nature
  Applies to multinational organizations which receive PII data from the EU
  Covers data privacy, data security and data integrity


IMPERATIVES OF CANADIAN AND EUROPEAN LAWS


In these regions, laws are more comprehensive and are often on the consumer's side. Unlike U.S. laws that are focused on a specific vertical, these are all-encompassing.

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  Impacts U.S. businesses if they buy or collect information on Canadian consumers via a Canadian business entity (i.e. subsidiary or partner)
  The U.S. entity must ensure the sensitive information will receive the protection level required by PIPEDA

European Union Data Protection Directive (95/46/EC)
  Information should be collected for specific, legitimate purposes only, and be stored in individually identifiable form no longer than necessary
  EU data can flow freely to U.S. companies if they are in compliance with the Safe Harbor Framework


CHALLENGES IN PROTECTING SENSITIVE DATA BY BUSINESSES


Ubiquitous nature
  Where does it live? Where is it processed? How is it used?
  What are all the touch points?
  Structured and unstructured
  Different types of media
Organizational challenges
  Accountability
  Awareness across depth and breadth of the organization
Ever changing methods of attack
  2005 worldwide study: "Unknown" showed up in survey responses as the 2nd most prevalent attack type, 4th most common attack method, and 3rd highest attack source
  Source for the study: CIO Magazine - 09/15/2005


CHALLENGES IN PROTECTING SENSITIVE DATA BY BUSINESSES

Attackers vs. Defenders
  Attacker needs to understand only one vulnerability
  Defender needs to secure all entry points
  Attackers have unlimited time
  Businesses have to work within time and cost constraints

Security vs. Usability
  Secure systems are more difficult to use
  Performance impact
  Complex and strong passwords are difficult to remember

Security as an afterthought ("Do I need security?")
  Developers and management think that security does not add any business value
  Addressing vulnerabilities just before software is released is very expensive and ineffective


NEED FOR A FRAMEWORK


Companies are spending $30b on IT security but expensive breaches continue

Most efforts focus on network and application security

At least 25% of all breaches are carried out by internal staff

Major categories of breaches reported in the last 12 months
  Hacking
  Stolen laptops / computers
  Lost tapes or media
  Malicious insiders
  Business processes with leakages

Businesses must
  Proactively identify all the touch points and vulnerabilities of sensitive data
  Take appropriate measures in mitigating risks associated with each touch point
  This requires a systematic approach


INFORMATION LIFECYCLE-BASED FRAMEWORK

[Diagram: information lifecycle stages, shared between the organization and any Other Organization it exchanges data with: Capture/Collect/Create Information; Process Information; Store Information; Transport Information; Distribute Information; Destroy/Retain Information]

The principles and approach will apply to any organizational unit that touches information
  Could be big or small, macro or micro level
  Information could be stored on any media: paper, tape, disk
  Could represent a partner organization, i.e. supplier, processor, customer
  Could apply to any kind of information, i.e. customer information, employee information or other classified information


ACCOUNTABILITY

An organization is responsible for personal data in its possession or custody
The organization should designate a person or team to be accountable for the organization's compliance with the best practices and/or applicable Federal and State laws


ACCOUNTABILITY

Questions an organization should consider
  Does it have at least one individual responsible for data collected, used, maintained, or stored by the organization?
  Is the individual accountable for protecting all information held by the organization or transferred to another organization for processing?
  Does the person have authority and the support of senior management?
  Does the accountable person have in-depth knowledge of information management techniques, computers and telecommunications?
  Does the organization have documented information policies and practices?
  Does the organization have a detailed process flow for sharing or distributing various categories of information?

Accountability must be deep-rooted in a corporation; a CPO or CSO is not enough.
Every organization within the corporation MUST have an accountable person.


INVENTORY AND CATEGORIZE

For an organization to follow the best practices and comply with federal and state laws, a comprehensive, up-to-date inventory of all sensitive data is critical
  Categorize information by type, purpose and sensitivity level
  Define a policy for each sub category
  Implement a process to keep information current


IDENTIFY ALL TOUCHPOINTS


Human-machine interfaces
  BI access, remote or local
  Operational system interfaces
  Web interfaces
Machine-machine interfaces
Developers and DBAs accessing data via applications, SQL or any other means, in development, test, QA or production environments
Data hand-offs in business work flow processes
  Internal and external


IDENTIFY VULNERABILITIES

For each touch point
  Identify and assign accountable organizational unit
  Document threat assessment
  Define and communicate security policy
  Define risk assessment
  Define strategy for safeguards

[Diagram: threat classification tree. Threat source: External or Internal; within each, intent: Hostile or Non-Hostile; within each, attack type: Structured or Unstructured]


RISK ASSESSMENT
Impact analysis on business when a touch point is compromised
  What is the impact if a DBA or developer with access to production data copies customer data on to a CD and walks away?
    Max number of customers potentially impacted
    Estimated cost per customer
    Total potential impact
  What is the impact if someone breaks into HR and walks away with sensitive information about employees?
  What is the impact if a call center employee is able to print screens and copy them to a flash drive?
  What if a tape being sent over to a partner vendor is lost on the way?


SECURITY SAFEGUARDS

The nature and extent of the safeguards will vary depending on:
  Sensitivity of the data that have been collected
  Amount, distribution, and format of the data
  Method of storage
  Method of transportation
  State of technological development
  Cost and reasonableness of implementation of the safeguards
  Level of risk

The security safeguards should protect data against accidental or unlawful loss, as well as unauthorized access, disclosure, copying, use, or modification as per the policy laid out

Organizations should protect personal data regardless of format or media


ONGOING MONITORING SYSTEM


Establishing an ongoing monitoring system is necessary not only to track the progress of compliance with various privacy/security requirements, but also to keep abreast of the changes in federal, state and international laws
The monitoring system should also keep abreast of changing threats and organizational/technological responses

Questions to ask
  Does your organization have a monitoring organization and program?
  Does your organization have a metrics system in place to track various aspects of information privacy and security?
  Does your organization have processes in place to monitor the overall threat environment?

The compliance monitoring system is often the most overlooked part of the Information Security Lifecycle


ONGOING MONITORING SYSTEM


Privacy and security audit organization
Metrics system to monitor
  Computed risk level
  Compliance level
  Encryption compliance level
  Various components of computed risk level
    Authorization metrics
    Access metrics
    Various data store counts
    Data transportation metrics
    Destination data store metrics
  Improvement status
  Percentage inventory completion status
Processes
  Educational and communication
  Policy review
  Enforcement


DIVIDING AND PRIORITIZING

Break the problem into manageable pieces
  Relate to the businesses
  Must be data/information relevant
  Must be contained

Prioritize the pieces
  Must be a risk-based process (impact, exposure, threats)
  Driven by a Stakeholder Group
  Process must be based upon metrics

Mitigation
  Define acceptable risk at a high level
  Action plan (alternatives) for each prioritized piece

[Diagram: example partitioning of a bank. LOB: General Bank, Wealth Mgt., Capital Mgt., Small Business. Hierarchies: Account, Customer, Relationship, Activity. Sources & Stores: Regulator, Outsource, Vendor, Internal]

SUMMARY

Identity theft through businesses is on the rise through different touch points

Protecting sensitive data for all stakeholders is critical to protect people likely to be impacted
  Acts as a differentiator as a trustworthy partner
  Protects against lawsuits and fines

Organizations need a systematic approach and planning due to the ubiquitous nature of the problem

Start with the basics, develop a plan
  Accountability
  Inventory/Categorization
  Identify Touch points and Vulnerabilities
  Assess Risk
  Apply Safeguards
  Remember this is not a one time exercise!


Thank you
Questions?

Satya Sachdeva
Senior Principal, Financial Services
973.978.9797
Satya.sachdeva@hp.com
