
Data Governance for Privacy, Confidentiality, and Compliance


Presentation Transcript


  1. SESSION CODE: SIA337
  Data Governance for Privacy, Confidentiality, and Compliance
  Javier Salido, CIPP, Sr. Program Manager, Trustworthy Computing Group, Microsoft Corporation

  2. Data Accumulation, Projections
  • In 2010 mankind will require the equivalent of 2.7 GB of storage space for each inhabitant of Earth (projection)
  Source: “How Much Information? 2003,” University of California Berkeley School of Information: http://www2.sims.berkeley.edu/research/projects/how-much-info-2003

  3. Data Security
  • Theft of intellectual property and spying
  • Personal data can be breached: stolen, lost or misused
  • Just under 219 million customer records were compromised in 436 separate incidents in 2009*
  • 60% of incidents were due to lost or stolen laptops or media*
  • Data breaches may lead to identity theft
  * Source: DataLossDB, http://datalossdb.org

  4. Cost of Data Breaches in 2009*
  • Average cost of an incident was $6.75 million U.S. (+2% over 2008)
  • 3.7% average customer churn following a data breach
  • 6% for communications, healthcare and pharmaceuticals
  • 5% for financial services
  * Source: Ponemon study, “Cost of a Data Breach,” January 2010, www.encryptionreports.com/

  5. Privacy, What Consumers Think
  • Consumers want to have control over*:
    • When their personal information is collected
    • Who it is shared with
    • How it is used by ALL parties involved
  • They are worried that inappropriate or careless use of technology will put their privacy at risk
  * Source: Joshua Gómez, Travis Pinnick and Ashkan Soltani, “KnowPrivacy,” June 1, 2009. http://www.knowprivacy.org/report/KnowPrivacy_Final_Report.pdf

  6. What Consumers Think
  • Top two reasons why consumers file privacy complaints in the U.S.*:
    • Perception that organizations employ deceptive practices to collect personal information from consumers
    • Perception that organizations employ business practices that contradict their privacy policies
  * Source: Joshua Gómez, Travis Pinnick and Ashkan Soltani, “KnowPrivacy,” June 1, 2009. http://www.knowprivacy.org/report/KnowPrivacy_Final_Report.pdf

  7. Complex Regulatory Landscape
  • Motivated by these threats, legislative bodies and industry associations have taken action
  • Organizations have to:
    • Protect the security and privacy of sensitive information
    • Comply with possibly contradictory:
      • Laws
      • Regulations
      • Industry standards (e.g. PCI DSS)

  8. The Challenges of Data Privacy, Security and Compliance
  • Security: protect all types of confidential data appropriately
  • Privacy: preserve and enforce customer choice and consent throughout the information lifecycle
  • Compliance: comply, and prove compliance, with laws, regulations and standards

  9. Meeting the Challenges
  Develop processes and tools that:
  • Look at privacy, security and compliance needs for all types of sensitive information in a holistic way
  • Evaluate threats and select controls that manage risk effectively and efficiently
  • Enable participation of all relevant parties in the organization (legal, HR, CPO/CSO, marketing, LOB)

  10. Agenda
  • A look at the challenges
  • Data governance for privacy, confidentiality, and compliance: a framework
  • The Cloud
  • Conclusion

  11. Data Governance for Privacy, Confidentiality and Compliance (DGPC) Framework
  • People (a DGPC-aware culture)
    • Executive management commitment
    • Engaged management team
    • Integrated governance organization
    • Trained, aware, and accountable staff
  • Process (DGPC embedded in processes)
    • Structured and repeatable processes
    • Practical and enforceable policies
    • Harmonized frameworks and standards
    • Effective internal control environment
  • Technology (DGPC enabled in technology)
    • Secure infrastructure
    • Identity and access control
    • Information protection
    • Auditing and reporting

  12. The DGPC Process
  • Manage DGPC Organization
    • Driven by the business strategy
  • Manage DGPC Requirements
    • Sources: GRC authority documents (external regulations, control frameworks, security and privacy standards) and harmonized GRC guidance (e.g. UCF)
    • Result: integrated GRC authority documents and the business, data and data compliance requirements
  • Manage DGPC Strategy & Policies
    • Result: DGPC strategy, data privacy and confidentiality principles, DGPC policies (data classification)
  • Manage DGPC Control Environment
    • Result: DGPC controls, both manual controls and technical controls

  13. DEMO: Harmonized Governance, Risk Management, and Compliance

  14. Information Lifecycle
  Stages: Collect, Update, Process, Delete, with data held in Storage between stages; a Transfer hands the data to another party and starts a new lifecycle there.

  15. Technology Domains
  • Secure Infrastructure
    • Safeguards against malware
    • Safeguards against unauthorized access to sensitive information
    • Protect systems from evolving threats
  • Identity and Access Control
    • Protect personal information from unauthorized access or use
    • Provide management controls for identity, access and provisioning
  • Information Protection
    • Protect sensitive personal information in structured databases
    • Protect sensitive personal information in unstructured documents, messages and records, through encryption
    • Protect data while on the network
  • Auditing and reporting
    • Monitor to verify integrity of systems and data
    • Monitor to verify compliance with business processes

  16. The Four Principles of Data Privacy & Confidentiality
  • Honor policies throughout the confidential data lifespan
  • Minimize risk of unauthorized access or misuse of confidential data
  • Minimize impact of confidential data loss
  • Document applicable controls and demonstrate their effectiveness

  17. Risk/Gap Analysis Matrix
  Rows (the four principles): Honor policies throughout the information lifecycle; Minimize risk of data misuse; Minimize impact of data loss; Demonstrate effectiveness of data protection policies and measures
  Columns (control domains): Secure Infrastructure; Information Protection; Identity and Access Control; Auditing and reporting; Manual Controls

  18. Risk/Gap Analysis Process
  • Clearly define the business purpose of the flow
  • Identify privacy, security and compliance objectives for the flow
  • Identify systems using the data

  19. Scenario (diagram): Customer, Application Server, Log Storage, Cloud Provider

  20. Risk/Gap Analysis Process (step: Diagram of flow; next step: Threat Identification)
  • Data Flow Diagrams (DFD)
  • Data stores & data flows
  • Place trust boundaries!

  21. Scenario with trust boundaries (diagram): Customer, Application Server, Log Storage, Cloud Provider, with trust boundaries drawn between the parties

  22. Scenario (diagram)

  23. Risk/Gap Analysis Process (step: Threat Identification, after Diagram of flow)
  • How to do this without being an expert?
  • Use a method to step through
  • Get specific about threats

  24. First DP&C Principle: Honor policies throughout the confidential data lifespan
  • Category 1: Choice and consent (collection, use and disclosure)
    • Does the system provide notice of data collection, use, disclosure and redress policies?
    • Does the system clearly and efficiently enable the user to make appropriate choices and provide consent for collection and use of personal information?
  • Category 2: Individual access and correction
    • Does the system provide the user with the means to verify the correctness of her/his information, and to modify it accordingly?

  25. First DP&C Principle: Honor policies throughout the confidential data lifespan
  • Category 3: Accountability
    • Does the system provide the necessary controls to enforce customer choice and consent and other policies, including use/enforcement of data classification?
  • Category 4: Compliance
    • Does the system meet applicable compliance requirements?
    • Does the system log relevant compliance information?

  26. Second DP&C Principle: Minimize risk of unauthorized access or misuse of confidential data
  • Category 1: Information Protection
    • Does the system provide reasonable administrative, technical and physical safeguards to ensure confidentiality, integrity and availability of data?
    • Can the system prevent/detect unauthorized or inappropriate access to data?

  27. Second DP&C Principle: Minimize risk of unauthorized access or misuse of confidential data
  • Category 2: Data quality
    • Does the system maintain accurate, timely and relevant data? How is this verified?
    • Does the system allow the user to make corrections as appropriate/applicable?

  28. Third DP&C Principle: Minimize impact of confidential data loss
  • Category 1: Information Protection
    • Does the system provide reasonable safeguards to ensure confidentiality of data after it is lost or stolen?
  • Category 2: Accountability
    • Do we have a data breach response plan and escalation path in place?
    • Does the system encrypt all confidential data?
    • Is adherence to data protection principles verified through appropriate monitoring, auditing and use of controls?

  29. Fourth DP&C Principle: Document applicable controls and demonstrate their effectiveness
  • Category 1: Accountability
    • Are plans, controls, processes and configurations properly documented?
  • Category 2: Compliance
    • Can compliance be verified through existing logs, reports and controls?
    • How is non-compliance reported? Is there a clearly defined escalation path?
    • Do we have a breach notification plan? Other plans required by law?

  30. Threat Enumeration

  31. Threat Identification (Collection/Update)
  See Microsoft’s Application Privacy Assessment: http://www.microsoft.com/datagovernance

  32. Differences from “Traditional” Security Threat Modeling
  • Focus is on data, not on applications
  • Model flows and storage, as opposed to application processes
  • One does not replace the other!
  See Microsoft’s IT Infrastructure Threat Modeling Guide: http://technet.microsoft.com/en-us/library/dd941826.aspx

  33. Risk/Gap Analysis Process
  • Build the Risk/Gap analysis matrix
  • Apply existing mitigations
  • Identify residual risk

  34. Risk/Gap Analysis Matrix (columns: Secure Infrastructure, Information Protection, Identity and Access Control, Manual Controls, Auditing and reporting)

  35. Risk/Gap Analysis Process
  • Identify additional mitigations
  • Determine risk treatment:
    • Mitigate
    • Transfer
    • Assume

  36. Risk/Gap Analysis Matrix (columns: Secure Infrastructure, Information Protection, Identity and Access Control, Manual Controls, Auditing and reporting)

  37. Risk/Gap Analysis Process
  • Ensure you are covering the entire data lifecycle
  • Examine each trust boundary
  • Have you made a clear decision on how each risk will be treated?
  • Are the mitigations done right?
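The data-centric process on slides 20 to 37 (diagram the flows and stores, place trust boundaries, enumerate threats per principle, fill the Risk/Gap matrix, apply and add mitigations, decide a treatment for every risk, and check that the whole lifecycle and every trust boundary were covered) can be carried in a small model so that the checks on slide 37 are mechanical. The following Python is an added example, not code from the deck or from Microsoft's data governance tooling. It uses the deck's scenario elements (Customer, Application Server, Log Storage at a Cloud Provider), but the trust zone names, the flows, the sample threats, mitigations and treatment decisions are constructed for the demonstration.

```python
"""Data-centric risk/gap analysis over a data flow diagram (DFD).
Added example, not code from the deck or from Microsoft's DGPC tooling. Elements
sit in trust zones; a flow between two zones crosses a trust boundary. The zone
names, flows, threats and mitigations below are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

PRINCIPLES = (
    "Honor policies throughout the information lifecycle",
    "Minimize risk of data misuse",
    "Minimize impact of data loss",
    "Demonstrate effectiveness of data protection policies and measures",
)
DOMAINS = ("Secure Infrastructure", "Information Protection",
           "Identity and Access Control", "Auditing and reporting", "Manual Controls")
LIFECYCLE = ("collect", "store", "process", "update", "transfer", "delete")

class Treatment(Enum):
    MITIGATE = "mitigate"
    TRANSFER = "transfer"  # e.g. contractually to the provider, or via insurance
    ASSUME = "assume"

@dataclass(frozen=True)
class Element:
    name: str
    zone: str  # trust zone (constructed label)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    stage: str  # one of LIFECYCLE
    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone

@dataclass
class Risk:
    flow: Flow
    principle: str
    domain: str
    threat: str
    mitigations: List[str] = field(default_factory=list)
    treatment: Optional[Treatment] = None  # None = residual, no decision recorded yet

def boundary_crossings(flows: List[Flow]) -> List[Flow]:
    """Flows to examine first: each one crosses a trust boundary."""
    return [f for f in flows if f.crosses_boundary()]

def build_matrix(risks: List[Risk]) -> Dict[Tuple[str, str], List[Risk]]:
    """Risk/Gap matrix: (principle, domain) cell -> risks placed in that cell."""
    matrix = {(p, d): [] for p in PRINCIPLES for d in DOMAINS}
    for r in risks:
        matrix[(r.principle, r.domain)].append(r)  # KeyError on an unknown cell
    return matrix

def gaps(matrix) -> List[Tuple[str, str]]:
    """Cells holding a risk for which no treatment has been decided."""
    return sorted(c for c, rs in matrix.items() if any(r.treatment is None for r in rs))

def uncovered_stages(flows: List[Flow]) -> List[str]:
    """Lifecycle stages that no modelled flow touches (the 'entire lifecycle' check)."""
    seen = {f.stage for f in flows}
    return [s for s in LIFECYCLE if s not in seen]

def scenario() -> Tuple[List[Flow], List[Risk]]:
    customer = Element("Customer", "customer")
    app = Element("Application Server", "corporate")
    logs = Element("Log Storage", "cloud provider")
    flows = [
        Flow(customer, app, "customer profile", "collect"),
        Flow(customer, app, "profile correction", "update"),
        Flow(app, app, "order processing", "process"),  # stays inside one zone
        Flow(app, logs, "transaction log", "store"),
        Flow(app, logs, "deletion request", "delete"),
    ]
    risks = [  # constructed sample threats, one per matrix cell of interest
        Risk(flows[3], PRINCIPLES[2], "Information Protection",
             "log records readable by provider staff or after media loss",
             ["encrypt before upload", "keys held outside the provider"], Treatment.MITIGATE),
        Risk(flows[3], PRINCIPLES[3], "Auditing and reporting",
             "no record of who read the stored logs"),  # undecided: reported as a gap
        Risk(flows[0], PRINCIPLES[0], "Manual Controls",
             "profile collected without notice and consent",
             ["notice and consent capture at collection"], Treatment.MITIGATE),
        Risk(flows[4], PRINCIPLES[0], "Information Protection",
             "deleted records persist in provider backups",
             ["contractual deletion SLA with the provider"], Treatment.TRANSFER),
    ]
    return flows, risks

def analyze() -> dict:
    flows, risks = scenario()
    matrix = build_matrix(risks)
    return {"crossings": boundary_crossings(flows), "gaps": gaps(matrix),
            "uncovered_stages": uncovered_stages(flows), "matrix": matrix}

if __name__ == "__main__":
    result = analyze()
    for f in result["crossings"]:
        print(f"boundary crossing: {f.src.name} -> {f.dst.name} [{f.data}, {f.stage}]")
    print("gaps (no treatment decided):", result["gaps"])
    print("lifecycle stages not modelled:", result["uncovered_stages"])
```

Running `analyze()` lists the four flows that cross a trust boundary (the internal processing step does not), reports the one matrix cell whose risk still has no mitigate/transfer/assume decision, and points out that no flow models the transfer stage, which is exactly the "entire lifecycle" and "clear decision for each risk" checks of slide 37. A real model would replace the constructed threats with the output of the per-principle question lists on slides 24 to 29.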

  38. Agenda
  • A look at the challenges
  • Data governance for privacy, confidentiality, and compliance: a framework
  • The Cloud
  • Conclusion

  39. What Changes
  Who controls each layer of the stack (Application, Virtual Machine, Server, Storage, Network) depends on the delivery model: on premise you control all of them; with IaaS and PaaS control is shared, the vendor taking over the lower layers and you keeping the upper ones; with SaaS the vendor controls the stack.
  Source: Mather, Kumaraswamy and Latif, “Cloud Security and Privacy,” O’Reilly 2009

  40. Three Elements to Consider
  • Transparency of the Cloud Service Provider (CSP)
    • Processes and procedures
    • Policies
    • Permanence
  • Compliance
    • Can you host your data in the cloud?
    • What do you need to meet your compliance obligations?
  • Risk analysis/risk management

  41. Transparency in Processes
  • Ask for documentation
  • Understand overall what they do for their ISMS and control framework: security and compliance
  • How will account provisioning be managed, and what authentication mechanisms are used?
  • Third parties?
  • Software development practices and testing?

  42. Transparency in Policies
  • Geolocation
  • Data retention and data destruction
  • Privacy
  • Architecture, patching, testing and new version rollout (SaaS and PaaS)
  • Vulnerabilities and breaches

  43. Transparency
  • Ask to see independent third party audits and attestations
  • Understand exactly what the certification/attestation is verifying
    • ISO 27001
    • SAS 70 Type I and Type II (SAS 70 has since been superseded by SSAE 16 and the SOC 1/SOC 2/SOC 3 reports; ask which report the provider actually holds and for which period)
  • Understand what is covered and what is not covered
    • Coverage of the platform does not imply coverage of applications

  44. Compliance
  • Can you put your data in the cloud … legally?
    • Intellectual property and trade secrets
    • Sensitive data (e.g. VAWA-protected and tax information)
    • Geolocation
  • Terms of the agreement?
    • SLA
    • Ownership of data, aggregated data and metadata
    • Special types of data
  • Does the CSP provide the documentation you need for compliance?

  45. Technology Domains
  • Secure Infrastructure
    • Safeguards against malware (filtering: spam, antivirus, firewalls)
    • Protect systems from evolving threats (patching and testing)
    • Virtualization: how is it used? (depends on service type)
    • PaaS development process from a security/privacy perspective
    • Roles and responsibilities between you and the provider
  • Identity and Access Control
    • Provisioning and administration of accounts
    • Model: role/group based, least privilege
    • Monitoring and auditing of accounts
    • Provider access to your data
    • Roles and responsibilities between you and the provider
  • Information Protection
    • Encryption of data while in storage and in transit
    • Key management
    • Data integrity and backups, data disposal methods
    • Data collection and retention by the provider
    • Data loss/leakage prevention
    • Roles and responsibilities between you and the provider
  • Auditing and reporting
    • What can be monitored and reported by the provider?
    • How does that meet your compliance needs?
    • Roles and responsibilities between you and the provider

  46. References
  • Security in the cloud at Microsoft
    • Global Foundation Services: physical and logical infrastructure security, http://www.globalfoundationservices.com/security
    • Business Productivity Online Services: security and risk management in E-mail, SharePoint, LiveMeeting and Instant Messaging for businesses, http://technet.microsoft.com/en-us/library/cc742708.aspx
  • Cloud Security Alliance, http://www.cloudsecurityalliance.org
  • Mather, Kumaraswamy, Latif, “Cloud Security and Privacy,” O’Reilly 2009

  47. ANNOUNCING: Data Governance Web Site, http://www.microsoft.com/datagovernance

  48. Agenda
  • A look at the challenges
  • Data governance for privacy, confidentiality, and compliance: a framework
  • The Cloud
  • Conclusion

  49. Conclusion
  In order to meet the challenges of data security and privacy, organizations need to:
  • Manage privacy, security and compliance risks for all types of sensitive information in a holistic way
  • Evaluate threats and select controls that manage risk effectively and efficiently
  • Enable participation of all relevant parties in the organization (legal, HR, CPO/CSO, marketing, LOB)

  50. Resources
  • Learning: Sessions On-Demand & Community, www.microsoft.com/teched
  • Microsoft Certification & Training Resources, www.microsoft.com/learning
  • Resources for IT Professionals, http://microsoft.com/technet
  • Resources for Developers, http://microsoft.com/msdn
