8 Steps To Protecting Personally Identifiable Information (PII)
Nagraj Seshadri
Security Technologist
www.sophos.com
Agenda
About Sophos
Threats to PII and consequences
8 Steps to Protect PII
Q & A
About Sophos
Security company: threat protection and data security
Founded in 1985
1500+ employees, 600+ in R&D
Solid growth, profitable
Business focus only
Gartner Leader: Endpoint Protection & Mobile Data Protection
Data Breach Incident Types
Source: http://datalossdb.org/statistics (Note: Similar categories have been combined and aggregated)
Chart of incident types (share of recorded breaches):
PCs (inc. laptops) lost/stolen: 31%
Hacks, virus: 17%
Web, email: 17%
Documents lost/stolen: 14%
Portable media lost/stolen: 10%
Fraud: 8%
Unknown: 4%
1. Define PII, Understand Regulations
PII = Name & Unique Identifier
Name: first name & last name, or first initial & last name
Unique identifier (any one of): Social Security #; State ID # or driver's license #; financial account # or credit card #; medical information
2. Identify PII in your organization
Diagram: where PII lives across the Core LAN, DMZ, and Internet Edge & Beyond: file shares and databases, security admins, local users, removable media, email (email gateway, email encryption), web, the Internet, remote users, and partners/customers.
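Steps 1 and 2 together define what to look for (a name combined with a unique identifier) and where to look (file shares, databases, mailboxes). The following discovery scanner is an added example, not code from the deck or from Sophos: it flags a record as PII only when a name co-occurs with an SSN-format or Luhn-valid card number, which is what keeps a scan of a whole file share from drowning in lone numbers. The name heuristic (two capitalised words), the regexes and the sample records are all constructed assumptions; a real DLP engine would use dictionaries or entity recognition for names.

```python
"""Added example: discovery scanner for the 'Name & Unique Identifier' PII rule.
Not part of the Sophos deck; the sample records below are constructed."""
import re

# US Social Security number (the slide's "Social Security #"), with the
# area/group/serial exclusions that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits with optional spaces/dashes; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Simplified name heuristic (assumption): two capitalised words, "First Last".
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return (kind, value) pairs for each unique identifier found."""
    ids = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop order numbers, ticket ids, etc.
            ids.append(("card", m.group()))
    return ids


def classify_record(text):
    """PII only when a name AND a unique identifier appear together."""
    names = NAME_RE.findall(text)
    ids = find_identifiers(text)
    return {"pii": bool(names) and bool(ids), "names": names, "identifiers": ids}


def scan(records):
    """Indices of the records that contain PII; what a file-share sweep reports."""
    return [i for i, rec in enumerate(records) if classify_record(rec)["pii"]]


# Constructed sample records (these are not real people or accounts).
SAMPLE_RECORDS = [
    "Jane Doe, SSN 078-05-1120, enrolled 2009",
    "Order 4412 paid with card 4111 1111 1111 1111 by John Smith",
    "Ticket 9921 from John Smith about printer in room 204",
    "Test fixture 1234 5678 9012 3456 (fails Luhn), no name present",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_RECORDS):
        print(i, classify_record(SAMPLE_RECORDS[i]))
```

Run over an export of a file share or a database dump one row at a time; the third and fourth records show the two false-positive classes the co-occurrence rule and the Luhn check remove (a name without an identifier, and a 16-digit number that is not a card).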
3. Assess PII Security Risks – Sample Model
Likelihood: High = 1, Med. = 0.5, Low = 0.1
Impact: High = 100, Med. = 50, Low = 10
Risk Level = Likelihood x Impact: 51 to 100 = High, 11 to 50 = Med., 1 to 10 = Low

Threat | Likelihood | Impact | Risk Level
Stolen laptop | 1 | 100 | 1 x 100 = 100 (High)
Accidental email | 0.5 | 50 | 0.5 x 50 = 25 (Med.)
Hack/malware | | |
Source: National Institute of Standards and Technology: Risk Management Guide for Information Technology Systems (SP 800-30)

Risk Level | Action
High | Strong need for corrective action
Medium | Corrective action within reasonable amount of time
Low | Assess if corrective action needed or risk acceptable
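The sample model above is small enough to turn into a scoring routine that keeps a threat register consistent. This is an added example, not code from the deck or from Sophos; the scales, bands and action text are the slide's, while the third threat row (the same laptop after full-disk encryption lowers the impact) is a constructed illustration of re-scoring residual risk after a step 6 control is applied.

```python
"""Added example: Likelihood x Impact scoring with the slide's sample model
(NIST SP 800-30 style). Not part of the Sophos deck."""

# Scales as given on the slide.
LIKELIHOOD = {"High": 1.0, "Med": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Med": 50, "Low": 10}

# Action per risk level, from the slide's action table.
ACTION = {
    "High": "Strong need for corrective action",
    "Med": "Corrective action within reasonable amount of time",
    "Low": "Assess if corrective action needed or risk acceptable",
}


def risk_score(likelihood, impact):
    """Risk = Likelihood x Impact on the slide's numeric scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Bands from the slide: 51-100 High, 11-50 Med., 1-10 Low.
    With these scales no product falls between bands; the >= comparisons are
    an assumption that lets any intermediate score still get a band."""
    if score >= 51:
        return "High"
    if score >= 11:
        return "Med"
    return "Low"


def assess(threats):
    """threats: iterable of (name, likelihood, impact).
    Returns rows sorted highest risk first so review starts with what matters."""
    rows = []
    for name, lik, imp in threats:
        score = risk_score(lik, imp)
        level = risk_level(score)
        rows.append({"threat": name, "score": score, "level": level,
                     "action": ACTION[level]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# The two rows worked out on the slide, plus a constructed residual-risk row:
# the same laptop once full-disk encryption has reduced the impact of its loss.
SAMPLE_THREATS = [
    ("Stolen laptop", "High", "High"),
    ("Accidental email", "Med", "Med"),
    ("Stolen laptop (encrypted)", "High", "Low"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_THREATS):
        print(f"{row['threat']:<28} {row['score']:>6} {row['level']:<5} {row['action']}")
```

The residual-risk row is the reason to keep the register as data rather than a one-off slide: after each control from step 5 or 6 is deployed, re-run the assessment and confirm the threat actually moved down a band.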
4. Destroy unwanted PII
Standards: DoD 5220.22-M, NIST SP 800-88: Guidelines for Media Sanitization
Media types: hard copy, soft copy (electronic)
Sanitization types: dispose, clear, purge, destroy (disintegrate, incinerate, pulverize, melt, shred)
Sources: NIST SP 800-88: Guidelines for Media Sanitization | http://www.ireport.com/docs/DOC-177240
5. Maximize security controls
Diagram: the Core LAN / DMZ / Internet Edge & Beyond map from step 2, overlaid with the controls that protect PII at each layer: intrusion prevention, firewalls, VPN, strong passwords, patching, anti-malware security, web security, access control, physical security, secure authentication, monitoring & reporting, and at the email gateway, email encryption.
6. Encrypt PII
Areas of concern: loss of devices, unprotected communication
Approaches: encrypt data at rest and data in motion
Technology: full disk encryption; USB, CD and removable media encryption; policy-based email encryption; central key management and backup; auditable encryption
7. Train, Train, Train!
Distribute policy, provide initial training, annual refresh, employee signoff
Audience: employees, business associates, administrators, helpdesk
Channels: emails, phone, web, town halls, surveys, weekly reports
8. Document, monitor and review
Was the lost laptop encrypted?
Are endpoints compliant with policy?
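Both questions on this slide can only be answered if the encryption and endpoint state from steps 5 and 6 is recorded centrally. The following is an added example, not code from the deck or from Sophos, of evaluating a small endpoint inventory against a written policy. The policy thresholds, the inventory export format and the host names and dates are all constructed assumptions; a real deployment would read this from the management server's reporting database.

```python
"""Added example: answering step 8's two questions from an endpoint inventory.
Not part of the Sophos deck; policy, hosts and dates are constructed."""
from datetime import date

# Policy (assumption): full-disk encryption on, anti-malware on, patched within 30 days.
POLICY = {"max_patch_age_days": 30, "require_fde": True, "require_antimalware": True}

# Constructed inventory in the shape a central management server might export.
INVENTORY = [
    {"host": "LT-0142", "user": "jdoe",   "fde": True,  "antimalware": True,  "last_patch": "2010-03-01"},
    {"host": "LT-0177", "user": "asmith", "fde": False, "antimalware": True,  "last_patch": "2010-02-20"},
    {"host": "WS-0310", "user": "bwong",  "fde": True,  "antimalware": False, "last_patch": "2009-12-15"},
]


def check_endpoint(ep, today, policy=POLICY):
    """Return the policy violations for one endpoint (empty list = compliant)."""
    issues = []
    if policy["require_fde"] and not ep["fde"]:
        issues.append("no full-disk encryption")
    if policy["require_antimalware"] and not ep["antimalware"]:
        issues.append("anti-malware off")
    age = (today - date.fromisoformat(ep["last_patch"])).days
    if age > policy["max_patch_age_days"]:
        issues.append(f"patches {age} days old")
    return issues


def compliance_report(inventory, today, policy=POLICY):
    """'Are endpoints compliant with policy?': host -> list of violations."""
    return {ep["host"]: check_endpoint(ep, today, policy) for ep in inventory}


def lost_device_was_encrypted(inventory, host):
    """'Was the lost laptop encrypted?': True/False from the record, or None
    when the host is not in the inventory at all, which is itself a finding
    (an unmanaged device that may hold PII)."""
    for ep in inventory:
        if ep["host"] == host:
            return ep["fde"]
    return None


if __name__ == "__main__":
    today = date(2010, 3, 10)   # constructed review date
    for host, issues in compliance_report(INVENTORY, today).items():
        print(host, "compliant" if not issues else "; ".join(issues))
    print("LT-0177 encrypted:", lost_device_was_encrypted(INVENTORY, "LT-0177"))
```

Keeping the report as data rather than a dashboard screenshot is what makes the annual review in step 7 and any breach-notification decision auditable: the answer to "was it encrypted?" comes from the record as it stood on the day of loss.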
Comprehensive Security for PII
Diagram: the Core LAN / DMZ / Internet Edge & Beyond map with product placement: a central management server (Mgmt. Center with an H/W security module) managing Endpoint Security & Control, Encryption and DLP for local users, remote users and partner/customer access; encryption & device control for removable media; encrypted file shares; security admins on the core LAN; and, at the email gateway, email encryption & DLP together with web security.
Thank You
Nagraj Seshadri
Security Technologist
www.sophos.com