8 Steps To Protecting Personally Identifiable Information (PII) Nagraj Seshadri Security Technologist www.sophos.com


Page 1: 8 Steps To Protecting Personally Identifiable Information (PII)

Nagraj Seshadri

Security Technologist

www.sophos.com

Page 2: Agenda

About Sophos

Threats to PII and consequences

8 Steps to Protect PII

Q & A

Page 3: About Sophos

Security company: threat protection and data security

Founded in 1985

1500+ employees, 600+ in R&D

Solid growth, profitable

Business focus only

Gartner Leader: Endpoint Protection & Mobile Data Protection

Page 4: Data Breach Incident Types

Source: http://datalossdb.org/statistics (similar categories have been combined and aggregated)

Share of incidents by type (chart):

PCs (incl. laptops) lost/stolen: 31%

Hacks, virus: 17%

Web, email: 17%

Documents lost/stolen: 14%

Portable media lost/stolen: 10%

Fraud: 8%

Unknown: 4%

Page 5: 1. Define PII, Understand Regulations

PII = Name & Unique Identifier

Name: first name & last name, or first initial & last name

Unique identifier (any one of):

Social Security #

State ID # or driver's license #

Financial account # or credit card #

Medical information

Page 6: 2. Identify PII in your organization

Diagram: where PII lives and flows, from the core LAN through the DMZ to the Internet edge and beyond. Zones and actors shown: file shares and databases, security admins, local users, removable media, remote users, email (email gateway, email encryption), web, partners and customers, Internet.
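Steps 1 and 2 together say: decide what counts as PII, then go and find it on file shares, databases and mailboxes. The following is an added example, not code from the Sophos deck, of the discovery piece: a small scanner that flags the two unique identifiers most worth finding first, Social Security numbers (rejecting the area, group and serial values the SSA never issues) and payment card numbers (13 to 19 digits, confirmed with the Luhn check so part numbers and invoice IDs do not fire). The sample lines, the function names and the masking format are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample of a file-share dump (not real data, not from the deck).
SAMPLE_LINES = [
    "John Smith, SSN 123-45-6789, opened account 2009-03-01",
    "Order 4242 shipped to J. Doe, card 4111 1111 1111 1111",
    "Part 1234-56-7890 restocked (part number, not an SSN)",
    "Build 2019.01 test card 4111 1111 1111 1112 is not valid",
    "Visitor badge 000-12-3456",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself does not become PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "ssn" or "card"
    masked: str


def scan_lines(lines):
    """Return one Finding per identifier found, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(n, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # Length bounds plus Luhn filter out most numeric noise.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(n, "card", mask(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print("line %d: %s %s" % (f.line_no, f.kind, f.masked))
```

Run against the sample, only lines 1 and 2 are reported; the part number, the Luhn-failing test card and the 000-prefixed badge are all skipped. A real sweep would feed this the extracted text of each file on a share, and would still need the step 1 rule (name plus identifier) applied before calling a hit a breach-notifiable record.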

Page 7: 3. Assess PII Security Risks – Sample Model

Source: National Institute of Standards and Technology, Risk Management Guide for Information Technology Systems (SP 800-30)

Likelihood: High = 1, Medium = 0.5, Low = 0.1

Impact: High = 100, Medium = 50, Low = 10

Risk level = Likelihood x Impact: 51 to 100 = High, 11 to 50 = Medium, 1 to 10 = Low

Threat            Likelihood  Impact  Risk level
Stolen laptop     1           100     1 x 100 = 100 (High)
Accidental email  0.5         50      0.5 x 50 = 25 (Medium)
Hack/malware

Risk level  Action
High        Strong need for corrective action
Medium      Corrective action within a reasonable amount of time
Low         Assess whether corrective action is needed or the risk is acceptable
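The slide rates two threats by hand. As an added example (not the deck's code), here is the same SP 800-30 scoring applied to a whole threat register, with the ratings validated, every row scored and banded, and the register sorted so the corrective-action list comes out highest risk first. The rating given to the slide's unrated "Hack/malware" row is an assumption made for the example.

```python
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}   # SP 800-30 example scale
IMPACT = {"high": 100, "medium": 50, "low": 10}
ACTION = {
    "High": "Strong need for corrective action",
    "Medium": "Corrective action within a reasonable amount of time",
    "Low": "Assess whether corrective action is needed or the risk is acceptable",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood x Impact; rejects ratings outside the three-level scale."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as e:
        raise ValueError("unknown rating: %s" % e)


def risk_level(score: float) -> str:
    """Bands from the slide: 51-100 High, 11-50 Medium, 1-10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Threat register: the slide's two rated rows plus an assumed rating
# for the "Hack/malware" row the slide leaves blank.
REGISTER = [
    ("Stolen laptop", "high", "high"),
    ("Accidental email", "medium", "medium"),
    ("Hack/malware", "medium", "high"),
]


def assess(register):
    """Score and band every threat, then sort highest risk first."""
    rows = []
    for threat, lk, im in register:
        score = risk_score(lk, im)
        level = risk_level(score)
        rows.append({"threat": threat, "score": score,
                     "level": level, "action": ACTION[level]})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def matrix():
    """All nine likelihood x impact cells and the band each lands in."""
    return {(lk, im): risk_level(risk_score(lk, im))
            for lk in LIKELIHOOD for im in IMPACT}


if __name__ == "__main__":
    for r in assess(REGISTER):
        print("%-17s %5.1f  %-6s %s" % (r["threat"], r["score"], r["level"], r["action"]))
```

One property of this scale worth checking before adopting it: only the High/High cell scores above 50, so a medium-likelihood, high-impact threat (the assumed hack/malware rating above) lands at 50, the top of Medium, and never triggers the "strong need for corrective action" row. If that is not the intent, the thresholds or the scale need adjusting rather than the ratings.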

Page 8: 4. Destroy unwanted PII

Standards: DoD 5220.22-M; NIST SP 800-88, Guidelines for Media Sanitization

Media types: hard copy, soft copy (electronic)

Sanitization types: dispose, clear, purge, destroy (disintegrate, incinerate, pulverize, melt, shred)

Sources: NIST SP 800-88: Guidelines for Media Sanitization | http://www.ireport.com/docs/DOC-177240
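SP 800-88 pairs every sanitization action with a verification step, and that is the part most scripts forget. The following is an added example, not from the deck, of the "clear" action at its simplest: overwrite a file that holds constructed PII, force it to stable storage, then read the whole thing back and confirm nothing but the overwrite pattern remains (full verification rather than sampling). The function names and the sample content are assumptions made for the example.

```python
import os
import tempfile

CHUNK = 64 * 1024


def clear_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file in place with zeros, `passes` times,
    syncing each pass to disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(left, CHUNK)
                f.write(b"\x00" * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())   # no sync, no evidence the pattern reached the media
    return size


def verify_cleared(path: str) -> bool:
    """Full verification: read the file back and confirm only the pattern is left."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if any(chunk):        # any non-zero byte means data survived
                return False


def demo() -> dict:
    """Create a throwaway file of constructed PII, clear it, verify, and report."""
    secret = b"John Smith, SSN 123-45-6789\n" * 5000   # constructed sample, 140000 bytes
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        before = verify_cleared(path)             # False: real data present
        written = clear_file(path, passes=1)
        after = verify_cleared(path)              # True: only zeros remain
        with open(path, "rb") as f:
            residue = b"123-45-6789" in f.read()
        return {"bytes": written, "verified_before": before,
                "verified_after": after, "secret_survived": residue,
                "size_unchanged": os.path.getsize(path) == len(secret)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The caveat is the one the standard makes: a file-level overwrite only reaches the blocks currently mapped to that file. Journaling filesystems, snapshots, backups and the wear-levelling inside SSDs and USB sticks keep other copies, which is why SP 800-88 puts whole-device purge (ATA Secure Erase, NVMe format/sanitize, cryptographic erase with the key destroyed) or physical destruction ahead of overwriting for anything that leaves the organization's control. The verify-after-sanitize pattern above is what should be kept for every one of those methods.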

Page 9: 5. Maximize security controls

Diagram: the same map of where PII lives (core LAN, DMZ, Internet edge and beyond: file shares and databases, security admins, local users, removable media, remote users, email gateway, email encryption, web, partners and customers), overlaid with the controls that protect each zone:

Intrusion prevention

Firewalls

VPN

Strong passwords

Patching

Anti-malware

Email security

Web security

Access control

Physical security

Secure authentication

Monitoring & reporting

Page 10: 6. Encrypt PII

Areas of concern: loss of devices, unprotected communication

Approaches: encrypt data at rest and data in motion

Technology:

Full disk encryption

USB, CD / removable media encryption

Policy-based email encryption

Central key management and backup

Auditable encryption

Page 11: 7. Train, Train, Train!

Distribute policy

Provide initial training

Annual refresh

Employee sign-off

Audience: employees, business associates, administrators, helpdesk

Channels: emails, phone, web, town halls, surveys, weekly reports

Page 12: 8. Document, monitor and review

Was the lost laptop encrypted?

Are endpoints compliant with policy?
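Both questions on this slide are answered from the same place: the endpoint inventory the central management console keeps. The following is an added example, not from the deck, of turning that inventory into evidence. It answers "was the lost laptop encrypted?" only when there is a report dated before the loss and recent enough to trust, and otherwise says "unknown" rather than guessing; it also lists every endpoint that fails policy. The inventory, its field names and the 30-day freshness window are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed endpoint inventory (not from the deck): what a management
# console might report per laptop. Field names are assumptions for the example.
INVENTORY = {
    "LT-0142": {"user": "jsmith", "fde": True,  "av_current": True,  "last_report": date(2009, 6, 1)},
    "LT-0177": {"user": "adoe",   "fde": False, "av_current": True,  "last_report": date(2009, 6, 2)},
    "LT-0203": {"user": "mlee",   "fde": True,  "av_current": False, "last_report": date(2009, 4, 10)},
    "LT-0219": {"user": "rkim",   "fde": True,  "av_current": True,  "last_report": date(2009, 6, 2)},
}

MAX_REPORT_AGE = timedelta(days=30)   # assumed policy: older reports are not evidence


def lost_laptop_status(inventory, asset: str, lost_on: date) -> str:
    """Answer 'was the lost laptop encrypted?' from the console's evidence.
    Returns 'encrypted', 'not encrypted', 'unknown' (no usable report before
    the loss) or 'not in inventory'."""
    rec = inventory.get(asset)
    if rec is None:
        return "not in inventory"
    age = lost_on - rec["last_report"]
    # A report made after the loss, or too long before it, proves nothing.
    if age < timedelta(0) or age > MAX_REPORT_AGE:
        return "unknown"
    return "encrypted" if rec["fde"] else "not encrypted"


def noncompliant(inventory, as_of: date) -> dict:
    """Endpoints failing policy: no full-disk encryption, stale anti-malware,
    or silent for longer than MAX_REPORT_AGE (state unknown, so treated as failing)."""
    out = {}
    for asset, rec in sorted(inventory.items()):
        reasons = []
        if not rec["fde"]:
            reasons.append("no full-disk encryption")
        if not rec["av_current"]:
            reasons.append("anti-malware out of date")
        if as_of - rec["last_report"] > MAX_REPORT_AGE:
            reasons.append("no report in %d days" % MAX_REPORT_AGE.days)
        if reasons:
            out[asset] = reasons
    return out


if __name__ == "__main__":
    today = date(2009, 6, 5)
    for asset in ("LT-0142", "LT-0177", "LT-0203", "LT-9999"):
        print(asset, "->", lost_laptop_status(INVENTORY, asset, today))
    for asset, reasons in noncompliant(INVENTORY, today).items():
        print(asset, ":", "; ".join(reasons))
```

The "unknown" outcome is the one to design for: a laptop that stopped reporting weeks before it went missing cannot be claimed as encrypted when the breach is assessed, so stale endpoints belong on the non-compliance report before anything is lost, not after.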

Page 13: Comprehensive Security for PII

Diagram: the PII map (core LAN, DMZ, Internet edge and beyond; file shares, security admins, local users, removable media, remote users, email gateway, partners and customers, Internet) with the product coverage shown for each zone:

Central Mgmt. Server, Mgmt. Center, H/W Security Module

Endpoint Security & Control, Encryption, DLP (for local and remote users)

Encryption & Device Control (removable media)

Encrypted File Shares

Email Encryption

Email Encryption & DLP, Web Security (email gateway: email, web)

Page 14: Thank You

Nagraj Seshadri

Security Technologist

www.sophos.com