A Holistic Approach to Protecting and Securing Enterprise Information
Meenu Gupta, CISA, CISM, CISSP, CIPP, PMP; ISACA COBIT 5 Security Taskforce; President, Mittal Technologies, Washington, DC
Agenda
• Managing Business Information
• Challenges, Risks, Realities
• Solutions, Mitigations, Visions
• Information Governance vs Management
• Best Practices
History of Information
“As a general rule, the most successful man in life is the man who has the best information.” – Benjamin Disraeli
“We are more thoroughly an enlightened people, with respect to our political interests, than perhaps any other under heaven. Every man among us reads, and is so easy in his circumstances as to have leisure for conversations of improvement and for acquiring information.” – Benjamin Franklin
“…knowledge has become the central, key resource that knows no geography.” – Peter Drucker
“Information technology and business are becoming inextricably interwoven. I don't think anybody can talk meaningfully about one without the talking about the other.” – Bill Gates
So, What’s the Problem?
EPA security breach exposes personal information of 8,000 people
The recent data breach at Massachusetts Eye and Ear Infirmary (MEEI)…
In the wake of a massive security breach on the business networking site LinkedIn, which resulted in the leaking of roughly 6.5 million user passwords…
The U.S. Federal Trade Commission has filed a lawsuit against hotel chain Wyndham Worldwide…
Managing Business Information
www.IronMountain.com
And to make matters worse…
Challenges, Risks, Realities
• Inappropriate disclosure
• Lost
• Stolen
• Held for ransom
• Destructive
• Fraud
Challenges, Risks, Realities
1. Lack of accountability
2. Carelessness
3. Lack of awareness
4. Malware infection
5. Hacking
6. Fraud
7. Improper disposal of equipment
Challenges, Risks, Realities
Top Management Challenges Facing the Department of Transportation – OIG Report, March 2012
“To prevent unauthorized access to PII, OMB requires agencies to reduce the volume of and restrict access to information collected and maintained, as well as implement other security controls, such as encryption.
…
However, until these measures are implemented, the Department’s systems remain vulnerable to exploitation. For example, our ongoing audit of the United States Merchant Marine Academy’s (USMMA) network identified and exploited a critical vulnerability providing full access to the network, including databases containing sensitive midshipmen information.”
Challenges, Risks, Realities
Recommendations on technical implementation guidelines of Article 4 – ENISA
Solutions, Mitigations, Visions
What do best legally compliant organizations look like?
Malcolm Baldrige National Quality Award – Nestle Purina (2010)
www.NIST.gov
4.2 Management of Information, Knowledge, and Information Technology
a. Data, Information, and Knowledge Management
(1) NPPC uses a multi-faceted approach to ensuring the integrity, accuracy, timeliness, and security of our performance data.
Malcolm Baldrige National Quality Award – Bronson Methodist Hospital (2005)
www.NIST.gov
In 2005, BMH dedicated over $28 million to capital investment, more than 7 percent of total budgeted expenses, in information technology, equipment, and facilities.
In addition, the system allows physicians to provide patient care from off-site locations by accessing patient information through a secure Internet connection.
Best Legally Compliant Programs
• View Information as a key organization asset
• Understand the “Information Life Cycle”
• Not just “manage” information, but “govern” it
• Find an approach that supports compliance with relevant laws, regulations, contractual agreements and policies
Best Legally Compliant Programs
Will have:
• A unified approach to addressing data breaches
• Best practices, policies and procedures in place
• Effective technical measures in place
• A thorough understanding of various regulations
• A good grasp on data breach trends and statistics
• A good notification plan in place
So how can we become a compliant organization?
Information a Key Asset
• Information Inventory
• Information Classification
• Information Valuation
• Information Stewards/Stakeholders
• Information Goals
Information Life Cycle Approach
• Plan/Design/Build/Acquire
• Use/Operate
• Monitor
• Disposal
Information Management Activities
• Information Management Plan
• Information Architecture
• Information Security
• Information Risk Profiles
• Information Risk Management
• Information Management Policies and Practices
• Information Audits
Information Governance vs Management
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Best Practices
Is there such a thing?
Best Practices
– COBIT, COBIT 5
– The Business Model for Information Security (BMIS), ISACA, USA, 2010
– The 2011 Standard of Good Practice for Information Security, Information Security Forum (ISF), UK, 2011
– Common Security Framework (CSF), Health Information Trust Alliance (HITRUST), USA, 2009
– Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI), Ministry of Defense, France, 2000
– Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health (HITECH), USA, 1996 and 2009, respectively
– ISO/IEC 27000 series, Switzerland, 2009–2012
– National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Guide for Assessing the Information Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, Department of Commerce, USA, 2010
– Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Carnegie Mellon Software Engineering Institute (SEI), USA, 2001
– Payment Card Industry Data Security Standard (PCI DSS) v2.0, PCI Security Standards Council, USA, 2010
COBIT 5 Information Security Enablers
• Principles, policies and frameworks enabler
• Processes enabler
• Organisational structures enabler
• Culture, ethics and behaviour enabler
• Information enabler
• Services, infrastructure and applications enabler
• People, skills and competencies enabler
COBIT 5 Enabler Model – Generic
COBIT 5 for Information Security – Information
Detailed Guidance – Information Types
Detailed Guidance – Information Roles
Detailed Guidance – Culture & Behavior
www.ISACA.org, COBIT 5 for Information Security
Questions?