SlideShare a Scribd company logo

1.1 Data Security Presentation.pdf

C
ChunLei(peter) Che

This document provides an overview of key concepts in data security, including data types and classification, data lifecycle management, and relevant laws and industry regulations. It discusses common data types like PII, PHI, financial information and intellectual property. It also explains the process of data classification and the data lifecycle. Finally, it outlines several important regulations and standards that govern data security, such as GDPR, HIPAA, PCI DSS, ISO 27001, and SOX.

Data & Analytics
1 of 114
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Most read
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
Most read
94
95
Most read
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
DATA SECURITY PEOPLE, PROCESS, TECHNOLOGY
WHAT YOU WILL LEARN IN THIS COURSE Section 1 Data Types, Classification, Lifecycle Section 2 Law and Industry Regulations Section 3 Data Governance and Management Section 4 Data Monitoring and Incident Response Section 5 Data Security Technical Controls
SECTION 1  Data Types, Classification, Lifecycle
DIGITAL INFORMATION  Data that is created by, or prepared for, electronic systems and devices and can be stored on those devices or in the Cloud.  All companies rely on some sort of digital data to be able to operate, e.g. customer data, financial data, business plans…  Data Confidentiality, Integrity and Availability is important for the survival of any organization
DATA TYPES Digital data and Information could have different criticality for different entities. Some examples are:  Patient information is important for a healthcare company  Credit card information is important for a financial institute  Personal information is important for a retail company  Intellectual property is important for innovators  Strategic country planning is important for governments
SENSITIVE DATA TYPES  PII or Personally Identifiable Information  ePHI/PHI or (electronically) Protected Health Information  SPI or Sensitive Personal Information  NPI or Non-Public Information  IP or Intellectual Property  Financial Information  Regulatory Data  Government Information
IDENTIFIABLE INFORMATION Full name Home address Email address Social security number Passport number Medicare number Medical records Device identifiers and serial numbers Health insurance beneficiary numbers Biometric identifiers PII PHI
SENSITIVE PERSONAL INFORMATION EXAMPLES Religious or political convictions Special group membership Sex life or sexual orientation Criminal convictions or offences Philosophical believes Racial or ethnic origin
NON-PUBLIC INFORMATION  Company internal information  Strategic plans  Employee’s data (e.g., job description, resume, ID)  Supplier data  Contracts information FINANCIAL INFORMATION  Organisational Financial Data  Tax, commercial and corporate records  Employee’s salary information
INTELLECTUAL PROPERTY Patent: Recognizable license or right by a government authority on an intellectual property for a specific period.* Trademark: Refers to the specific attributes which are unique to each organization, like logos, words, slogans, or images.* Trade Secret: Company confidential and valuable information that are used for operation and growth, and are not publicly available Licensing: Legal and contractual agreement between vendor or provider and the customer Copyright: Form of intellectual property that protects the original expression of ideas * WIPO (World Intellectual Property Organization) protects patents and trademarks
STRUCTURED AND UNSTRUCTURED DATA  Structured data refers to the data that is organized and formatted in a way that is easily searchable.  Example of structured data is the data in databases like SQL or Oracle  Unstructured data refers to the data that is not organized and is not in a pre-defined format. This type of data is harder to monitor, process and analyse for security purposes..  Example of unstructured data is Microsoft Office or PDF documents.
DATA CLASSIFICATION  Data classification is the process of analysing data and categorizing them based on the business requirements in order to be able to apply relevant security controls to each category.  In data classification each category has a different sensitivity and requires protection.  A simple and well-known way of classification is categorizing data into Public, Private, Confidential and Highly Confidential categories •Public information Public •Internal non-public information Private •Sensitive and Confidential data Confidential •Highly sensitive data Highly Confidential
DATA CLASSIFICATION EXAMPLE Classification Example Business Impact Restrictions Public Public website data No impact Publicly accessible Private Employee data Low impact Only available to internal users Sensitive Customer information High impact, financial loss Only available to authorized people Highly Sensitive Regulatory data (e.g., PCI) Very high impact, loss of business operation Strictly available to authorized people with additional controls
DATA LIFECYCLE MANAGEMENT Managing data throughout its lifecycle: from creation and initial storage to when it becomes obsolete and is deleted.
DATA LIFECYCLE PROCESS  Data Creation is done by collecting or generating data from different sources. E.g., collecting customer information.  Once the data is created, needs to be stored. It could be done on a file storage, database, or other storage media.  The purpose of data creation is to use or share data for business purposes.  Depending on the business and regulatory requirements, data must be archived securely for specific period.  Once there is no need for the data anymore, it must be removed.
SECTION 2  Law and Industry Regulations
LAWS AND REGULATIONS  Global law: Any law that applies to every individual and organization globally (e.g., WIPO)  Local law: The law that applies to local state, country or region (e.g., GDPR, CCPA)  Industry regulations: The regulation that applies to specific industry (e.g., PCI-DSS, HITRUST)  Public companies: The regulation that applies to public organizations to protect shareholders (e.g., SOX)
PCI DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD) PCI DSS is the standard developed by PCI Security Standards Council (PCI SSC) which is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
PCI DSS REQUIREMENTS 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel
HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT) The Health Insurance Portability and Accountability. It was created primarily to modernize the flow of healthcare information and protect Personally Identifiable Information maintained by the healthcare and healthcare insurance industries.
HIPAA SECURITY REQUIREMENTS 1. Follow general security principles (Protect ePHI, Identify and protect threats, compliance) 2. Identify, Analyze and manage the security risks 3. Implement Administrative Safeguards (Security management process and personnel, Asset management, training) 4. Implement Physical Safeguards (Facility access security, Device security) 5. Implement Technical Safeguards (Access Controls, Audit Controls, Integrity Controls, Transmission Security) 6. Implement Organizational Controls (Roles and responsibilities, Contractual requirements, Policies and Standards)
GDPR (GENERAL DATA PROTECTION REGULATION) The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
GDPR REQUIREMENTS 1. Lawful, fair and transparent processing 2. Limitation of purpose, data and storage 3. Data subject rights (information, access, processing, erased, etc.) 4. Consent 5. Personal data breaches 6. Privacy by design 7. Data protection impact assessment 8. Data transfers 9. Data protection officer 10. Awareness and training
SOX (SARBANES– OXLEY ACT) Sarbanes-Oxley Act imposes various governance, accounting and reporting standards on US public companies (including their subsidiaries) and accounting firms. It also applies to non-US companies issuing and registering securities in the US.
SOX REQUIREMENTS (KEY CONTROLS)  Access Controls (Least privileges, Job rotation, Segregation of duty)  IT Security (Security program, policies, controls, operation)  Data Backup (Redundancy, backups, disaster recovery, testing)  Change Management (roles and responsivities, process documentation, approvals)
ISO 27001 ISO/IEC 27001 formally specifies an Information Security Management Syste m, a governance arrangement comprising a structured suite of activities with which to manage information risks (called ‘information security risks’ in the standard).
ISO 27001 CONTROLS 1. Annex A.5 – Information security policies (2 controls) 2. Annex A.6 – Organisation of information security (7 controls) 3. Annex A.7 – Human resource security (6 controls) 4. Annex A.8 – Asset management (10 controls) 5. Annex A.9 – Access control (14 controls) 6. Annex A.10 – Cryptography (2 controls) 7. Annex A.11 – Physical and environmental security (15 controls) 8. Annex A.12 – Operations security (14 controls) 9. Annex A.13 – Communications security (7 controls) 10. Annex A.14 – System acquisition, development, and maintenance (13 controls) 11. Annex A.15 – Supplier relationships (5 controls) 12. Annex A.16 – Information security incident management (7 controls) 13. Annex A.17 – Information security aspects of business continuity management (4 controls) 14. Annex A.18 – Compliance (8 controls)
LOCAL LEGISLATIONS  It is important to understand the local law applies to any type of data in each country, as there could be differences and specific requirements in that country. Some examples are:  Health Data Hosting (HDS) France  UK National Health Service (NHS)  Japan Privacy law  Australia Privacy Act  China Cyber Security Law  Etc.
SECTION 3  Data Governance and Management
WHAT IS SECURITY GOVERNANCE Security governance is the means by which you control and direct your organisation's approach to security. When done well, security governance will effectively coordinate the security activities of your organisation. It enables the flow of security information and decisions around your organisation.
SECURITY GOVERNANCE COMPONENTS  Security Policy Framework (including Roles and Responsibilities)  Security Risk Management  Security Awareness Training  Security Metrics and Improvements
SECURITY POLICY FRAMEWORK Policy: Outlines senior management’s expectation of security Standard: Formalizes mandatory security requirements to protect assets Procedure: Explains how to perform security functions within organization Guideline: Outlines recommendations, statements and instructions Baseline: Minimum security for technology specification, configurations, architecture
SECURITY DOCUMENTS Document Type Description Mandatory/Discretionary Security Policy Business expectation and requirements for security Mandatory Security Standard Detailed technology and process requirements to protect assets Mandatory Security Procedure Step by step work instruction to ensure policies and standards are followed properly Mandatory Security Guideline Best practices and recommendations about security aligned with policy Discretionary Security Baseline Minimum level of accepted security controls Minimum Mandatory, Additional Discretionary
SAMPLE SECTIONS OF INFORMATION SECURITY POLICY Purpose and the Scope of the policy Relevant Audience Roles and Responsibilities Information Security Principles and Objectives Access Controls Requirements Data Classification Security Awareness and Training Requirements
ROLES AND RESPONSIBILITIES  Senior Management  CISO/Security Professionals  Data Owners  Data Custodians  Data Users  Data Auditors
SECURITY RISK MANAGEMENT Security Risk Management is the ongoing process of identifying security risks, by evaluating threats and vulnerabilities, and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets.
EXAMPLES OF SECURITY RISKS Inappropriate access controls allows unauthorized users to access sensitive data A server with no malware protection gets infected with a virus Cyber criminals deface a vulnerable web application
THREATS AND VULNERABILITIES  Threats are potential occurrence of a harmful event.  Flood, state-sponsor attacks, cyber crimes, fire, terrorism, etc.  Vulnerabilities are the weaknesses on the environment or systems which can allow threats to do a harm.  Lack of air-conditioning in a data center  No backup power supply  No security patch installed on a server  Vulnerable software code  Etc.
EXAMPLES OF THREAT ACTORS A threat actor is anyone or anything who is either is a key driver of, or participates in, a malicious action that targets an organization.  Hacker: Malicious individual who attacks computer systems  Outsider: Attacker with no authorized access to systems  Insider: Internal user with authorized access to systems  Bot developer: A system running malware that is controlled via a central command and control called Botnet  Phisher: Malicious actor who attempts to trick users into doing something  Spear Phisher: Phisher who pretend being authorized member of company
HOW RISK IS CALCULATED  Risk is only valid when:  There is a threat for a particular asset  AND  There is a vulnerability on that particular asset  Risk = Threat x Vulnerability x Asset (value)
ASSET CLASSIFICATION AND VALUATION Asset can be tangible or intangible Hardware, IT Device Data, Application, or even Human Consider below to classify assets The monetary value for the asset itself The costs of replacing the asset if it is lost The level of impact on business if the asset is unavailable Operation, customers, stakeholders, etc.
RISK MANAGEMENT FRAMEWORK  COSO, is a corporate governance model, that a company would follow to be found compliant with the Sarbanes- Oxley Act.  ISO/IEC 27005 is a set of standards that have been documented related to information security risk management. These standard would cover risk identification, evaluation, analysis and treatment.  NIST SP 800-30 is a complete guide and information about IT risk assessment and management and steps need to reduce risks to an acceptable level.
RISK MANAGEMENT PROCESS Risk Identification Risk Assessment Risk Response and Mitigation Risk Monitoring and Reporting
RISK IDENTIFICATION  Threats or vulnerabilities alone are not considered a risk, but together they introduce risks.  Risk = Threat x Vulnerability x Asset (value)  Example:  Threat: Cyber criminals try to obtain sensitive information  Vulnerability: SQL injection possibility on an ecommerce web application  Asset: The ecommerce web application  Risk scenario: The hacker uses SQL injection vulnerability to exploit the ecommerce application and obtain sensitive customer data
RISK ASSESSMENT  Qualitative Assessment  Identifying likelihood of occurrence and impact for each risk, and calculating the criticality based on those  Quantitative Assessment  Measuring risk by monetary loss value of that
QUALITATIVE RISK ASSESSMENT Impact: What is the business impact if the risk happens Likelihood: What is the probability of risk happening Risk Scores (E.g., Low, Medium, High)
RISK MATRIX (HEAT CHART)  Red: High Risks  Yellow: Medium Risks  Green: Low Risks
QUANTITATIVE RISK ASSESSMENT  Asset Value (AV): The value of the asset  Exposure Factor (EF): Percentage of value of an asset loses  Single Loss Expectancy (SLE) = AV x EF (Cost of one Loss)  Annual Rate of Occurrence (ARO): Number of losses suffered per year  Annualized Loss Expectancy (ALE) = SLE x ARO (Cost of losses per year)
EXAMPLE – QUANTITATIVE RISK ASSESSMENT  Scenario: Losing a laptop, with 100 unencrypted personal records (PII)  Asset Value (AV): $5000 (Laptop) + $40,000 (PII data) = $45,000  Note: Each personal record costs around $400  Exposure Factor (EF): 1 (100% since the laptop is lost)  Single Loss Expectancy (SLE) = 1 x $45,000 = $45,000  Annual Rate of Occurrence (ARO): 20 (Assuming 20 laptops is lost per year)  Annualized Loss Expectancy (ALE) = 20 x $45,000 = $900,000
RISK RESPONSE  Risk Acceptance  Risk appetite: Company’s high-level stand on what is acceptable  Risk tolerance: Acceptable level on each relevant risk  Risk Mitigation: Lowering the risk to an acceptable level by implementing controls  Example: Laptop encryption, to avoid losing data when losing laptops  Risk transference: E.g., Insurance or third party  Risk avoidance: E.g., Not doing the project, or not going through acquisition
RISK COUNTERMEASURE A countermeasure is a control that is put in place to protect an asset, and reduce risks associated with that asset The value of countermeasure implementation should be less than the asset value
COUNTERMEASURE (CONTROL) TYPES  There are 3 main types of countermeasures:  Physical: Locks, gates, alarms, cameras, fire extinguishers, etc.  Technical: Malware protection, Firewalls, Encryption, etc.  Administrative: People and procedures. Who is authorized, who is approving, who is monitoring, auditing, etc.
COUNTERMEASURE (CONTROL) FUNCTIONS  Preventative controls: Antivirus, IPS, Encryption, Firewall, Fences, Locks, etc.  Detective controls: Alarms, Surveillance, SIEM, IDS, etc.  Corrective controls: AV signatures, patching, backup restores, etc.  Recovery controls: Disaster recovery, Business continuity plans  Deterrent controls: Security guards, dogs, barb wire, etc.  Compensating controls: Separation of duty, Job rotation, Insurance, etc
RETURN OF INVESTMENT  Return of Investment = Annualized Loss Expectancy - Risk Mitigation control TCO (Total Cost of Ownership)  Using previous example, laptop encryption costs $50/laptop + $10 annual maintenance, and there are 1000 laptops, the TCO for the first year would be $60,000, while the second year would be only $10,000.  In above example ROI would be as below:  First year: $900,000 - $60,000 = $840,000  following years: $900,000 - $10,000 = $890,000
RISK MONITORING AND REPORTING  Key Risk Indicator (KRI)  A metric or set of metrics that are used to provide an early signal of increasing risk exposures in various areas of the enterprise.  KRIs are used to provide an early warning, instead of measuring something that has already  Key Performance Indicator (KPI)  Measure the effectiveness of the security controls associated with the risks  happened.
THIRD PARTY AND OUTSOURCING RISKS  Risks associated with legal and regulatory compliance  Operational issues and Service Level Agreement (SLA)  Incident Response  Non Disclosure and Master Service Agreements (NDA & MSA)  Legal Contracts and obligations  Cyber Insurance
THIRD PARTY RISK ASSESSMENT AND MANAGEMENT Vendor’s security credentials and certifications Security questionnaire (e.g. SIG or Standardized Information Gathering questions) Annual review and recording Pro-active monitoring Mergers and Acquisitions security requirements
SECURITY AWARENESS TRAINING Policies and Standards Learning Management System Security Championship Newsletters, Posters, Banners Phishing tests
SECURITY METRICS AND IMPROVEMENTS  Are the current risks being monitored and managed properly?  Are the new threats and vulnerabilities being identified regularly?  Is the asset inventory and classification up-to-date and are the new assets being discovered?  Are users and management aware of their security responsibilities?  Are the security controls, tools and processes optimized and working?
SECTION 4 DATA MONITORING AND INCIDENT RESPONSE
ASSET MANAGEMENT Asset management in Cyber Security is the process of identifying, on a continuous, real-time basis, the IT assets that your organization owns and the potential security risks or gaps that affect each one. In this context, assets take many forms.
ASSET TYPES Tangible Assets Laptop mobile phone Network device Etc. Intangible Assets Data Application Human Etc.
ASSET DISCOVERY Asset Discovery is an IT term that is used to describe the process of cataloguing your IT assets and monitoring them on a regular basis
ASSET CLASSIFICATION Asset classification is the process of assigning assets into groups, based on several common characteristics and importance to business.
ASSET OWNERSHIP Identifying asset owner is important to determine required security controls, as well as being able to respond to possible security incidents on time.
ASSET MANAGEMENT TOOL DEMONSTRATION
DATA ACCESS MANAGEMENT AND MONITORING Structured Data •User Access Controls: Give access to users who need to have access •Database Security Monitoring: Monitor security of database and access violations •Logging and Auditing: Monitor activities on the database •Data Encryption: Encrypt your data and secure the keys
DATA ACCESS MANAGEMENT AND MONITORING Unstructured Data •User Permissions: Allow access to who need to have access •Data Encryption: Encrypt the files and secure the key •Metadata and Labelling: Classify data by assigning a metadata to them •Data Loss Prevention Solutions (DLP): Identify and protect sensitive data automatically •File Integrity Monitoring: Identify and detect changes to the files
DATABASE ACCESS MONITORING TOOLS
ACCESS MONITORING TOOLS Database Access Monitoring Solution  Monitor access requests to the databases and identify anomalies File Access Monitoring Solutions  Identify and monitor sensitive files for unauthorized access, and report
FILE ACCESS MONITORING TOOL DEMONSTRATION
DATA BREACH AND INCIDENT RESPONSE Companies are required to have a process in place to be able to respond to security incidents when they happen Companies are required to understand their liabilities and notify relevant authorities when sensitive data is lost.
INCIDENT VS EVENT Event  System occurrence that occurs regularly  System failure due to hardware or software malfunction Incident  Harm or intent of harm  Violates a security control  Indicates privileges greater than authorised  Exposure of an asset or privileged function to unauthorised parties Example  Backup process is failed vs Backup tape is lost
INCIDENT TEAM Incident handler: The person who managed the incident steps and progress Incident scribe: The person who documents the incident response progress Security analysts: The security specialists who perform the impact and root cause analysis, and work on the remediation steps Communication lead: The person responsible to handle internal and external communication Data owner: The person whose data is affected by the incident
INCIDENT RESPONSE PROCESS  Preparation – Ensure skills and resources are available to effectively respond to any incident.  Identification – Detect incidents in several ways, (e.g. phone call, monitoring).  Containment – Isolate the incident and prevent further damage.  Remediation – Determine cause and symptoms of incident, act to remediate.  Recovery – Restore to normal state and operational use.  Lessons Learned – Document / Debrief incident details to improve the process. Communication
PREPARATION Put in place all required documentation, education and support so the organisation is prepared for a security incident Executive Support  Sponsorship and Sign-off Understand the Assets  What information is important to business units?  What systems are important to business units?  What would cause significant reputational damage? Control framework  Access controls – administrative, physical and technical  Administrative – policies, background checks, monitoring, user management  Physical – visitor escorts, door locks, auditing access, accident management  Technical – system and application accounts, network boundaries, anti- malware, encryption
PREPARATION Infrastructure (know the playing field)  Network devices, operating systems, applications, databases  Default accounts, unneeded software/services, patching, backup, logging, time sync  Security services (SIEM, IPS, VulnM, patching, secure transfer, remote access, etc.) Incident Response Plan  Incident identification  Step-by-step approach, including communication  Roles, responsibilities and contacts  Personnel and Resources  SOC, CERT, IT Teams, Vendors, Authorities  Table top exercises
IDENTIFICATION Verify, validate and declare that an incident that requires attention of the incident handling team is occurring and dispatch resources Identifying an Attack  What is abnormal behaviour?  Network peace Detection tools  Anti-malware, IDS/IPS, Firewall logs , Security logs, File integrity monitoring Suspicious Events  Accounts – failed login attempts, use of default accounts, unauthorised account creation Files – changes to config files, permissions, web directory content, mass encryption, cracking software  Technical observations – gaps in log files, network changes, slow performance, system crashes  Social engineering – repeated password reset phone calls, phishing emails
IDENTIFICATION First Questions  Means, opportunity, motive (internal or external)  Who reported it?  What was observed? First Steps  Start gathering information – ask for logs (they rotate quickly)  Get backups if possible Determine Scope and Severity  Number of hosts compromised  Network zones involved  The data type and data owner  Access obtained by the intruder  Potential risks to assets involved  Internal and external knowledge of the incident Assign an incident handler Inform Executives and Authorities
CONTAINMENT Put in place immediate controls to ensure the impact and possibility of propagation is minimised Minimise the Impact of the Incident  The longer it persists the greater the damage  Limit outages and data loss  Limit brand damage Strategies for containment  Shut down compromised systems (forensic impact?)  Disconnect systems from the network  Disable services  Restrict network traffic  Disable accounts  Increase logging Consider the continuity of business outside the affected area
CONTAINMENT Other steps  Increase logging  Set traps or honeypots  Attack the attacker – controversial, never recommended Forensic incident response  Gather volatile evidence  Confiscate equipment, software and data  Voluntary surrender, subpoena or search warrant  Evidence acquisition and evidence analysis
REMEDIATION When damage is no longer being incurred, reverse the effects of an incident and remove the attack vectors from affected systems Clean-up  The source of the incident  The effects of the incident Technical Remediation - Unix  Suspicious processes  Key scripts have not changed (.login, .logout, .profile, etc.)  Unsure key files have not changed (netstat, ls, sum, find, etc.)  Unauthorised entries in .forward files  Check out password files (/etc/passwd, /etc/group, /etc/shadow)  No unauthorised entries in .rhosts  No unauthorised services
REMEDIATION Technical Eradication – Windows  Local accounts and groups (admins, remote desktop)  Dial-in settings  Logon scripts  Autorun registry keys  Running processes
RECOVERY Restore systems to full operation while preserving security and maintaining the integrity of evidence Full System Restore  Known good media  Clean backups  Don’t re-introduce the malware or backdoor Patching  Ensure latest security patches are applied  Test for the same vulnerability  Patch from a trusted source  Validate patches Recovery Procedures  Written well before an event – DR  Detailed so the uninitiated can understand  Record all actions conducted by technical personnel
RECOVERY Logging  Reinstate logging and monitoring services  Add incident specific rules to alert on reoccurrence Communication  Determine when systems will be back online – work with owners!  Keep users aware of progress  Validate with business owners that systems are fully operational  Communicate any actions to avoid because of the incident  Let executive management know when services and applications have been restored  Delegate a staff member responsible for communications (bridge, war room)  Out-of-band communication plan
LESSONS LEARNED Author a professional incident report and communicate recommendations with stakeholders The Most Important Step  Opportunity to identify and resolve root causes and weaknesses  Take a step back and look at the bigger picture Incident Report Contents  Executive summary  Timeline – all steps undertaken  Pictorial representation of the incident  Analysis or behaviours and observations  Recommendations – tactical and strategic Approach  Clear and concise  Prejudice or bias should not be represented  Determine the technical level of the audience  Include evidence to support opinions
LESSONS LEARNED Review  Peers  Manager  Those involved in the incident Audience  Incident response team  System owners  Business owners  Information owners  Upper management  The board of executives  Court room in the case of a forensic report
TABLETOP EXERCISE A cyber crisis tabletop exercise, also known as cyber incident response test, helps organizations to identify different risk scenarios and prepare them for cyber threats. It's an activity to evaluate whether your organization's incident response plan works effectively in the case of a cyber attack.
BREACH NOTIFICATION – GDPR EXAMPLE
BREACH NOTIFICATION – GDPR REPORTING
SECTION 5 DATA SECURITY TECHNICAL CONTROLS
ACCESS CONTROLS  Centralized  Permissions and Privileges are assigned to users centrally by administrators.  Decentralized  Permissions and privileges can be managed on each asset, and not managed centrally.  Advantages and Disadvantages  Decentralized Access Controls are easier to implement, but harder to manage and monitor for security violations.
ROLE BASED ACCESS CONTROL RBAC Centralized access-control mechanism defined around roles and privileges. Each user will have a role, and permissions are assigned to roles, not users.
POLICY BASED ACCESS CONTROL PBAC Policy-based access control, also known as Attribute-based access control (ABAC), defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes.
DEFENCE IN DEPTH
DATA SECURITY CONTROLS DATA ACCESS CONTROLS (PERMISSIONS) DATA ENCRYPTION (IN MOTION, AT REST) DATA LOSS PREVENTION (DLP) DATA CLASSIFICATION TOOLS DATA INTEGRITY MONITORING
DATA ACCESS CONTROLS Identity and Access Management Privileged Access Management • Database permissions • Least privilege • Multi-factor authentication Structured data • File and folder permissions • Least privilege Unstructured data
DATABASE PERMISSION MANAGEMENT FILE PERMISSION MANAGEMENT
DATA ENCRYPTION Encryption at rest Encrypt sensitive data when it is stored on the disk. This can be done by: -Database encryption -File Encryption -Storage Encryption Encryption in transit (motion) Encrypt sensitive data while it is being transferred from one system to another. This can be done by: -Digital Certificates -Encryption keys
SYMMETRIC VS ASYMMETRIC ENCRYPTION The basic difference between these two types of encryption is that symmetric encryption uses one key for both encryption and decryption, and the asymmetric encryption uses public key for encryption and a private key for decryption.
PUBLIC KEY INFRASTRUCTURE  A public key infrastructure is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.  A Certificate Authority (CA) that stores, issues and signs the digital certificates;  A Registration Authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA;  A Validation Authority (VA) is an entity that provides a service used to verify the validity of a digital certificate.
PKI – HOW IT WORKS
DATA LOSS PREVENTION  Data Loss Prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and comply with regulations.
DLP SOLUTIONS  Endpoint DLP  Normally an agent sitting on the endpoint operating system and looking for sensitive data  Network DLP  Looking for sensitive data by sniffing and listening to the network traffic  Cloud DLP  Integrates with cloud environment and monitor cloud traffic for sensitive data. Normally part of CASB, CSPM, CWPP, etc.  Email DLP  Monitor email activities for sensitive data. It is part of the email solution or email gateway.
DLP POLICY A data loss prevention policy defines how organizations can share and protect data. It controls how data can be used in decision making without it being exposed to anyone who should not have access to it. Example: No European personal data is allowed to be sored in no-EU countries.
1.1 Data Security Presentation.pdf
DATA CLASSIFICATION TOOLS  Tagging sensitive data with relevant classification labels (e.g., confidential, or internal)  Integrates with Microsoft and Adobe solutions to classify unstructured data  Microsoft Azure Information Protect (AIP) is well-known one
MICROSOFT AIP Classification and sensitivity labels Information Right management Data Encryption Native Microsoft cloud integration Internal on-premise scan agents Monitoring, tracking and reporting Scanning and Automatic labeling
FILE INTEGRITY MONITORING (FIM) While databases have better integrity controls, unstructured data is a lot harder to monitor FIM is a technology that monitors and detects file changes that could be indicative of a cyberattack.
FIM OPERATION STEPS  Policy configuration  Establishing a baseline for files  Monitoring changes (e.g., Ransomware)  Sending an alert  Reporting results
LOGGING AND MONITORING  Critical data access requests need to be logged  Data changes and movements need to be logged  All data security tools need to send security logs to SIEM  Any access violation must trigger an alert and initiate incident response process  Regular audit on data access and permissions need to be done, and risks must be remediated immediately  Logs need to be secured to prevent unauthorized access
DATA DISCOVERY AND PROTECTION
DATA DISCOVERY AND PROTECTION  Scan, classify, and index file contents and properties.  Collect file and folder structures and permissions from data stores.  Collect local users, groups, and relationships from data stores.  Collect domain users, groups, and relationships from directory services.  Aggregate, normalize, and enrich access events in real-time.  Self-heal globally exposed data.  Auto-repair broken access controls.  Auto-quarantine rogue sensitive files.
THANK YOU!

More Related Content

PPTX
Data Security Explained
Happiest Minds Technologies
 
PPTX
Data Security - English
Data Security
 
PDF
Privacy and Data Security
WilmerHale
 
PPTX
Data Leakage Prevention
Dhananjay Aloorkar
 
PDF
DATA LOSS PREVENTION OVERVIEW
Sylvain Martinez
 
PPTX
Data security
ForeSolutions
 
PPTX
dlp-sales-play-sales-customer-deck-2022.pptx
alex hincapie
 
PDF
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
Data Security Explained
Happiest Minds Technologies
 
Data Security - English
Data Security
 
Privacy and Data Security
WilmerHale
 
Data Leakage Prevention
Dhananjay Aloorkar
 
DATA LOSS PREVENTION OVERVIEW
Sylvain Martinez
 
Data security
ForeSolutions
 
dlp-sales-play-sales-customer-deck-2022.pptx
alex hincapie
 
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 

What's hot (20)

PPT
Data Classification Presentation
Derroylo
 
PPTX
Cybersecurity
Eng Hasan Shamroukh CISCO Exams Author
 
PDF
DLP Data leak prevention
Ariel Evans
 
PPTX
Data Loss Prevention
dj1arry
 
PDF
Data Leakage Prevention (DLP)
Network Intelligence India
 
PDF
Data Loss Threats and Mitigations
April Mardock CISSP
 
DOCX
The CIA Triad - Assurance on Information Security
Bharath Rao
 
PDF
Overview of Data Loss Prevention (DLP) Technology
Liwei Ren任力偉
 
PDF
Data Processing - data privacy and sensitive data
OpenAIRE
 
PPTX
Data security
AbdulBasit938
 
PDF
Data Management, Metadata Management, and Data Governance – Working Together
DATAVERSITY
 
PDF
Forcepoint Dynamic Data Protection
MarketingArrowECS_CZ
 
PDF
Introducing Data Loss Prevention 14
Symantec
 
PPT
Information Security Principles - Access Control
idingolay
 
PPTX
‏‏‏‏‏‏Chapter 10: Document and Content Management
Ahmed Alorage
 
PPTX
Osint {open source intelligence }
AkshayJha40
 
PDF
Privacy-ready Data Protection Program Implementation
Eryk Budi Pratama
 
PDF
Dlp notes
anuepcet
 
PDF
Introduction on Data Science
Edureka!
 
PDF
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
Data Classification Presentation
Derroylo
 
Cybersecurity
Eng Hasan Shamroukh CISCO Exams Author
 
DLP Data leak prevention
Ariel Evans
 
Data Loss Prevention
dj1arry
 
Data Leakage Prevention (DLP)
Network Intelligence India
 
Data Loss Threats and Mitigations
April Mardock CISSP
 
The CIA Triad - Assurance on Information Security
Bharath Rao
 
Overview of Data Loss Prevention (DLP) Technology
Liwei Ren任力偉
 
Data Processing - data privacy and sensitive data
OpenAIRE
 
Data security
AbdulBasit938
 
Data Management, Metadata Management, and Data Governance – Working Together
DATAVERSITY
 
Forcepoint Dynamic Data Protection
MarketingArrowECS_CZ
 
Introducing Data Loss Prevention 14
Symantec
 
Information Security Principles - Access Control
idingolay
 
‏‏‏‏‏‏Chapter 10: Document and Content Management
Ahmed Alorage
 
Osint {open source intelligence }
AkshayJha40
 
Privacy-ready Data Protection Program Implementation
Eryk Budi Pratama
 
Dlp notes
anuepcet
 
Introduction on Data Science
Edureka!
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
Ad

Similar to 1.1 Data Security Presentation.pdf (20)

PPTX
Evolving regulations are changing the way we think about tools and technology
Ulf Mattsson
 
PDF
DAMA Webinar: The Data Governance of Personal (PII) Data
DATAVERSITY
 
PPTX
A practical data privacy and security approach to ffiec, gdpr and ccpa
Ulf Mattsson
 
PDF
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
PPT
Information Security Framework
ssuser65fa31
 
PDF
Isaca new delhi india privacy and big data
Ulf Mattsson
 
PPTX
Isaca atlanta - practical data security and privacy
Ulf Mattsson
 
PDF
Complying with Cybersecurity Regulations for IBM i Servers and Data
Precisely
 
PDF
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
PPTX
L2 - Protecting Security of Assets_.pptx
RebeccaMunasheChimhe
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
drsajjad13
 
DOCX
crucet1crucet2crucet
MargenePurnell14
 
PPTX
Jul 16 isaca london data protection, security and privacy risks - on premis...
Ulf Mattsson
 
PPTX
Reducing cardholder data footprint with tokenization and other techniques
VISTA InfoSec
 
PPTX
Infosec policies to appsec standards ed final
eadams2330
 
PDF
Regulatory Compliance under the Information Technology Act, 2000
n|u - The Open Security Community
 
ODP
GDPR and ISO 27001 - how to be compliant
Ilesh Dattani
 
PDF
Standards & Framework.pdf
karthikvcyber
 
PPT
Data Security For Compliance 2
Flaskdata.io
 
PPTX
Data security
Tapan Khilar
 
Evolving regulations are changing the way we think about tools and technology
Ulf Mattsson
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DATAVERSITY
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
Ulf Mattsson
 
Isaca new delhi india - privacy and big data
Ulf Mattsson
 
Information Security Framework
ssuser65fa31
 
Isaca new delhi india privacy and big data
Ulf Mattsson
 
Isaca atlanta - practical data security and privacy
Ulf Mattsson
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Precisely
 
Cross border - off-shoring and outsourcing privacy sensitive data
Ulf Mattsson
 
L2 - Protecting Security of Assets_.pptx
RebeccaMunasheChimhe
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
drsajjad13
 
crucet1crucet2crucet
MargenePurnell14
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Ulf Mattsson
 
Reducing cardholder data footprint with tokenization and other techniques
VISTA InfoSec
 
Infosec policies to appsec standards ed final
eadams2330
 
Regulatory Compliance under the Information Technology Act, 2000
n|u - The Open Security Community
 
GDPR and ISO 27001 - how to be compliant
Ilesh Dattani
 
Standards & Framework.pdf
karthikvcyber
 
Data Security For Compliance 2
Flaskdata.io
 
Data security
Tapan Khilar
 
Ad

More from ChunLei(peter) Che (7)

PDF
数据领导者的 数据治理和隐私 保护.pdf
ChunLei(peter) Che
 
PDF
数据领导者的多云数据集成.pdf
ChunLei(peter) Che
 
PDF
数据领导者的 Customer 360.pdf
ChunLei(peter) Che
 
PDF
数据领导者的 MLOps 和值得信赖的 AI.pdf
ChunLei(peter) Che
 
PPTX
cio_presentation_stanfords_data_governance_program_final.pptx
ChunLei(peter) Che
 
PDF
Adopting FIBO – a Practical Approach_Conrad_Toby_Laurie_Stuart.pdf
ChunLei(peter) Che
 
PDF
Best Practices and Lessons Learned in Extending FIBO for Financial Control, P...
ChunLei(peter) Che
 
数据领导者的 数据治理和隐私 保护.pdf
ChunLei(peter) Che
 
数据领导者的多云数据集成.pdf
ChunLei(peter) Che
 
数据领导者的 Customer 360.pdf
ChunLei(peter) Che
 
数据领导者的 MLOps 和值得信赖的 AI.pdf
ChunLei(peter) Che
 
cio_presentation_stanfords_data_governance_program_final.pptx
ChunLei(peter) Che
 
Adopting FIBO – a Practical Approach_Conrad_Toby_Laurie_Stuart.pdf
ChunLei(peter) Che
 
Best Practices and Lessons Learned in Extending FIBO for Financial Control, P...
ChunLei(peter) Che
 

Recently uploaded (20)

PPT
Reliability_Chapter_ presentation 1221.5784
abobaker13
 
PPTX
Business Ppt On Nestle.pptx huunnnhhgfvu
ashaurya327
 
PPTX
IB Computer Science - Internal Assessment.pptx
agarwal18harsh08
 
PDF
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
PPTX
Business Acumen Training GuidePresentation.pptx
stephvshelton19
 
PDF
annual-report-2024-2025 original latest.
nityanema19
 
PPTX
Database Infoormation System (DBIS).pptx
TefferiMekonnen2
 
PDF
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
PPTX
oil_refinery_comprehensive_20250804084928 (1).pptx
TusharPrajapati65
 
PPT
Quality review (1)_presentation of this 21
abobaker13
 
PDF
22.Patil - Early prediction of Alzheimer’s disease using convolutional neural...
ngaviet5
 
PPTX
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Vittaya Boon Suwansiri
 
PDF
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
Nusrat Gulbarga
 
PDF
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
PPTX
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
PPTX
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
PPTX
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
PPTX
Supervised vs unsupervised machine learning algorithms
agarwal18harsh08
 
PPTX
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
PPTX
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
Reliability_Chapter_ presentation 1221.5784
abobaker13
 
Business Ppt On Nestle.pptx huunnnhhgfvu
ashaurya327
 
IB Computer Science - Internal Assessment.pptx
agarwal18harsh08
 
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
Business Acumen Training GuidePresentation.pptx
stephvshelton19
 
annual-report-2024-2025 original latest.
nityanema19
 
Database Infoormation System (DBIS).pptx
TefferiMekonnen2
 
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
oil_refinery_comprehensive_20250804084928 (1).pptx
TusharPrajapati65
 
Quality review (1)_presentation of this 21
abobaker13
 
22.Patil - Early prediction of Alzheimer’s disease using convolutional neural...
ngaviet5
 
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Vittaya Boon Suwansiri
 
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
Nusrat Gulbarga
 
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
Supervised vs unsupervised machine learning algorithms
agarwal18harsh08
 
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 

1.1 Data Security Presentation.pdf

  • 2. WHAT YOU WILL LEARN IN THIS COURSE Section 1 Data Types, Classification, Lifecycle Section 2 Law and Industry Regulations Section 3 Data Governance and Management Section 4 Data Monitoring and Incident Response Section 5 Data Security Technical Controls
  • 3. SECTION 1  Data Types, Classification, Lifecycle
  • 4. DIGITAL INFORMATION  Data that is created by, or prepared for, electronic systems and devices and can be stored on those devices or in the Cloud.  All companies rely on some sort of digital data to be able to operate, e.g. customer data, financial data, business plans…  Data Confidentiality, Integrity and Availability is important for the survival of any organization
  • 5. DATA TYPES Digital data and Information could have different criticality for different entities. Some examples are:  Patient information is important for a healthcare company  Credit card information is important for a financial institute  Personal information is important for a retail company  Intellectual property is important for innovators  Strategic country planning is important for governments
  • 6. SENSITIVE DATA TYPES  PII or Personally Identifiable Information  ePHI/PHI or (electronically) Protected Health Information  SPI or Sensitive Personal Information  NPI or Non-Public Information  IP or Intellectual Property  Financial Information  Regulatory Data  Government Information
  • 7. IDENTIFIABLE INFORMATION Full name Home address Email address Social security number Passport number Medicare number Medical records Device identifiers and serial numbers Health insurance beneficiary numbers Biometric identifiers PII PHI
  • 8. SENSITIVE PERSONAL INFORMATION EXAMPLES Religious or political convictions Special group membership Sex life or sexual orientation Criminal convictions or offences Philosophical believes Racial or ethnic origin
  • 9. NON-PUBLIC INFORMATION  Company internal information  Strategic plans  Employee’s data (e.g., job description, resume, ID)  Supplier data  Contracts information FINANCIAL INFORMATION  Organisational Financial Data  Tax, commercial and corporate records  Employee’s salary information
  • 10. INTELLECTUAL PROPERTY Patent: Recognizable license or right by a government authority on an intellectual property for a specific period.* Trademark: Refers to the specific attributes which are unique to each organization, like logos, words, slogans, or images.* Trade Secret: Company confidential and valuable information that are used for operation and growth, and are not publicly available Licensing: Legal and contractual agreement between vendor or provider and the customer Copyright: Form of intellectual property that protects the original expression of ideas * WIPO (World Intellectual Property Organization) protects patents and trademarks
  • 11. STRUCTURED AND UNSTRUCTURED DATA  Structured data refers to the data that is organized and formatted in a way that is easily searchable.  Example of structured data is the data in databases like SQL or Oracle  Unstructured data refers to the data that is not organized and is not in a pre-defined format. This type of data is harder to monitor, process and analyse for security purposes..  Example of unstructured data is Microsoft Office or PDF documents.
  • 12. DATA CLASSIFICATION  Data classification is the process of analysing data and categorizing them based on the business requirements in order to be able to apply relevant security controls to each category.  In data classification each category has a different sensitivity and requires protection.  A simple and well-known way of classification is categorizing data into Public, Private, Confidential and Highly Confidential categories •Public information Public •Internal non-public information Private •Sensitive and Confidential data Confidential •Highly sensitive data Highly Confidential
  • 13. DATA CLASSIFICATION EXAMPLE Classification Example Business Impact Restrictions Public Public website data No impact Publicly accessible Private Employee data Low impact Only available to internal users Sensitive Customer information High impact, financial loss Only available to authorized people Highly Sensitive Regulatory data (e.g., PCI) Very high impact, loss of business operation Strictly available to authorized people with additional controls
  • 14. DATA LIFECYCLE MANAGEMENT Managing data throughout its lifecycle: from creation and initial storage to when it becomes obsolete and is deleted.
  • 15. DATA LIFECYCLE PROCESS  Data Creation is done by collecting or generating data from different sources. E.g., collecting customer information.  Once the data is created, needs to be stored. It could be done on a file storage, database, or other storage media.  The purpose of data creation is to use or share data for business purposes.  Depending on the business and regulatory requirements, data must be archived securely for specific period.  Once there is no need for the data anymore, it must be removed.
  • 16. SECTION 2  Law and Industry Regulations
  • 17. LAWS AND REGULATIONS  Global law: Any law that applies to every individual and organization globally (e.g., WIPO)  Local law: The law that applies to local state, country or region (e.g., GDPR, CCPA)  Industry regulations: The regulation that applies to specific industry (e.g., PCI-DSS, HITRUST)  Public companies: The regulation that applies to public organizations to protect shareholders (e.g., SOX)
  • 18. PCI DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD) PCI DSS is the standard developed by PCI Security Standards Council (PCI SSC) which is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
  • 19. PCI DSS REQUIREMENTS 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel
  • 20. HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT) The Health Insurance Portability and Accountability. It was created primarily to modernize the flow of healthcare information and protect Personally Identifiable Information maintained by the healthcare and healthcare insurance industries.
  • 21. HIPAA SECURITY REQUIREMENTS 1. Follow general security principles (Protect ePHI, Identify and protect threats, compliance) 2. Identify, Analyze and manage the security risks 3. Implement Administrative Safeguards (Security management process and personnel, Asset management, training) 4. Implement Physical Safeguards (Facility access security, Device security) 5. Implement Technical Safeguards (Access Controls, Audit Controls, Integrity Controls, Transmission Security) 6. Implement Organizational Controls (Roles and responsibilities, Contractual requirements, Policies and Standards)
  • 22. GDPR (GENERAL DATA PROTECTION REGULATION) The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
  • 23. GDPR REQUIREMENTS 1. Lawful, fair and transparent processing 2. Limitation of purpose, data and storage 3. Data subject rights (information, access, processing, erased, etc.) 4. Consent 5. Personal data breaches 6. Privacy by design 7. Data protection impact assessment 8. Data transfers 9. Data protection officer 10. Awareness and training
  • 24. SOX (SARBANES– OXLEY ACT) Sarbanes-Oxley Act imposes various governance, accounting and reporting standards on US public companies (including their subsidiaries) and accounting firms. It also applies to non-US companies issuing and registering securities in the US.
  • 25. SOX REQUIREMENTS (KEY CONTROLS)  Access Controls (Least privileges, Job rotation, Segregation of duty)  IT Security (Security program, policies, controls, operation)  Data Backup (Redundancy, backups, disaster recovery, testing)  Change Management (roles and responsivities, process documentation, approvals)
  • 26. ISO 27001 ISO/IEC 27001 formally specifies an Information Security Management Syste m, a governance arrangement comprising a structured suite of activities with which to manage information risks (called ‘information security risks’ in the standard).
  • 27. ISO 27001 CONTROLS 1. Annex A.5 – Information security policies (2 controls) 2. Annex A.6 – Organisation of information security (7 controls) 3. Annex A.7 – Human resource security (6 controls) 4. Annex A.8 – Asset management (10 controls) 5. Annex A.9 – Access control (14 controls) 6. Annex A.10 – Cryptography (2 controls) 7. Annex A.11 – Physical and environmental security (15 controls) 8. Annex A.12 – Operations security (14 controls) 9. Annex A.13 – Communications security (7 controls) 10. Annex A.14 – System acquisition, development, and maintenance (13 controls) 11. Annex A.15 – Supplier relationships (5 controls) 12. Annex A.16 – Information security incident management (7 controls) 13. Annex A.17 – Information security aspects of business continuity management (4 controls) 14. Annex A.18 – Compliance (8 controls)
  • 28. LOCAL LEGISLATIONS  It is important to understand the local law applies to any type of data in each country, as there could be differences and specific requirements in that country. Some examples are:  Health Data Hosting (HDS) France  UK National Health Service (NHS)  Japan Privacy law  Australia Privacy Act  China Cyber Security Law  Etc.
  • 29. SECTION 3  Data Governance and Management
  • 30. WHAT IS SECURITY GOVERNANCE Security governance is the means by which you control and direct your organisation's approach to security. When done well, security governance will effectively coordinate the security activities of your organisation. It enables the flow of security information and decisions around your organisation.
  • 31. SECURITY GOVERNANCE COMPONENTS  Security Policy Framework (including Roles and Responsibilities)  Security Risk Management  Security Awareness Training  Security Metrics and Improvements
  • 32. SECURITY POLICY FRAMEWORK Policy: Outlines senior management’s expectation of security Standard: Formalizes mandatory security requirements to protect assets Procedure: Explains how to perform security functions within organization Guideline: Outlines recommendations, statements and instructions Baseline: Minimum security for technology specification, configurations, architecture
  • 33. SECURITY DOCUMENTS Document Type Description Mandatory/Discretionary Security Policy Business expectation and requirements for security Mandatory Security Standard Detailed technology and process requirements to protect assets Mandatory Security Procedure Step by step work instruction to ensure policies and standards are followed properly Mandatory Security Guideline Best practices and recommendations about security aligned with policy Discretionary Security Baseline Minimum level of accepted security controls Minimum Mandatory, Additional Discretionary
  • 34. SAMPLE SECTIONS OF INFORMATION SECURITY POLICY Purpose and the Scope of the policy Relevant Audience Roles and Responsibilities Information Security Principles and Objectives Access Controls Requirements Data Classification Security Awareness and Training Requirements
  • 35. ROLES AND RESPONSIBILITIES  Senior Management  CISO/Security Professionals  Data Owners  Data Custodians  Data Users  Data Auditors
  • 36. SECURITY RISK MANAGEMENT Security Risk Management is the ongoing process of identifying security risks, by evaluating threats and vulnerabilities, and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets.
  • 37. EXAMPLES OF SECURITY RISKS Inappropriate access controls allows unauthorized users to access sensitive data A server with no malware protection gets infected with a virus Cyber criminals deface a vulnerable web application
  • 38. THREATS AND VULNERABILITIES  Threats are potential occurrence of a harmful event.  Flood, state-sponsor attacks, cyber crimes, fire, terrorism, etc.  Vulnerabilities are the weaknesses on the environment or systems which can allow threats to do a harm.  Lack of air-conditioning in a data center  No backup power supply  No security patch installed on a server  Vulnerable software code  Etc.
  • 39. EXAMPLES OF THREAT ACTORS A threat actor is anyone or anything who is either is a key driver of, or participates in, a malicious action that targets an organization.  Hacker: Malicious individual who attacks computer systems  Outsider: Attacker with no authorized access to systems  Insider: Internal user with authorized access to systems  Bot developer: A system running malware that is controlled via a central command and control called Botnet  Phisher: Malicious actor who attempts to trick users into doing something  Spear Phisher: Phisher who pretend being authorized member of company
  • 40. HOW RISK IS CALCULATED  Risk is only valid when:  There is a threat for a particular asset  AND  There is a vulnerability on that particular asset  Risk = Threat x Vulnerability x Asset (value)
  • 41. ASSET CLASSIFICATION AND VALUATION Asset can be tangible or intangible Hardware, IT Device Data, Application, or even Human Consider below to classify assets The monetary value for the asset itself The costs of replacing the asset if it is lost The level of impact on business if the asset is unavailable Operation, customers, stakeholders, etc.
  • 42. RISK MANAGEMENT FRAMEWORK  COSO, is a corporate governance model, that a company would follow to be found compliant with the Sarbanes- Oxley Act.  ISO/IEC 27005 is a set of standards that have been documented related to information security risk management. These standard would cover risk identification, evaluation, analysis and treatment.  NIST SP 800-30 is a complete guide and information about IT risk assessment and management and steps need to reduce risks to an acceptable level.
  • 43. RISK MANAGEMENT PROCESS Risk Identification Risk Assessment Risk Response and Mitigation Risk Monitoring and Reporting
  • 44. RISK IDENTIFICATION  Threats or vulnerabilities alone are not considered a risk, but together they introduce risks.  Risk = Threat x Vulnerability x Asset (value)  Example:  Threat: Cyber criminals try to obtain sensitive information  Vulnerability: SQL injection possibility on an ecommerce web application  Asset: The ecommerce web application  Risk scenario: The hacker uses SQL injection vulnerability to exploit the ecommerce application and obtain sensitive customer data
  • 45. RISK ASSESSMENT  Qualitative Assessment  Identifying likelihood of occurrence and impact for each risk, and calculating the criticality based on those  Quantitative Assessment  Measuring risk by monetary loss value of that
  • 46. QUALITATIVE RISK ASSESSMENT Impact: What is the business impact if the risk happens Likelihood: What is the probability of risk happening Risk Scores (E.g., Low, Medium, High)
  • 47. RISK MATRIX (HEAT CHART)  Red: High Risks  Yellow: Medium Risks  Green: Low Risks
  • 48. QUANTITATIVE RISK ASSESSMENT  Asset Value (AV): The value of the asset  Exposure Factor (EF): Percentage of value of an asset loses  Single Loss Expectancy (SLE) = AV x EF (Cost of one Loss)  Annual Rate of Occurrence (ARO): Number of losses suffered per year  Annualized Loss Expectancy (ALE) = SLE x ARO (Cost of losses per year)
  • 49. EXAMPLE – QUANTITATIVE RISK ASSESSMENT  Scenario: Losing a laptop, with 100 unencrypted personal records (PII)  Asset Value (AV): $5000 (Laptop) + $40,000 (PII data) = $45,000  Note: Each personal record costs around $400  Exposure Factor (EF): 1 (100% since the laptop is lost)  Single Loss Expectancy (SLE) = 1 x $45,000 = $45,000  Annual Rate of Occurrence (ARO): 20 (Assuming 20 laptops is lost per year)  Annualized Loss Expectancy (ALE) = 20 x $45,000 = $900,000
  • 50. RISK RESPONSE  Risk Acceptance  Risk appetite: Company’s high-level stand on what is acceptable  Risk tolerance: Acceptable level on each relevant risk  Risk Mitigation: Lowering the risk to an acceptable level by implementing controls  Example: Laptop encryption, to avoid losing data when losing laptops  Risk transference: E.g., Insurance or third party  Risk avoidance: E.g., Not doing the project, or not going through acquisition
  • 51. RISK COUNTERMEASURE A countermeasure is a control that is put in place to protect an asset, and reduce risks associated with that asset The value of countermeasure implementation should be less than the asset value
  • 52. COUNTERMEASURE (CONTROL) TYPES  There are 3 main types of countermeasures:  Physical: Locks, gates, alarms, cameras, fire extinguishers, etc.  Technical: Malware protection, Firewalls, Encryption, etc.  Administrative: People and procedures. Who is authorized, who is approving, who is monitoring, auditing, etc.
  • 53. COUNTERMEASURE (CONTROL) FUNCTIONS  Preventative controls: Antivirus, IPS, Encryption, Firewall, Fences, Locks, etc.  Detective controls: Alarms, Surveillance, SIEM, IDS, etc.  Corrective controls: AV signatures, patching, backup restores, etc.  Recovery controls: Disaster recovery, Business continuity plans  Deterrent controls: Security guards, dogs, barb wire, etc.  Compensating controls: Separation of duty, Job rotation, Insurance, etc
  • 54. RETURN OF INVESTMENT  Return of Investment = Annualized Loss Expectancy - Risk Mitigation control TCO (Total Cost of Ownership)  Using previous example, laptop encryption costs $50/laptop + $10 annual maintenance, and there are 1000 laptops, the TCO for the first year would be $60,000, while the second year would be only $10,000.  In above example ROI would be as below:  First year: $900,000 - $60,000 = $840,000  following years: $900,000 - $10,000 = $890,000
  • 55. RISK MONITORING AND REPORTING  Key Risk Indicator (KRI)  A metric or set of metrics that are used to provide an early signal of increasing risk exposures in various areas of the enterprise.  KRIs are used to provide an early warning, instead of measuring something that has already  Key Performance Indicator (KPI)  Measure the effectiveness of the security controls associated with the risks  happened.
  • 56. THIRD PARTY AND OUTSOURCING RISKS  Risks associated with legal and regulatory compliance  Operational issues and Service Level Agreement (SLA)  Incident Response  Non Disclosure and Master Service Agreements (NDA & MSA)  Legal Contracts and obligations  Cyber Insurance
  • 57. THIRD PARTY RISK ASSESSMENT AND MANAGEMENT Vendor’s security credentials and certifications Security questionnaire (e.g. SIG or Standardized Information Gathering questions) Annual review and recording Pro-active monitoring Mergers and Acquisitions security requirements
  • 58. SECURITY AWARENESS TRAINING Policies and Standards Learning Management System Security Championship Newsletters, Posters, Banners Phishing tests
  • 59. SECURITY METRICS AND IMPROVEMENTS  Are the current risks being monitored and managed properly?  Are the new threats and vulnerabilities being identified regularly?  Is the asset inventory and classification up-to-date and are the new assets being discovered?  Are users and management aware of their security responsibilities?  Are the security controls, tools and processes optimized and working?
  • 60. SECTION 4 DATA MONITORING AND INCIDENT RESPONSE
  • 61. ASSET MANAGEMENT Asset management in Cyber Security is the process of identifying, on a continuous, real-time basis, the IT assets that your organization owns and the potential security risks or gaps that affect each one. In this context, assets take many forms.
  • 62. ASSET TYPES Tangible Assets Laptop mobile phone Network device Etc. Intangible Assets Data Application Human Etc.
  • 63. ASSET DISCOVERY Asset Discovery is an IT term that is used to describe the process of cataloguing your IT assets and monitoring them on a regular basis
  • 64. ASSET CLASSIFICATION Asset classification is the process of assigning assets into groups, based on several common characteristics and importance to business.
  • 65. ASSET OWNERSHIP Identifying asset owner is important to determine required security controls, as well as being able to respond to possible security incidents on time.
  • 66. ASSET MANAGEMENT TOOL DEMONSTRATION
  • 67. DATA ACCESS MANAGEMENT AND MONITORING Structured Data •User Access Controls: Give access to users who need to have access •Database Security Monitoring: Monitor security of database and access violations •Logging and Auditing: Monitor activities on the database •Data Encryption: Encrypt your data and secure the keys
  • 68. DATA ACCESS MANAGEMENT AND MONITORING Unstructured Data •User Permissions: Allow access to who need to have access •Data Encryption: Encrypt the files and secure the key •Metadata and Labelling: Classify data by assigning a metadata to them •Data Loss Prevention Solutions (DLP): Identify and protect sensitive data automatically •File Integrity Monitoring: Identify and detect changes to the files
  • 70. ACCESS MONITORING TOOLS Database Access Monitoring Solution  Monitor access requests to the databases and identify anomalies File Access Monitoring Solutions  Identify and monitor sensitive files for unauthorized access, and report
  • 71. FILE ACCESS MONITORING TOOL DEMONSTRATION
  • 72. DATA BREACH AND INCIDENT RESPONSE Companies are required to have a process in place to be able to respond to security incidents when they happen Companies are required to understand their liabilities and notify relevant authorities when sensitive data is lost.
  • 73. INCIDENT VS EVENT Event  System occurrence that occurs regularly  System failure due to hardware or software malfunction Incident  Harm or intent of harm  Violates a security control  Indicates privileges greater than authorised  Exposure of an asset or privileged function to unauthorised parties Example  Backup process is failed vs Backup tape is lost
  • 74. INCIDENT TEAM Incident handler: The person who managed the incident steps and progress Incident scribe: The person who documents the incident response progress Security analysts: The security specialists who perform the impact and root cause analysis, and work on the remediation steps Communication lead: The person responsible to handle internal and external communication Data owner: The person whose data is affected by the incident
  • 75. INCIDENT RESPONSE PROCESS  Preparation – Ensure skills and resources are available to effectively respond to any incident.  Identification – Detect incidents in several ways, (e.g. phone call, monitoring).  Containment – Isolate the incident and prevent further damage.  Remediation – Determine cause and symptoms of incident, act to remediate.  Recovery – Restore to normal state and operational use.  Lessons Learned – Document / Debrief incident details to improve the process. Communication
  • 76. PREPARATION Put in place all required documentation, education and support so the organisation is prepared for a security incident Executive Support  Sponsorship and Sign-off Understand the Assets  What information is important to business units?  What systems are important to business units?  What would cause significant reputational damage? Control framework  Access controls – administrative, physical and technical  Administrative – policies, background checks, monitoring, user management  Physical – visitor escorts, door locks, auditing access, accident management  Technical – system and application accounts, network boundaries, anti- malware, encryption
  • 77. PREPARATION Infrastructure (know the playing field)  Network devices, operating systems, applications, databases  Default accounts, unneeded software/services, patching, backup, logging, time sync  Security services (SIEM, IPS, VulnM, patching, secure transfer, remote access, etc.) Incident Response Plan  Incident identification  Step-by-step approach, including communication  Roles, responsibilities and contacts  Personnel and Resources  SOC, CERT, IT Teams, Vendors, Authorities  Table top exercises
  • 78. IDENTIFICATION Verify, validate and declare that an incident that requires attention of the incident handling team is occurring and dispatch resources Identifying an Attack  What is abnormal behaviour?  Network peace Detection tools  Anti-malware, IDS/IPS, Firewall logs , Security logs, File integrity monitoring Suspicious Events  Accounts – failed login attempts, use of default accounts, unauthorised account creation Files – changes to config files, permissions, web directory content, mass encryption, cracking software  Technical observations – gaps in log files, network changes, slow performance, system crashes  Social engineering – repeated password reset phone calls, phishing emails
  • 79. IDENTIFICATION First Questions  Means, opportunity, motive (internal or external)  Who reported it?  What was observed? First Steps  Start gathering information – ask for logs (they rotate quickly)  Get backups if possible Determine Scope and Severity  Number of hosts compromised  Network zones involved  The data type and data owner  Access obtained by the intruder  Potential risks to assets involved  Internal and external knowledge of the incident Assign an incident handler Inform Executives and Authorities
  • 80. CONTAINMENT Put in place immediate controls to ensure the impact and possibility of propagation is minimised Minimise the Impact of the Incident  The longer it persists the greater the damage  Limit outages and data loss  Limit brand damage Strategies for containment  Shut down compromised systems (forensic impact?)  Disconnect systems from the network  Disable services  Restrict network traffic  Disable accounts  Increase logging Consider the continuity of business outside the affected area
  • 81. CONTAINMENT Other steps  Increase logging  Set traps or honeypots  Attack the attacker – controversial, never recommended Forensic incident response  Gather volatile evidence  Confiscate equipment, software and data  Voluntary surrender, subpoena or search warrant  Evidence acquisition and evidence analysis
  • 82. REMEDIATION When damage is no longer being incurred, reverse the effects of an incident and remove the attack vectors from affected systems Clean-up  The source of the incident  The effects of the incident Technical Remediation - Unix  Suspicious processes  Key scripts have not changed (.login, .logout, .profile, etc.)  Unsure key files have not changed (netstat, ls, sum, find, etc.)  Unauthorised entries in .forward files  Check out password files (/etc/passwd, /etc/group, /etc/shadow)  No unauthorised entries in .rhosts  No unauthorised services
  • 83. REMEDIATION Technical Eradication – Windows  Local accounts and groups (admins, remote desktop)  Dial-in settings  Logon scripts  Autorun registry keys  Running processes
  • 84. RECOVERY Restore systems to full operation while preserving security and maintaining the integrity of evidence Full System Restore  Known good media  Clean backups  Don’t re-introduce the malware or backdoor Patching  Ensure latest security patches are applied  Test for the same vulnerability  Patch from a trusted source  Validate patches Recovery Procedures  Written well before an event – DR  Detailed so the uninitiated can understand  Record all actions conducted by technical personnel
  • 85. RECOVERY Logging  Reinstate logging and monitoring services  Add incident specific rules to alert on reoccurrence Communication  Determine when systems will be back online – work with owners!  Keep users aware of progress  Validate with business owners that systems are fully operational  Communicate any actions to avoid because of the incident  Let executive management know when services and applications have been restored  Delegate a staff member responsible for communications (bridge, war room)  Out-of-band communication plan
  • 86. LESSONS LEARNED Author a professional incident report and communicate recommendations with stakeholders The Most Important Step  Opportunity to identify and resolve root causes and weaknesses  Take a step back and look at the bigger picture Incident Report Contents  Executive summary  Timeline – all steps undertaken  Pictorial representation of the incident  Analysis or behaviours and observations  Recommendations – tactical and strategic Approach  Clear and concise  Prejudice or bias should not be represented  Determine the technical level of the audience  Include evidence to support opinions
  • 87. LESSONS LEARNED Review  Peers  Manager  Those involved in the incident Audience  Incident response team  System owners  Business owners  Information owners  Upper management  The board of executives  Court room in the case of a forensic report
  • 88. TABLETOP EXERCISE A cyber crisis tabletop exercise, also known as cyber incident response test, helps organizations to identify different risk scenarios and prepare them for cyber threats. It's an activity to evaluate whether your organization's incident response plan works effectively in the case of a cyber attack.
  • 91. SECTION 5 DATA SECURITY TECHNICAL CONTROLS
  • 92. ACCESS CONTROLS  Centralized  Permissions and Privileges are assigned to users centrally by administrators.  Decentralized  Permissions and privileges can be managed on each asset, and not managed centrally.  Advantages and Disadvantages  Decentralized Access Controls are easier to implement, but harder to manage and monitor for security violations.
  • 93. ROLE BASED ACCESS CONTROL RBAC Centralized access-control mechanism defined around roles and privileges. Each user will have a role, and permissions are assigned to roles, not users.
  • 94. POLICY BASED ACCESS CONTROL PBAC Policy-based access control, also known as Attribute-based access control (ABAC), defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes.
  • 96. DATA SECURITY CONTROLS DATA ACCESS CONTROLS (PERMISSIONS) DATA ENCRYPTION (IN MOTION, AT REST) DATA LOSS PREVENTION (DLP) DATA CLASSIFICATION TOOLS DATA INTEGRITY MONITORING
  • 97. DATA ACCESS CONTROLS Identity and Access Management Privileged Access Management • Database permissions • Least privilege • Multi-factor authentication Structured data • File and folder permissions • Least privilege Unstructured data
  • 99. DATA ENCRYPTION Encryption at rest Encrypt sensitive data when it is stored on the disk. This can be done by: -Database encryption -File Encryption -Storage Encryption Encryption in transit (motion) Encrypt sensitive data while it is being transferred from one system to another. This can be done by: -Digital Certificates -Encryption keys
  • 100. SYMMETRIC VS ASYMMETRIC ENCRYPTION The basic difference between these two types of encryption is that symmetric encryption uses one key for both encryption and decryption, and the asymmetric encryption uses public key for encryption and a private key for decryption.
  • 101. PUBLIC KEY INFRASTRUCTURE  A public key infrastructure is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.  A Certificate Authority (CA) that stores, issues and signs the digital certificates;  A Registration Authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA;  A Validation Authority (VA) is an entity that provides a service used to verify the validity of a digital certificate.
  • 102. PKI – HOW IT WORKS
  • 103. DATA LOSS PREVENTION  Data Loss Prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and comply with regulations.
  • 104. DLP SOLUTIONS  Endpoint DLP  Normally an agent sitting on the endpoint operating system and looking for sensitive data  Network DLP  Looking for sensitive data by sniffing and listening to the network traffic  Cloud DLP  Integrates with cloud environment and monitor cloud traffic for sensitive data. Normally part of CASB, CSPM, CWPP, etc.  Email DLP  Monitor email activities for sensitive data. It is part of the email solution or email gateway.
  • 105. DLP POLICY A data loss prevention policy defines how organizations can share and protect data. It controls how data can be used in decision making without it being exposed to anyone who should not have access to it. Example: No European personal data is allowed to be sored in no-EU countries.
  • 107. DATA CLASSIFICATION TOOLS  Tagging sensitive data with relevant classification labels (e.g., confidential, or internal)  Integrates with Microsoft and Adobe solutions to classify unstructured data  Microsoft Azure Information Protect (AIP) is well-known one
  • 108. MICROSOFT AIP Classification and sensitivity labels Information Right management Data Encryption Native Microsoft cloud integration Internal on-premise scan agents Monitoring, tracking and reporting Scanning and Automatic labeling
  • 109. FILE INTEGRITY MONITORING (FIM) While databases have better integrity controls, unstructured data is a lot harder to monitor FIM is a technology that monitors and detects file changes that could be indicative of a cyberattack.
  • 110. FIM OPERATION STEPS  Policy configuration  Establishing a baseline for files  Monitoring changes (e.g., Ransomware)  Sending an alert  Reporting results
  • 111. LOGGING AND MONITORING  Critical data access requests need to be logged  Data changes and movements need to be logged  All data security tools need to send security logs to SIEM  Any access violation must trigger an alert and initiate incident response process  Regular audit on data access and permissions need to be done, and risks must be remediated immediately  Logs need to be secured to prevent unauthorized access
  • 112. DATA DISCOVERY AND PROTECTION
  • 113. DATA DISCOVERY AND PROTECTION  Scan, classify, and index file contents and properties.  Collect file and folder structures and permissions from data stores.  Collect local users, groups, and relationships from data stores.  Collect domain users, groups, and relationships from directory services.  Aggregate, normalize, and enrich access events in real-time.  Self-heal globally exposed data.  Auto-repair broken access controls.  Auto-quarantine rogue sensitive files.