Your data is your business...
Secure it or lose it!
A Lunch & Learn webinar for IT Management
Brought to you by Performance Tuning Corporation
www.perftuning.com
Panelists
Mark Swanholm
Chief Strategy Officer
Performance Tuning Corporation
https://www.linkedin.com/in/mswanholm
Dan Morgan
Oracle ACE Director
Performance Tuning Corporation
https://www.linkedin.com/pub/dan-morgan/0/aa9/a5
Agenda
• Introduction
• Getting It Wrong
• Selling FUD (fear, uncertainty, and doubt)
• Solution Roadmap
• Q&A
• Conclusion
photo by Scott Schiller
• Founded in 1997
– Team spun out of Compaq Performance Lab
– Focused on solving the tough/complex and messy data architecture problems
– Very Senior team of EXPERTS
• Over 1000 clients & counting
• Key industries: Financial Services, Telecom, Oil & Gas,
Healthcare
• Oracle Platinum Partner: Oracle Ace Director and Oracle Ace on
staff
About PTC Select Clients
• Database & Engineered Sys.
• Storage, Server and Network
• Consulting, Managed Services &
Training
Focus on:
High Performance Architectures
Introduction: Daniel Morgan
• Oracle ACE Director
• Wrote Oracle curriculum and primary program instructor at University of Washington
• Oracle consultant to Harvard University
• The Morgan behind Morgan's Library on the web
www.morganslibrary.org
• 10g, 11g, and 12c Beta tester
• Member: New York Oracle Users Group
• Retired chair Washington Software Assoc. Database SIG
• Co-Founder International GoldenGate Users Group
• Never an employee of Oracle Corp.
Your data is your business: Secure it or Lose it!
Source: http://xkcd.com/936/
Source: http://xkcd.com/538/
Getting It
Wrong!
photo by Miles Tsang
What's The Worst That Can Happen?
Source: http://www.reuters.com/article/2009/08/17/us-crime-identity-idUSTRE57G4GC20090817
What's The Worst That Can Happen?
Source: http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
What's The Worst That Can Happen?
Source: http://krebsonsecurity.com/2014/12/banks-card-breach-at-some-chick-fil-as/
What's The Worst That Can Happen?
Source: http://arstechnica.com/security/2014/07/wsj-website-hacked-data-offered-for-sale-for-1-bitcoin/
What's The Worst That Can Happen?
The movie was a side show:
Source: http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-list-of-stolen-corporate-files/
Why Is This Happening?
IT staff is untrained in security beyond a superficial level
They do not appreciate the real threat level
They do not have job-specific security training
They do not have sufficient time in their work-day
to take on additional tasks
Misdirection and False Positives
Source: https://www.damballa.com/ponemon-institute-survey-the-cost-of-malware-containment/
Where Is Your Squeaky Wheel?
• Have you validated last night's backup?
• Reports are too slow
• We need to have the new system online by next week
• Has that bug been patched yet?
• We need the new data warehouse online by Wednesday next week
• No one can log into the HR system
• Why does that system keep going down?
• We are moving the QA systems to new hardware
• Development needs another database refresh
• There is a gap in our security but so far no one has exploited it
• Any warnings in the alert log?
FUD
(Fear, Uncertainty &
Doubt)
Sarbanes Oxley Act (SOX, SarbOx)
• Passed by Congress on January 23rd,
2002 and signed by President Bush on
July 30th, 2002
HIPAA Requirements
• Gives patients access to their information and ability to request
change
• Must restrict access to a patient's information by others
• Must restrict disclosure of protected information to minimum
required for healthcare treatments & transitions
• Establish controls for access to records by researchers
• Assign a privacy officer that will administer the privacy policy
programs and enforce compliance
• Maintain confidentiality, integrity and availability of healthcare
information
Storage of Broker-Dealer Records
• Electronic records must be preserved
exclusively in a non-rewriteable and
non-erasable format
• Broker-dealers may employ a storage system
that prevents alteration or erasure of the
records for their required retention period
FACTA Requirements
• Fair Credit Reporting Act
• Required as of June 1, 2005
• Requirements for consumer reporting agencies and users of consumer reports
• Who must comply
• Mortgage brokers
• Automobile dealers
• Attorneys and private investigators
• Debt collectors
• Lenders
• Insurers
• Employers
• Landlords
• Government agencies
Gramm-Leach-Bliley Requirements (GLB)
• The FTC, the federal banking agencies, and the
National Credit Union Administration (NCUA) have
published final regulations to implement the new
FACTA Disposal Rule.
• The FTC's disposal rule applies to consumer reporting agencies as well as
individuals and businesses of any size that use consumer reports
PCI Requirements
• Payment Card Industry Data Security Standard
• Required by September 2007 if your
organization accepts credit cards
• The TJX Companies breach
– The TJX Companies Inc. breach is the largest known data theft to date.
Hackers invaded the TJX systems and stole at least 45.7 million credit and
debit card numbers over an 18-month period, as well as personal data,
including driver's license numbers, of another 455,000 customers who
returned merchandise without receipts.
PIPEDA Requirements
• [Canada] A multifaceted security standard that
includes requirements for security management,
policies, procedures, network architecture, software
design and other critical protective measures
Basel II Requirements
• [EU] To be in compliance with Basel II, a banking institution
must deliver appropriate
reporting of operational risk exposures and loss data to its
board of directors and senior management. These reports
must:
– Address both company-wide and line of business results
– Summarize operational risk exposure, loss experience, relevant
business environment and internal control assessments
– Identify and assess the operational risk inherent in all material
products, activities, processes and systems
Expanding Regulatory Requirements
AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)
EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances
(ROHS/WEE)
APAC
• J-SOX (Japan)
• CLERP 9: Audit Reform and Corporate Disclosure
Act (Australia)
• Stock Exchange of Thailand Code on Corporate
Governance
GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance
The US Is An Unsafe Harbor
Brussels, 17 August 2007
ARTICLE 29 DATA PROTECTION WORKING PARTY
Following the conclusion of the new long-term PNR agreement between the EU and
the US, the Art. 29 Data Protection Working Party has issued today an opinion
analyzing the privacy impact of the transfer of passenger data to the US on
fundamental rights and freedoms and in particular the passengers’ rights to data
protection. The opinion concludes that the safeguards of the new agreement are
markedly lower than those of the previous deal and serious questions and
shortcomings remain unaddressed. The level of data protection of the new agreement
must be considered unsatisfactory.
Accepted data protection standards such as those enshrined in Convention 108 of the
Council of Europe or the EU Data Protection Directive are not fully respected.
What They Have In Common
• Establish information security programs to assess and control risks
• Protect against any anticipated threats or hazards to the security or
integrity of records
• Protect against unauthorized access or use that could result in harm or
inconvenience to any customer
• Install access controls on customer information systems, including controls
to authenticate and permit access only to authorized individuals as well as
prevent employees from providing
• Document disposal procedures
The Cost
A study conducted by Ponemon Institute
estimates an average cost of $14 million per
security breach incident, with costs ranging as
high as $50 million
Solution
Roadmap
Goals Don’t Always Align
What Management Wants
• Know who did what and when
• Know who accessed what data, both generally and under specified conditions
• Protect the audit trail from tampering and be able to prove it is authentic
• Adequately guard against security threats without choking the business
What Auditors Want
• Separation of duties
• Reporting
• Notification
• Proven audit data integrity
What IT Wants
• Performance and scalability
• Minimal constraints while getting the job done
• Evenings and weekends off
Process? A Good First Step
• Most regulatory frameworks require a detailed, documented process or
“controls”
– Most companies have these processes in place – but have not done a comprehensive
review of how these impact the overall security of the company
– Gaps between processes are the perfect spot for hackers, corporate espionage and
other threats to grow
• An overall security audit needs to be conducted
– This needs to be revisited at least annually
• Once an audit is complete processes should be reviewed and updated
– Consider using a governance framework as a starting point
– Process change is often the hardest and longest change a company can undertake
Governance, Risk, and Compliance (GRC)
Governance
• Set and evaluate performance against
objectives
• Authorize business strategy &
model to achieve objectives
Risk Management
• Identify, assess, and address
potential obstacles to achieving
objectives
• Identify / address violation of
mandated and voluntary
boundaries
Culture
• Establish organizational climate
and mindset that promote trust,
integrity, & accountability
Compliance
• Encourage / require compliance
with established policies and
boundaries
• Detect non-compliance and
respond accordingly
COSO Cube & Compliance Model
Monitoring
• Continuous Exception Detection & Monitoring
• Periodic Reports and Attestations
Event Identification
• Exception thresholds
Risk Assessment
• Model Risk assessment around
resources with sensitive data –
financial, ePHI, NPI
• Electronic Transactions
• Application, Application Server,
DB, OS
• Predictive Risk Analysis
Information & Communication
• Approval Workflows
• Attestation Workflows
• Exception Notifications
• Delegated Administration
• Automated Provisioning
• Password Reset
Risk Response
• Corrective
Workflows
Control Activities
• Entitlement Policies: RBAC,
ABAC, SoD
• Strong Authentication
• Exception Detection &
Remediation
• Employee termination
• Policy Retrofits & Revocations
What’s Most Important: Getting to Secure
• Process change will take time
• Threats won’t wait for you to get your entire
company aligned
• Some (obvious) things can be done
immediately
– You’d be surprised how often they aren’t
photo by Scott Schiller
Getting to Secure: Step 1 – Identify Value
• What do we have that is of value?
• Prioritize the valuables ... determine what needs to
be secured first from the standpoint of risk to your
organization and customers
• Identify the vectors ... what threats exist in the wild
that could put our valuables at risk?
photo by Scott Schiller
Getting to Secure: Step 2 – Evaluate Risks
• Determine what risks have been mitigated ... through
an outside, independent, audit
• Determine what risks need to be addressed
• Obtain both internal and external assessments of
how to most cost-effectively mitigate remaining
threats
photo by Scott Schiller
Getting to Secure: Step 3 - Acquire Resources
• Locate resources to address the priority risks
• Based on a careful balancing of risks and costs build a
plan and get the budget approved
• Put actions into your 2015 plan
photo by Scott Schiller
Getting to Secure
Are You As Secure As You Think?
Firewall Rules: Application Access
HTTP&HTTPS Allowed from outside “specific Networks” to XXX 192.168.1.247
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC 157.142.0.0/16
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE 10.64.0.0/10
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
Firewall Rules: Database Access
ICMP Allowed from outside to Business-Data Zone
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
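The two policies above are exactly what a rule-base review should surface. As an added example that is not from the deck or from Performance Tuning Corporation, the Python script below parses Junos-style `set security policies` lines, groups them per policy, and flags permit rules that cross from the UNTRUST zone into a data zone or that match source or destination `any`. The sample config is constructed from the slides (address-book names only, without the CIDR annotations); which zone names count as untrusted and as data zones is an assumption.

```python
"""Audit Junos SRX 'set security policies' lines for overly permissive rules.

Added example, not part of the original deck. It parses the kind of rules
the slides show (UN-BA-443 and BD-Ping) and reports permit rules that expose
a data zone to an untrusted zone or that use source/destination 'any'.
"""
import re

# Constructed sample: the two policies from the slides, one line per 'set'.
SAMPLE_CONFIG = """
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
"""

# Assumed zone classification: which zones hold the data the deck says must be
# secured first, and which zones are outside the trust boundary.
DATA_ZONES = {"Business-Data"}
UNTRUSTED_ZONES = {"UNTRUST"}

# One 'set' line carries either a single match term or the policy action.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$"
)


def parse_policies(config_text):
    """Group 'set' lines into one dict per (from-zone, to-zone, policy name)."""
    policies = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue  # not a security-policy line; ignore it
        from_zone, to_zone, name, field, value, action = m.groups()
        pol = policies.setdefault((from_zone, to_zone, name), {
            "from_zone": from_zone, "to_zone": to_zone, "name": name,
            "source-address": set(), "destination-address": set(),
            "application": set(), "action": None,
        })
        if field:
            pol[field].add(value)   # match terms accumulate (multiple source-address lines)
        else:
            pol["action"] = action  # 'then permit' / 'then deny' / 'then reject'
    return list(policies.values())


def audit_policy(pol):
    """Return a list of findings (strings) for one parsed policy."""
    findings = []
    if pol["action"] != "permit":
        return findings  # deny/reject rules do not expose anything
    if pol["from_zone"] in UNTRUSTED_ZONES and pol["to_zone"] in DATA_ZONES:
        findings.append("permits traffic from an untrusted zone directly into a data zone")
    if "any" in pol["source-address"]:
        findings.append("source-address any: reachable from every host in the from-zone")
    if "any" in pol["destination-address"]:
        findings.append("destination-address any: every host in the to-zone is exposed")
    if "any" in pol["application"]:
        findings.append("application any: no protocol restriction")
    return findings


def audit_config(config_text):
    """Map policy name -> findings, omitting policies with nothing to report."""
    report = {}
    for pol in parse_policies(config_text):
        findings = audit_policy(pol)
        if findings:
            report[pol["name"]] = findings
    return report


if __name__ == "__main__":
    # On the sample, UN-BA-443 is clean under these checks; BD-Ping is flagged three times.
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it against a `show configuration | display set` export (feed the text in place of SAMPLE_CONFIG) gives a first-pass list of rules to review before a formal audit.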
Getting to Secure
Low Hanging Fruit
What Objects Must Be Secured?
• Segment data
– Tables and indexes containing sensitive data
• which tables ... which columns ... what do they contain?
– Views that expose sensitive data
• Backup Files
• Redo logs
• Archived redo logs
• Operating system files
• Development, Test, and Staging Systems
What Infrastructure Must Be Secured?
• Primary Databases
• Standby Databases at DR Sites
• Web and Application Servers
• Storage Arrays
• Network Communications
• Data Centers
• Backup Tape Storage
WRAP-UP
Conclusions
• Internal and external threats are multiplying – and getting more
sophisticated
• Ignoring security can be extremely costly – it can cost your job or
even put your company out of business
• Security happens within an array of regulations and guidelines – that
complicate how you approach the task
• You need governance for the long term – but you shouldn’t wait for
that process to be complete, the stakes are too high!
• Most companies don’t understand security – and even those that do
need a second opinion to make sure they haven’t missed something.
…Get HELP!
Any Questions?
Thank you!
EXPERTS
Expert Data Services team with deep
performance tuning and Oracle
technology backgrounds.
More info:
www.perftuning.com
info@perftuning.com
@perftuning

More Related Content

PDF
#HR and #GDPR: Preparing for 2018 Compliance
PDF
How technology and innovative processes can make your legal team more efficient
PDF
Antitrust Case Study
PPTX
William A. Tanenbaum Association of Benefit Administrators April 2015
PDF
8MAN-Public_Sector_Data_and_Information_Security_Survey 2016
PDF
Looking Forward - Regulators and Data Incidents
PPTX
Securing and Modernizing Technology in the Commonwealth: Better Together
#HR and #GDPR: Preparing for 2018 Compliance
How technology and innovative processes can make your legal team more efficient
Antitrust Case Study
William A. Tanenbaum Association of Benefit Administrators April 2015
8MAN-Public_Sector_Data_and_Information_Security_Survey 2016
Looking Forward - Regulators and Data Incidents
Securing and Modernizing Technology in the Commonwealth: Better Together

What's hot (20)

PPT
The impact of regulatory compliance on DBA(latest)
PDF
Protecting Your Business From Cyber Risks
PPTX
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
PPTX
Best practices to mitigate data breach risk
PDF
SNW Fall 2009
PDF
FFIEC Regulatory Training
PPTX
Trends in Law Practice Management – Calculating the Risks
PDF
[Presentation] GDPR - How to Ensure Compliance
PDF
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
PDF
Regulatory intelligence
PDF
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
PPT
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
PPTX
Jisc GDPR conference
PDF
The Diamond Datascram Diaries: Diamond Datascram Development
PPTX
Regulatory Intelligence
PPTX
Deconstructing Data Breach Cost
PPTX
Date Use Rules in Different Business Scenarios: It's All Contextual
PPT
Database auditing essentials
PPTX
Cyber Insurance CLE
The impact of regulatory compliance on DBA(latest)
Protecting Your Business From Cyber Risks
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Best practices to mitigate data breach risk
SNW Fall 2009
FFIEC Regulatory Training
Trends in Law Practice Management – Calculating the Risks
[Presentation] GDPR - How to Ensure Compliance
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Regulatory intelligence
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Jisc GDPR conference
The Diamond Datascram Diaries: Diamond Datascram Development
Regulatory Intelligence
Deconstructing Data Breach Cost
Date Use Rules in Different Business Scenarios: It's All Contextual
Database auditing essentials
Cyber Insurance CLE
Ad

Viewers also liked (20)

PPTX
Máximas Para Mi Hija
PPTX
Máximas Para Mi Hija
PPS
Despedida uma pequena maravilha
PDF
Christopha vixamar
PDF
Ngs2017 pub 092014 ppp
PPTX
Christopha vixamar ppp
PPTX
The Business of Security: The Nitty Gritty of Running a Multi-Million Dollar ...
PDF
Advantages of running Oracle 11g on Microsoft Windows Server x64
PPTX
Analyser vos logs avec Ingensi
PPTX
Deep web (amatuer level)
PPTX
CamStudio
PPTX
Diapositiva Ast. Julio Taipe
PDF
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
PPTX
ToR - Deep Web
PPTX
Big Data: How does it fit in your data strategy?
PPTX
Database 12c is ready for you... Are you ready for 12c?
PDF
Are You Ready for 12c? Data Migration and Upgrade Best Practices
PPTX
Deep-Dive: Secure API Management
PPT
Deep Web
Máximas Para Mi Hija
Máximas Para Mi Hija
Despedida uma pequena maravilha
Christopha vixamar
Ngs2017 pub 092014 ppp
Christopha vixamar ppp
The Business of Security: The Nitty Gritty of Running a Multi-Million Dollar ...
Advantages of running Oracle 11g on Microsoft Windows Server x64
Analyser vos logs avec Ingensi
Deep web (amatuer level)
CamStudio
Diapositiva Ast. Julio Taipe
Migrating to Database 12c Multitenant - New Opportunities To Get It Right!
ToR - Deep Web
Big Data: How does it fit in your data strategy?
Database 12c is ready for you... Are you ready for 12c?
Are You Ready for 12c? Data Migration and Upgrade Best Practices
Deep-Dive: Secure API Management
Deep Web
Ad

Similar to Your data is your business: Secure it or Lose it! (20)

PDF
Complying with Cybersecurity Regulations for IBM i Servers and Data
PPTX
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
PPTX
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
PDF
Cloud Regulations and Security Standards by Ran Adler
PDF
Michael Josephs
PDF
TrustArc Webinar - Cross-Border Data Transfers in 2025: Regulatory Changes, A...
PPTX
Final Presentation
PDF
Secure and Compliant Data Management in FinTech Applications
PPTX
Information Security Assessment Offering
PPTX
MYTHBUSTERS: Can You Secure Payments in the Cloud?
PPTX
NARCA Presentation - IT Best Practice
PPTX
ISStateGovtProposal
PDF
Compliance policies and procedures followed in data centers
PPTX
Improve IT Security and Compliance with Mainframe Data in Splunk
PPTX
Analytics in Action - Data Protection
PDF
GDPR- The Buck Stops Here
PDF
Is it time for an IT Assessment?
PDF
A Breach Carol: 2013 Review, 2014 Predictions
PDF
Facility Environmental Audit Guidelines
PPT
Data Privacy - What the CIO and CISO know
Complying with Cybersecurity Regulations for IBM i Servers and Data
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Cloud Regulations and Security Standards by Ran Adler
Michael Josephs
TrustArc Webinar - Cross-Border Data Transfers in 2025: Regulatory Changes, A...
Final Presentation
Secure and Compliant Data Management in FinTech Applications
Information Security Assessment Offering
MYTHBUSTERS: Can You Secure Payments in the Cloud?
NARCA Presentation - IT Best Practice
ISStateGovtProposal
Compliance policies and procedures followed in data centers
Improve IT Security and Compliance with Mainframe Data in Splunk
Analytics in Action - Data Protection
GDPR- The Buck Stops Here
Is it time for an IT Assessment?
A Breach Carol: 2013 Review, 2014 Predictions
Facility Environmental Audit Guidelines
Data Privacy - What the CIO and CISO know

Recently uploaded (20)

PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PPTX
A Presentation on Artificial Intelligence
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PPTX
Tartificialntelligence_presentation.pptx
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPT
Teaching material agriculture food technology
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Encapsulation_ Review paper, used for researhc scholars
SOPHOS-XG Firewall Administrator PPT.pptx
Group 1 Presentation -Planning and Decision Making .pptx
A Presentation on Artificial Intelligence
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
MIND Revenue Release Quarter 2 2025 Press Release
Tartificialntelligence_presentation.pptx
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Building Integrated photovoltaic BIPV_UPV.pdf
MYSQL Presentation for SQL database connectivity
Per capita expenditure prediction using model stacking based on satellite ima...
Teaching material agriculture food technology
Accuracy of neural networks in brain wave diagnosis of schizophrenia
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
cuic standard and advanced reporting.pdf
Spectral efficient network and resource selection model in 5G networks
Advanced methodologies resolving dimensionality complications for autism neur...
Programs and apps: productivity, graphics, security and other tools
Network Security Unit 5.pdf for BCA BBA.
Build a system with the filesystem maintained by OSTree @ COSCUP 2025

Your data is your business: Secure it or Lose it!

  • 1. Your data is your business... Secure it or lose it! A Lunch & Learn webinar for IT Management Brought to you by Performance Tuning Corporation www.perftuning.com
  • 2. Panelists Mark Swanholm Chief Strategy Officer Performance Tuning Corporation https://www.linkedin.com/in/mswanholm Dan Morgan Oracle ACE Director Performance Tuning Corporation https://www.linkedin.com/pub/dan-morgan/0/aa9/a5
  • 3. Agenda  Introduction  Getting It Wrong  Selling FUD (fear, uncertainty, and doubt)  Solution Roadmap  Q&A  Conclusion photo by Scott Schiller
  • 4. • Founded in 1997 – Team spun out of Compaq Performance Lab – Focused on solving the tough/complex and messy data architecture problems – Very Senior team of EXPERTS • Over 1000 clients & counting • Key industries: Financial Services, Telecom, Oil & Gas, Healthcare • Oracle Platinum Partner: Oracle Ace Director and Oracle Ace on staff About PTC Select Clients • Database & Engineered Sys. • Storage, Server and Network • Consulting, Managed Services & Training Focus on: High Performance Architectures
  • 5. Introduction: Daniel Morgan • Oracle ACE Director • Wrote Oracle curriculum and primary program instructor at University of Washington • Oracle consultant to Harvard University • The Morgan behind Morgan's Library on the web www.morganslibrary.org • 10g, 11g, and 12c Beta tester • Member: New York Oracle Users Group • Retired chair Washington Software Assoc. Database SIG • Co-Founder International GoldenGate Users Group • Never an employee of Oracle Corp.
  • 10. What's The Worst That Can Happen? Source: http://www.reuters.com/article/2009/08/17/us-crime-identity-idUSTRE57G4GC20090817
  • 11. What's The Worst That Can Happen?
  • 12. What's The Worst That Can Happen? Source: http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
  • 13. What's The Worst That Can Happen? Source: http://krebsonsecurity.com/2014/12/banks-card-breach-at-some-chick-fil-as/
  • 14. What's The Worst That Can Happen? Source: http://arstechnica.com/security/2014/07/wsj-website-hacked-data-offered-for-sale-for-1-bitcoin/
  • 15. What's The Worst That Can Happen? The movie was a side show: Source: http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-list-of-stolen-corporate-files/
  • 16. Why Is This Happening? IT staff is untrained in security beyond the a superficial level They do not appreciate the real threat level They do not have job-specific security training They do not have sufficient time in their work-day to take on additional tasks
  • 17. Misdirection and False Positives Source: https://www.damballa.com/ponemon-institute-survey-the-cost-of-malware-containment/
  • 18. Where Is Your Squeaky Wheel? Have you validated last night's backup? Reports are too slow We need to have the new system online by next week Has that bug been patched yet? We need the new data warehouse online by Wednesday next week No one can log into the HR system Why does that system keep going down? We are moving the QA systems to new hardware Development needs another database refresh There is a gap in our security threat but so far no one has exploited it Any warnings in the alert log?
  • 20. Sarbanes Oxley Act (SOX, SarbOx) • Passed by Congress on January 23rd, 2002 and signed by President Bush on July 30th, 2002
  • 21. HIPAA Requirements • Gives patients access to their information and ability to request change • Must restrict access to a patients information to others • Must restrict disclosure of protected information to minimum required for healthcare treatments & transitions • Establish controls for access to records by researchers • Assign a privacy officer that will administer the privacy policy programs and enforce compliance • Maintain confidentiality, integrity and availability of healthcare information
  • 22. Storage of Broker-Dealer Records • Electronic records must be preserved exclusively in a non-rewriteable and non-erasable format • Broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period
  • 23. FACTA Requirements • Fair Credit Reporting Act • Required as of June 1, 2005 • Requirements for consumer reporting agencies and users of consumer report • Who must comply • Mortgage brokers • Automobile dealers • Attorneys and private investigators • Debt collectors • Lenders • Insurers • Employers • Landlords • Government agencies
  • 24. Gramm-Leach-Bliley Requirements (GLB) • The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule. • The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports
  • 25. PCI Requirements • Payment Card Industry Data Security Standard • Required by September 2007 if your organization accepts credit cards • The TJX Companies breach – The TJX Companies Inc. breach is the largest known data theft to date. Hackers invaded the TJX systems resulting in at least 45.7 million credit and debit card numbers stolen over an 18-month period. As well as the stolen personal data, including driver's license numbers of another 455,000 customers who returned merchandise without receipts
  • 26. PIPEDA Requirements • [Canada] A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures
  • 27. Basel II Requirements • [EU] To be in compliance with Basel II, a banking institution must deliver appropriate reporting of operational risk exposures and loss data to its board of directors and senior management. These reports must: – Address both company-wide and line of business results – Summarize operational risk exposure, loss experience, relevant business environment and internal control assessments – Identify and assess the operational risk inherent in all material products, activities, processes and systems
  • 28. Expanding Regulatory Requirements AMERICAS • HIPAA • FDA CFR 21 Part 11 • OMB Circular A-123 • SEC and DoD Records Retention • USA PATRIOT Act • Gramm-Leach-Bliley Act • Federal Sentencing Guidelines • Foreign Corrupt Practices Act • Market Instruments 52 (Canada) EMEA • EU Privacy Directives • UK Companies Law • Restriction of Hazardous Substances (ROHS/WEE) APAC • J-SOX (Japan) • CLERP 9: Audit Reform and Corporate Disclosure Act (Australia) • Stock Exchange of Thailand Code on Corporate Governance GLOBAL • International Accounting Standards • Basel II (Global Banking) • OECD Guidelines on Corporate Governance
  • 29. The US Is An Unsafe Harbor Brussels, 17 August 2007 ARTICLE 29 DATA PROTECTION WORKING PARTY Following the conclusion of the new long-term PNR agreement between the EU and the US, the Art. 29 Data Protection Working Party has issued today an opinion analyzing the privacy impact of the transfer of passenger data to the US on fundamental rights and freedoms and in particular the passengers’ rights to data protection. The opinion concludes that the safeguards of the new agreement are markedly lower than those of the previous deal and serious questions and shortcomings remain unaddressed. The level of data protection of the new agreement must be considered unsatisfactory Accepted data protection standards such as those enshrined in Convention 108 of the Council of Europe or the EU Data Protection Directive are not fully respected
  • 30. What They Have In Common • Establish information security programs to assess and control risks • Protect against any anticipated threats or hazards to the security or integrity of records • Protect against unauthorized access or use that could result in harm or inconvenience to any customer • Install access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals as well as prevent employees from providing • Document disposal procedures
  • 31. The Cost A study conducted by Ponemon Institute estimates an average cost of $14 million per security breach incident, with costs ranging as high as $50 million
  • 33. Goals Don’t Always Align What Management Wants •Know who did what and when •Know who accessed what data both generally and under specified conditions •Protect the audit trail from tampering and be able to prove it is authentic •Adequately guard against security threats without choking the business What Auditors Wants •Separation of duties •Reporting •Notification •Proven audit data integrity What IT Wants •Performance and scalability •Minimal constraints while getting the job done •Evenings and weekends off
  • 34. Process? A Good First Step
  • Most regulatory frameworks require a detailed, documented process or “controls”
  – Most companies have these processes in place, but have not done a comprehensive review of how they impact the overall security of the company
  – Gaps between processes are the perfect spot for hackers, corporate espionage and other threats to grow
  • An overall security audit needs to be conducted
  – This needs to be revisited at least annually
  • Once an audit is complete, processes should be reviewed and updated
  – Consider using a governance framework as a starting point
  – Process change is often the hardest and longest change a company can undertake
  • 35. Governance, Risk, and Compliance (GRC)
  Governance
  • Set and evaluate performance against objectives
  • Authorize business strategy & model to achieve objectives
  Risk Management
  • Identify, assess, and address potential obstacles to achieving objectives
  • Identify / address violation of mandated and voluntary boundaries
  Culture
  • Establish organizational climate and mindset that promote trust, integrity, & accountability
  Compliance
  • Encourage / require compliance with established policies and boundaries
  • Detect non-compliance and respond accordingly
  • 36. COSO Cube & Compliance Model
  Monitoring
  • Continuous Exception Detection & Monitoring
  • Periodic Reports and Attestations
  Event Identification
  • Exception thresholds
  Risk Assessment
  • Model risk assessment around resources with sensitive data – financial, ePHI, NPI
  • Electronic Transactions
  • Application, Application Server, DB, OS
  • Predictive Risk Analysis
  Information & Communication
  • Approval Workflows
  • Attestation Workflows
  • Exception Notifications
  • Delegated Administration
  • Automated Provisioning
  • Password Reset
  Risk Response
  • Corrective Workflows
  Control Activities
  • Entitlement Policies: RBAC, ABAC, SoD
  • Strong Authentication
  • Exception Detection & Remediation
  • Employee termination
  • Policy Retrofits & Revocations
  • 37. What’s Most Important: Getting to Secure
  • Process change will take time
  • Threats won’t wait for you to get your entire company aligned
  • Some (obvious) things can be done immediately
  – You’d be surprised how often they aren’t
  photo by Scott Schiller
  • 38. Getting to Secure: Step 1 – Identify Value
  • What do we have that is of value?
  • Prioritize the valuables ... determine what needs to be secured first from the standpoint of risk to your organization and customers
  • Identify the vectors ... what threats exist in the wild that could put our valuables at risk?
  photo by Scott Schiller
  • 39. Getting to Secure: Step 2 – Evaluate Risks
  • Determine what risks have been mitigated ... through an outside, independent audit
  • Determine what risks need to be addressed
  • Obtain both internal and external assessments of how to most cost-effectively mitigate remaining threats
  photo by Scott Schiller
  • 40. Getting to Secure: Step 3 – Acquire Resources
  • Locate resources to address the priority risks
  • Based on a careful balancing of risks and costs, build a plan and get the budget approved
  • Put actions into your 2015 plan
  photo by Scott Schiller
  • 41. Getting to Secure
  Are You As Secure As You Think?
  • 42. Firewall Rules: Application Access
  HTTP & HTTPS allowed from outside “specific networks” to XXX 192.168.1.247
  (address-book entries on the slide: HSC_PUBLIC = 157.142.0.0/16, HSC_PRIVATE_SPACE = 10.64.0.0/10)
  set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC
  set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE
  set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
  set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
  • 43. Firewall Rules: Database Access
  ICMP allowed from outside to Business-Data zone
  set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
  set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
  set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
  set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
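The two slides above contrast a policy that restricts sources by address-book name with one that lets any outside host ping the database zone. The following added example (not part of the presentation or of any PTC tool) is a small Python audit that parses Junos "set security policies" lines and flags permit rules from an untrusted zone that reach a data zone or match source-address any; it assumes the policy names are UN-BA-443 and BD-Ping (the slide wraps them) and omits the address-book CIDR annotations.

```python
import re

# Constructed sample: the two slides' policies re-typed as Junos "set" lines
# (policy names assumed to be UN-BA-443 and BD-Ping; CIDR annotations dropped).
SAMPLE_CONFIG = """
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$"
)

def parse_policies(config):
    """Group 'set security policies ...' lines into one record per policy."""
    policies = {}
    for line in config.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a policy statement; ignore
        from_zone, to_zone, name, field, value, action = m.groups()
        p = policies.setdefault((from_zone, to_zone, name), {
            "from": from_zone, "to": to_zone, "name": name, "action": None,
            "source-address": set(), "destination-address": set(), "application": set()})
        if field:
            p[field].add(value)   # a "match" term: accumulate the matched values
        else:
            p["action"] = action  # a "then" term: permit / deny / reject
    return list(policies.values())

def audit(policies, untrusted_zones=("UNTRUST",), data_zones=("Business-Data",)):
    """Return (policy name, reason) pairs for permit rules that weaken the data zone."""
    findings = []
    for p in policies:
        if p["action"] != "permit" or p["from"] not in untrusted_zones:
            continue
        if p["to"] in data_zones:
            findings.append((p["name"], "untrusted zone permitted directly into data zone"))
        if "any" in p["source-address"]:
            findings.append((p["name"], "source-address any: no source restriction"))
        if "junos-ping" in p["application"] and p["to"] in data_zones:
            findings.append((p["name"], "ICMP from untrusted zone exposes database hosts"))
    return findings
```

Run against the sample, only BD-Ping is reported; the application rule passes because its sources are named address-book entries and its target is the application zone, not the data zone.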
  • 44. Getting to Secure
  Low Hanging Fruit
  • 45. What Objects Must Be Secured?
  • Segment data
  – Tables and indexes containing sensitive data
  • which tables ... which columns ... what do they contain?
  – Views that expose sensitive data
  • Backup Files
  • Redo logs
  • Archived redo logs
  • Operating system files
  • Development, Test, and Staging Systems
  • 46. What Infrastructure Must Be Secured?
  • Primary Databases
  • Standby Databases at DR Sites
  • Web and Application Servers
  • Storage Arrays
  • Network Communications
  • Data Centers
  • Backup Tape Storage
  • 48. Conclusions
  • Internal and external threats are multiplying – and getting more sophisticated
  • Ignoring security can be extremely costly – it can cost your job or even put your company out of business
  • Security happens within an array of regulations and guidelines – that complicate how you approach the task
  • You need governance for the long term – but you shouldn’t wait for that process to be complete, the stakes are too high!
  • Most companies don’t understand security – and even those that do need a second opinion to make sure they haven’t missed something.
  …Get HELP!
  • 50. Thank you!
  EXPERTS
  Expert Data Services team with deep performance tuning and Oracle technology backgrounds.
  More info: www.perftuning.com
  info@perftuning.com
  @perftuning