WHAT IS SENSITIVE DATA?
What’s the Risk and What Do We Do About It?
Weston Nelson
Steve Fineberg
Steven Gin
MOSS ADAMS LLP | 1
Disclosure Statement
The material appearing in this presentation is for
informational purposes only and is not legal or accounting
advice. Communication of this information is not intended to
create, and receipt does not constitute, a legal relationship,
including, but not limited to, an accountant-client
relationship. Although these materials may have been
prepared by professionals, they should not be used as a
substitute for professional services. If legal, accounting, or
other professional advice is required, the services of a
professional should be sought.
Moss Adams LLP
o Moss Adams is one of the 15 largest accounting and
consulting firms in the U.S.
o 21 locations; 1,800 personnel
o Industry-focused service groups
o IT consulting specialists
Agenda
o What is sensitive data? Why do we care?
o Define the states of data in the data lifecycle
o How is your data at risk?
o Discuss what your organization is doing
o Review possible controls to protect your
sensitive data
o Questions and Answers
What is Sensitive Data?
o What is important to your organization?
o Who owns or is responsible for sensitive data?
o Where does your sensitive data reside?
o Are there multiple versions of your sensitive data?
o Where does your data go and how is it protected?
What is Sensitive Data? (cont.)
o What is important to your organization?
o Student records
o Employee records
o Payment transactions
o Grades and examinations
o Faculty research
o Grant and donor data
o Other data?
What is Sensitive Data? (cont.)
o How are these data classified?
o Student records (PII, ePHI)
o Employee records (PII, ePHI)
o Payment transactions (PCI)
o Grades and examinations (operational data)
o Faculty research (intellectual property)
o Grant and donor data (competitive information)
o Other data?
What is Sensitive Data? (cont.)
o Who owns or is responsible for sensitive data?
o Administration
o Enrollment
o Test centers
o Research personnel
o Grants and funding departments
o Medical staff
o Professors
What is Sensitive Data? (cont.)
o Where does your sensitive data reside?
o Internal
o Campus Network
o Local workstations
o External
o Cloud
o Hosted co-location
o ??? (Do you really know?)
o Mobile devices
What is Sensitive Data? (cont.)
o Are there multiple versions of your data?
o Network file shares
o Workstations, laptops
o Third-party vendors
o Removable media
o E-mail
o Cloud
o Mobile devices
o Hard copies
What is Sensitive Data? (cont.)
o Where does your data go and how is it protected?
o Where is your data?
o Data Marts
o File shares/servers
o How is it transmitted?
o Encrypted
o Trusted Recipient
What is Sensitive Data? (cont.)
o Where does your data go and how is it protected?
o Who can access it?
o Appropriate Access
o Authorized User
The Data Lifecycle
o From a data loss perspective, the industry has
adopted three standard terms to describe the states
of data in the data lifecycle:
o Data at rest
o Data in motion
o Data in use
The Data Lifecycle (cont.)
o Data at rest
o Data that is in storage and accessible by your
organization. These data may be in disparate locations
and stored on various types of media.
o Examples include:
o Spreadsheets, databases, application configuration files
The Data Lifecycle (cont.)
o Data in motion
o Data that is in transit, flowing across internal networks
and to the outside world
o Includes data on wired and wireless networks
o Examples
o File being opened from a network drive on a workstation, network packet data
The Data Lifecycle (cont.)
o Data in use
o Data that is being accessed or used by a system at
a point in time
o Examples
o Data in temporary memory on a local machine
o File being copied to a USB drive
o Data being copied and pasted from one file to another
How Is Your Data At Risk?
o Risks related to data states
o Inappropriate access, theft (data at rest)
o Interception (data in motion)
o Misuse, abuse of access (data in use)
o Risks related to data location
o Unintentional transmission (mobile devices)
Establishing an Understanding of the Data
o Education and communication as to what is critical to
the organization
o Protocols or procedures for data usage
o What is internal use only?
o What is public?
o What is restricted or used only by a few groups or individuals?
o Security protocols around data classes
What is your organization doing?
o Policies and procedures
o IT general controls
o Third-party vendor controls
o Education of users
Sensitive Data Controls
o To adequately protect against data loss, you should
consider both systematic and manual controls, to be
applied at each data state
o Data state-specific controls
o Data at rest
o Data in motion
o Data in use
o Supporting controls
Sensitive Data Controls (cont.)
o Data at rest
o Encryption
o Physical security
o Physical media security and destruction
o Mobile device protection
o Endpoint security
o Continuous discovery
Sensitive Data Controls (cont.)
o Data in motion
o Perimeter security
o Network monitoring
o Internet access controls
o Messaging
o Remote access controls
o Data collection and exchange
Sensitive Data Controls (cont.)
o Data in use
o Access controls and monitoring
o Privileged user monitoring
o Export/save controls
o Use of test data
o Change and version controls
o Data anonymization
Sensitive Data Controls (cont.)
o Supporting Controls
o Disaster recovery plan / business continuity plan
o Training and awareness
o Third-party management
o Change management / SDLC
o Identity / access management
Sensitive Data Controls (cont.)
o Supporting Controls
o Security information / event monitoring
o Physical security
o Employee screening
o Regulatory compliance management
Other Control Considerations
o Tailor controls to each specific set of data
o Data location
o Breadth of access
o Frequency of use or access
o Organizational risk
What else can be done by Internal Audit?
o Annual risk assessments
o A major overhaul of your risk assessment process isn’t required
o Consider asking the following questions for each area of the audit universe:
o What is the associated data?
o Is it sensitive data?
o How frequently is sensitive data created for this area?
o Where does it reside? (data at rest)
o Who can access it? (data in use)
o What is its vulnerability to theft, abuse, and misuse? (data in motion)
What else can be done by Internal Audit?
o Full Organizational Involvement
o Administration
o Enrollment
o Test centers
o Research personnel
o Grants and funding departments
o Medical staff
o Professors
Key Points
o Sensitive data exists throughout and externally to your
organization
o Different states of data have different risks and controls
o Specific controls can be implemented to address the
varying states of data
o Everyone in your organization has a responsibility for
protecting sensitive data
o By asking the right questions, your organization can
ensure that sensitive data is identified and properly
controlled
Questions and Answers
Thank You For Attending!
Weston Nelson
Director, Business Risk Management
Office: (503) 478-2144
Steve Fineberg
Manager, Business Risk Management
Office: (916) 503-8175
Steven Gin
Manager, Business Risk Management
Office: (310) 295-3780