Sensitive Data
advertisement
WHAT IS SENSITIVE DATA? What’s the Risk and What Do We Do About It? Weston Nelson Steve Fineberg Steven Gin MOSS ADAMS LLP | 1 Disclosure Statement The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought. MOSS ADAMS LLP | 2 Moss Adams LLP o Moss Adams is one of the 15 largest accounting and consulting firms in the U.S. o 21 locations; 1,800 personnel o Industry-focused service groups o IT consulting specialists 3 MOSS ADAMS LLP | 3 Agenda o What is sensitive data? Why do we care? o Define the states of data in the data lifecycle o How is your data at risk? o Discuss what your organization is doing o Review possible controls to protect your sensitive data o Questions and Answers MOSS ADAMS LLP | 4 What is Sensitive Data? o What is important to your organization? o Who owns or is responsible for sensitive data? o Where does your sensitive data reside? o Are there multiple versions of your sensitive data? o Where does your date go and how is it protected? MOSS ADAMS LLP | 5 What is Sensitive Data? (cont.) o What is important to your organization? o Student records o Employee records o Payment transactions o Grades and examinations o Faculty research o Grant and donor data o Other data? MOSS ADAMS LLP | 6 What is Sensitive Data? (cont.) o How are these data classified? o Student records (PII, ePHI) o Employee records (PII, ePHI) o Payment transactions (PCI) o Grades and examinations (operational data) o Faculty research (intellectual property) o Grant and donor data (competitive information) o Other data? MOSS ADAMS LLP | 7 What is Sensitive Data? (cont.) o Who owns or is responsible for sensitive data? o Administration o Enrollment o Test centers o Research personnel o Grants and funding departments o Medical staff o Professors MOSS ADAMS LLP | 8 What is Sensitive Data? (cont.) o Where does your sensitive data reside? o o Internal o Campus Network o Local workstations External o o Cloud o o Hosted co-location ??? (Do you really know?) Mobile devices MOSS ADAMS LLP | 9 What is Sensitive Data? (cont.) o Are there multiple versions of your data? o Network file shares o Workstations, laptops o Third-party vendors o Removable media o E-mail o Cloud o Mobile devices o Hard copies MOSS ADAMS LLP | 10 What is Sensitive Data? (cont.) o Where does your data go and how is it protected? o Where is your data? o Data Marts o File shares/servers o How is it transmitted? o Encrypted o Trusted Recipient MOSS ADAMS LLP | 11 What is Sensitive Data? (cont.) o Where does your data go and how is it protected? o Who can access it? o Appropriate Access o Authorized User MOSS ADAMS LLP | 12 The Data Lifecycle o From a data loss perspective, the industry has adopted three standard terms to describe the states of data in the data lifecycle: o Data at rest o Data in motion o Data in use MOSS ADAMS LLP | 13 The Data Lifecycle (cont.) o Data at rest o Data that is in storage and accessible by your organization. These data may be in disparate locations and stored on various types of media. o Examples include: o Spreadsheets, databases, application configuration files MOSS ADAMS LLP | 14 The Data Lifecycle (cont.) o Data in motion o Data that is in transit, flowing across internal networks and to the outside world o Includes data on wired and wireless networks o Examples o File being opened from a network drive on a workstation, network packet data MOSS ADAMS LLP | 15 The Data Lifecycle (cont.) o Data in use o Data that is being accessed or used by a system at a point in time o Examples o Data in temporary memory on a local machine o File being copied to a USB drive o Data being copied and pasted from one file to another MOSS ADAMS LLP | 16 How Is Your Data At Risk? o Risks related to data states o Inappropriate access, theft (data at rest) o Interception (data in motion) o Misuse, abuse of access (data in use) o Risks related to data location o Unintentional transmission (mobile devices) MOSS ADAMS LLP | 17 Establishing an Understanding of the Data o Education and communication as to what is critical to the organization o Protocols or procedures for data usage o What is internal use only? o What is public? o What is restricted or used only be a few groups or individuals? o Security protocols around data classes MOSS ADAMS LLP | 18 What is your organization doing? o Policies and procedures o IT general controls o Third-party vendor controls o Education of users MOSS ADAMS LLP | 19 Sensitive Data Controls o To adequately protect against data loss, you should consider both systematic and manual controls, to be applied at each data state o Data state-specific controls o Data at rest o Data in motion o Data in use o Supporting controls MOSS ADAMS LLP | 20 Sensitive Data Controls (cont.) o Data at rest o Encryption o Physical security o Physical media security and destruction o Mobile device protection o Endpoint security o Continuous discovery MOSS ADAMS LLP | 21 Sensitive Data Controls (cont.) o Data in motion o Perimeter security o Network monitoring o Internet access controls o Messaging o Remote access controls o Data collection and exchange MOSS ADAMS LLP | 22 Sensitive Data Controls (cont.) o Data in use o Access controls and monitoring o Privileged user monitoring o Export/save controls o Use of test data o Change and version controls o Data anonymization MOSS ADAMS LLP | 23 Sensitive Data Controls (cont.) o Supporting Controls o Disaster recovery plan / business continuity plan o Training and awareness o Third-party management o Change management / SDLC o Identity / access management MOSS ADAMS LLP | 24 Sensitive Data Controls (cont.) o Supporting Controls o Security information / event monitoring o Physical security o Employee screening o Regulatory compliance management MOSS ADAMS LLP | 25 Other Control Considerations o Tailor controls to each specific set of data o Data location o Breadth of access o Frequency of use or access o Organizational risk MOSS ADAMS LLP | 26 What else can be done by Internal Audit? o Annual risk assessments o o A major overhaul of your risk assessment process isn’t required Consider asking the following questions for each area of the audit universe: o What is the associated data? o Is it sensitive data? o How frequently is sensitive data created for this area? o Where does is reside? (data at rest) o Who can access it? (data in use) o What is its vulnerability to theft, abuse, and misuse? (data in motion) MOSS ADAMS LLP | 27 What else can be done by Internal Audit? o Full Organizational Involvement o Administration o Enrollment o Test centers o Research personnel o Grants and funding departments o Medical staff o Professors MOSS ADAMS LLP | 28 Key Points o Sensitive data exists throughout and externally to your organization o Different states of data have different risks and controls o Specific controls can be implemented to address the varying states of data o Everyone in your organization has a responsibility for protecting sensitive data o By asking the right questions, your organization can ensure that sensitive data is identified and properly controlled MOSS ADAMS LLP | 29 Questions and Answers MOSS ADAMS LLP | 30 Thank You For Attending! Weston Nelson Director, Business Risk Management Weston.Nelson@mossadams.com Office: (503) 478-2144 Steve Fineberg Manager, Business Risk Management Stephen.Fineberg@mossadams.com Office: (916) 503-8175 Steven Gin Manager, Business Risk Management Steven.Gin@mossadams.com Office: (310) 295-3780 MOSS ADAMS LLP | 31
