Booz Allen Hamilton Data-Centric Protection Services

Booz Allen Hamilton
Data-Centric Protection Services
Service Offering Overview
July, 2014
This document contains Booz Allen Hamilton Inc. proprietary and confidential business information – Intended Only for the Recipient
Overview
Booz Allen – Data Protection Solutions Overview

Agenda
• Data Protection Threats and Challenges
• Booz Allen Blueprints
• The Booz Allen Data-Centric Protection Blueprint
• Data-Centric Protection Program Solutions
• Qualifications
• Sample of the Blueprint
• Contacts

Questions this overview addresses
• Do you really understand your sensitive data and know how to define it?
• What type of data is most important to my business (e.g. PII, PHI, IP, and Trade Secrets)?
• Is there consensus across the enterprise on data priority and valuation?
• Are there clearly defined policies and rules for the handling, processing, and storage of data?
• Are authorized and restricted data stores identified for sensitive data (structured, unstructured, and “big” data)?
• Are there awareness and training programs to encourage best data practices?
• Do I have the necessary controls in place to protect and enforce data protection policies?
• Have I considered tools and techniques to protect sensitive information at the data level?
• How can I protect my data efficiently, while still extracting maximum business value?
• How do I effectively respond to a Data Incident?
• Do I have the capability to respond to a data incident in a coordinated fashion?
• Can I control data once it leaves my organization's perimeter?
• Where do I begin?
Table of Contents
 Data-Centric Threats and Challenges
 Booz Allen Blueprints
 Data-Centric Protection Program Solutions
 Qualifications
 Sample Blueprint
 Contacts
Simply Waiting Until Something Happens is Not an Option
The cost of a single successful cyber-security attack exploit is significant, and the cost of prevention is 1/10 the cost of an exploit.
• Advanced persistent threats have collected data for years before discovery**
• Data theft can go on for years unknown
• The cost of post-exploit remediation is 10X the cost of prevention
• The average cost of an exploit is over $5M USD
• Prevention is 10X more cost-effective than remediation
• Banks worldwide are victimized by cyber crime
• Trust and reputational damage can dwarf actual direct data loss costs
• Wide-spread loss of customer confidence can destroy significant market value overnight
* TJX data breach lasted for over five years resulting in an estimated $100M loss and fines
** Banks have seen as much as a 15% loss in market cap resulting from a widely publicized security breach
Source: The cost benefits of information security – Gartner; Booz Allen Hamilton Analysis
Data-Centric Protection Threats
As the complexity of cyber attacks continues to increase exponentially, the need for a robust data protection program has never been greater
Threat Actors: Insider Threats, Lone Wolves, Hacktivists, Organized Crime, Nation States
Motivations: Self-Promotion, For the Challenge, Competitive Advantage, Financial Gain, Revenge, Politics
Vulnerabilities: Infrastructure, Cloud, BYOD, Third Party Vendors, Supply Chain, Accidental Insiders
Intentions: IP and Data Theft, Reputational Damage, Financial Damage, Supply Chain Attack, Operational Disruption, Data Destruction
Attack Vectors: Social Engineering, Remote Access, Inside Access, Phishing, Wireless, Mobile
Capabilities: Malware, Trojans, Botnets, DDoS, Zero Day Exploits, Many Others
Booz Allen is a market leader in the emerging discipline of data-centric protection
Data-Centric Protection Challenges
Numerous challenges exist in order for companies to identify, protect and control their most sensitive information assets
Financial Impacts
• Average annual cost to US companies due to a single data leakage incident was $7.2M in 2009
• Data breaches lead to degradation of brand equity
Borderless Enterprises
• Data is less centralized than ever before due to dis-aggregated supply chains, outsourcing, and a mobile workforce
Consumerization of IT
• Users are increasingly defining the IT environment by bringing their productivity tools (USB sticks, flash drives, etc.) into work
Insider Threats
• ~50% of all data breach incidents are sparked by insiders
• 59% of insiders admit they would steal sensitive data if they leave or are asked to leave their current employer
Professional Infrastructure
• Over three quarters of organizations have had a laptop lost or stolen
• 56% report that it resulted in a data breach
• 58% of these laptop losses happened at work
Organized Crime
• Sophisticated organized criminal networks are shifting their focus from credit card data to corporate IP
Regulators
• Concern over data loss/theft spawned a myriad of regulations ranging from global and country, to industry-specific and local government
• Multiple regulations to be compliant with: SOX, HIPAA, HITECH and PCI
Booz Allen Blueprints
Our customized blueprints provide a core data-centric protection framework of proven practices that add fidelity to your capability while reducing development time and expense
CyberM3 Maturity Model
From our deep Federal Government and Commercial experience, we have developed a proprietary maturity model that has been adopted by 6 of the top 10 banks
Data-Centric Protection Capability Blueprint
Detailed solution blueprints enable us to conduct robust diagnostics and jump-start the design of your program
Customized Blueprint Solutions
Our customized blueprints will provide you with the appropriate breadth and depth to fit your operational needs, commercial requirements and the realities of your business environment
Data Centric Protection Solution Blueprint
Booz Allen can jump-start the design of your DCP program and DLP capability via our Solution Blueprint
1. People, Process, & Technology Maps
• Defines roles required to support a successful program
• Outlines specific process requirements and flows
• Highlights data protection technology to enable the required capabilities (e.g. encryption and tokenization)
2. Process Descriptions & RACI Charts
• Summarizes descriptions of each process step
• Provides data protection organizational definitions
• Aligns specific data protection process steps to roles and responsibilities
3. Capability Requirements
• Breaks down the distinct technology and people skill requirements to have a successful program
• Technical requirements align against a holistic system view
• Skill requirements align against a human capital framework
4. Capability / Vendor Solutions Matrix
• Map of data protection capability requirements against industry leading services, products, and techniques
• Specific guidance for addressing key challenge areas to jump-start the implementation project
• Helps identify redundant technology and gaps
Implementation Action Plan: Near, mid, and long-term implementation milestones
Booz Allen Blueprints
Building your program against a high quality blueprint offers significant advantages over an ad-hoc approach
Blueprint Advantages
• Holistic view of the problem and solution allowing leadership and staff to easily visualize and consider options
• Defined target / goal state to reduce investments and overall spend
• Smarter hiring against exactly the right skill requirements for your specific program
• Intelligent and planned use of your existing technology sets, with a clear understanding of gaps and the need for technology investments
• Clearly defined program processes to guide your policy portfolio, specific playbooks, and other key program documentation
• You would not build a house or a bridge without a blueprint, so why build an important aspect of your security program without one?
Data-Centric Protection Program Solutions
Our team can provide a custom program blueprint, develop a specific program service, or solve technical challenges
Custom Program Blueprint
• Customized blueprint for your organization
• Identifies and articulates all process requirements, people roles/skills, organization, structure and technical solutions
• Ideal starting point for emerging programs
Program Service Development
• Policy development
• Data loss risk assessments
• Data classification and definition
• Staff augmentation
Technical Implementation
• Data Loss Prevention (DLP) implementation and operation
• Tokenization and encryption implementation
• Data tagging implementation
• Focused tool analysis and design optimization
Custom Program Blueprint Solutions
Booz Allen offers custom data protection blueprint levels to meet your organization’s needs
Custom Data Protection Program Blueprint

Custom Blueprint (Level 1)
Description: A framework of proven practices customized to the needs of your organization
Outcome: Add fidelity to your capability development while reducing development time and expense
Deliverables: Custom DCP Program Blueprint; Prioritized Roadmap
People:
• Job/Role descriptions
• RACI Charts (Responsible, Accountable, Consulted, Informed)
Process:
• Process maps
• Process step descriptions
Technology:
• Technology requirements (high-level descriptions)
• Service comparison matrix
Cost Estimate: $150K

Capability Enhancement
Description: Development of additional components key to a strong DCP capability
Outcome: Enhancement and implementation of core DCP capabilities and overall data protection program improvement
Deliverables: Level 1 + additional components as defined and prioritized by the Implementation Strategy
People:
• Job profiles (roles, tasks & expertise)
• Hiring plans
• Training plans (core curriculum)
• Competency models
• Career roadmaps
• Training plans (advanced curriculum)
• Performance criteria
• Salary analysis
Process:
• Organizational charts
• Stakeholder requirements plan
• Key metric descriptions
• Governance review
• Strategic communication plans
• Performance metrics and management plans
Technology:
• Hardware & software specifications
• Sourcing analysis (with price estimates)
• Detailed architecture review
• DLP analysis
• Technology deployment planning and implementation
Cost Estimate: Highly Variable
Custom Program Blueprint Solutions
Booz Allen maintains a strategic relationship to deliver Voltage's Secure Stateless Tokenization (SST) technology solution to clients
No software pre-requisites. Voltage SST works with virtually all languages and platforms
Voltage SST technology is a secure, high-performance solution*
(1) Meets carrier-grade and payment-processor grade high availability requirements
(2) Provides 100% data consistency
(3) Will scale linearly -- can generate hundreds of millions of tokens to represent card numbers for internal use or to provide tokenization service to merchants
Key Features / Benefits*
• No Pre-requisites -- works with all platforms and languages; easily integrates with existing IT environments
• Data Integrity -- Added servers never introduce data integrity issues or a need for synchronization
• Rapid Key Rollover -- single, efficient, high-speed process that takes just minutes to execute, even during live operations
• Rich Formatting Options -- format of tokens can be configured to preserve functionality in applications that previously used actual card numbers
• Data Mapping -- 1:1 mapping of token to protected number. The same number always returns the same token
• Front-door PCI Scope Reduction -- Voltage SecureData Web takes ecommerce web servers up to 100% out of scope
*Adapted from Voltage Security - Data Sheet: Voltage Secure Stateless Tokenization (SST) Technology
Voltage Security®, Inc. is a leading data protection provider, delivering secure, scalable, and proven data-centric encryption and key management solutions, enabling clients to effectively combat new and emerging security threats
Custom Program Blueprint Solutions
Secure stateless tokenization provides greater security, enhanced performance, and a decrease in systems subject to compliance
Booz Allen’s recommended approach provides significant benefits
Enhanced encryption
• Format preserving encryption
• Secure stateless tokenization
• Data masking; lookup tables cannot be related back to sensitive data
Stateless key management
• Eliminates the token database
• Eliminates the cost of external database hardware and software acquisition
• No database growth over time, which is often a cause of performance degradation
Compliance benefits
• Primary account number (PAN) input → token: the token has no relationship to the PAN
• Removes storage of cardholder or other sensitive data
• Reduced number of applications / systems in-scope for compliance
(1) Dramatically reduced compliance scope, cost, and complexity
(2) Increased protection of sensitive data and reduced risks of breach
(3) Support the business with high performance, carrier-grade and payment-processor grade high availability, data consistency, and linear scalability
Custom Program Blueprint Solutions
Security concerns and high costs with first generation encryption and tokenization can be negated with a secure stateless solution
Traditional approach to data protection: conventional, first-generation encryption, tokenization, and masking
Limited traditional technology / approach
• Token database central to tokenization solutions
• Costly to maintain
• Mapped to the underlying card data
• Storage of cardholder and sensitive data
• Highly complex development; cumbersome IT administration
• Use of high-risk production data in test / outsourced environments often occurs
New approach to data protection: secure stateless tokenization -- combines data encryption and masking technology
Highly beneficial new technology
• Protects sensitive data upon acquisition; data is used, transferred, and stored in protected form
• Improved speed, scalability, security, and manageability of the tokenization process
• Reduced compliance scope, cut costs and complexity, and maintains business processes with advanced security
• Dramatically reduced PCI DSS compliance scope and audit costs
Custom Program Blueprint Solutions
Implementing Voltage SST requires more than a typical system install for maximum effectiveness and value across the enterprise
Typical implementation approach
1. Identify the high-priority data elements to protect
2. Inventory applications that rely upon this data
3. Install Voltage and link to the enterprise identity management system (e.g., Active Directory)
4. Verify that applications can function unchanged, using encrypted data
5. Integrate Voltage with identified applications that need access to either fully or partially decrypted masked data
Booz Allen’s added value proposition
Enterprise-wide view
• Holistic enterprise-wide approach to data protection
Industry best practices
• Best practices gained from multiple data protection projects
Integrated approach
• Seamless implementation and coordination across databases
End-to-end support
• Support from design through deployment and ongoing support
Several proven, scalable Tokenization solutions exist and have been widely adopted in the market today. Most solutions offer flexibility for environment customization.
Key Tokenization Solution Statistics
• Tokenization software in its current state was unveiled in 2005; many vendors are on their third or fourth solution generations today
• The PCI SSC fully endorses Tokenization as a way to protect card data if done properly
• Deployment models are flexible to accommodate preference for on- and off-premise implementations
• An estimated 20% of all merchants are deploying Tokenization, with a higher percentage among eCommerce merchants
Sample Companies utilizing Tokenization Technology*
(company logos; not recoverable from the extracted text)
Flexible Token Format Examples
Payment Card Number | Token | Usage Comments
6011 0009 9013 9424 | 6011 9837 6653 9424 | Numeric tokenization of Discover card with same string length, retaining the first and last 4 digits of the payment card number
3782 8224631 0005 | 2akerCenwWSKmnebde | Alphanumeric tokenization of Amex card with different string length
4012 8888 8888 1881 | 8723 88237408323432 | Numeric tokenization of VISA card with different string length
* Based on publicly available information
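Added illustration (not code from the deck, from Booz Allen or from Voltage): a toy keyed, reversible, format-preserving tokenizer beside a vault-based one, reproducing the format options in the table above (retained first/last four digits, alphanumeric output, changed length) and the "same number always returns the same token" property from the SST feature list, while the vault variant shows the token database that the stateless design removes. The construction is my own teaching simplification, not the SST algorithm and not a vetted format-preserving cipher such as NIST FF1; the PANs are the deck's sample numbers and the key is constructed.

```python
import hashlib
import hmac
import secrets
import string


def _permutation(key: bytes, alphabet: str, position: int) -> str:
    """Secret permutation of `alphabet` for one token position.

    Derived on demand from the key (HMAC-SHA256 as the PRF behind a
    Fisher-Yates shuffle), so no table is stored or synchronised between
    servers: the 'stateless' property the deck attributes to SST, in toy form.
    """
    chars = list(alphabet)
    for i in range(len(chars) - 1, 0, -1):
        msg = b"perm" + position.to_bytes(2, "big") + i.to_bytes(2, "big")
        j = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big") % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


class StatelessTokenizer:
    """Keyed, reversible, format-preserving tokenizer with no token database.

    Format options mirror the table on the slide: output alphabet, digits kept
    in the clear at the head and tail (e.g. first/last four of a card number),
    and extra characters appended to change the length.
    """

    def __init__(self, key: bytes, alphabet: str = string.digits,
                 keep_head: int = 0, keep_tail: int = 0, extra: int = 0):
        self.key, self.alphabet = key, alphabet
        self.keep_head, self.keep_tail, self.extra = keep_head, keep_tail, extra

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit():
            raise ValueError("PAN must be numeric")
        end = len(digits) - self.keep_tail
        head, body, tail = digits[:self.keep_head], digits[self.keep_head:end], digits[end:]
        n, out, prev = len(self.alphabet), [], 0
        for pos, ch in enumerate(body):
            # chain on the previous token symbol so equal input digits in
            # neighbouring positions do not produce equal token symbols
            sym = _permutation(self.key, self.alphabet, pos)[(int(ch) + prev) % n]
            prev = self.alphabet.index(sym)
            out.append(sym)
        # optional length change: keyed filler, deterministic per PAN and
        # discarded again on detokenization
        filler = hmac.new(self.key, b"fill" + body.encode(), hashlib.sha256).digest()
        out += [self.alphabet[b % n] for b in filler[:self.extra]]
        return head + "".join(out) + tail

    def detokenize(self, token: str) -> str:
        n = len(self.alphabet)
        body_len = len(token) - self.keep_head - self.keep_tail - self.extra
        enc = token[self.keep_head:self.keep_head + body_len]
        digits, prev = [], 0
        for pos, sym in enumerate(enc):
            d = (_permutation(self.key, self.alphabet, pos).index(sym) - prev) % n
            prev = self.alphabet.index(sym)
            digits.append(str(d))
        return token[:self.keep_head] + "".join(digits) + token[len(token) - self.keep_tail:]


class VaultTokenizer:
    """The 'traditional' design the deck contrasts with: random tokens kept in
    a token database that must be stored, secured and synchronised, and that
    grows by one row for every new PAN (collision handling omitted)."""

    def __init__(self):
        self.vault = {}  # token -> PAN: the database that puts itself in scope

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        for tok, stored in self.vault.items():
            if stored == digits:
                return tok
        tok = "".join(secrets.choice(string.digits) for _ in digits)
        self.vault[tok] = digits
        return tok

    def detokenize(self, token: str) -> str:
        return self.vault[token]  # impossible without the database


def round_trip(key: bytes, pan: str, **fmt):
    """Tokenize `pan` under format options `fmt`; return (token, recovered PAN)."""
    t = StatelessTokenizer(key, **fmt)
    tok = t.tokenize(pan)
    return tok, t.detokenize(tok)


def vault_growth(pans) -> int:
    """Rows a vault holds after tokenizing `pans` (repeated PANs add no rows)."""
    v = VaultTokenizer()
    for p in pans:
        v.detokenize(v.tokenize(p))
    return len(v.vault)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-deployment secret
    alnum = string.ascii_letters + string.digits
    # Discover row: numeric, same length, first and last four retained
    print(round_trip(key, "6011 0009 9013 9424", keep_head=4, keep_tail=4))
    # Amex row: alphanumeric and longer than the 15-digit input
    print(round_trip(key, "3782 8224631 0005", alphabet=alnum, extra=3))
    # VISA row: numeric, different length
    print(round_trip(key, "4012 8888 8888 1881", extra=2))
    print("vault rows:", vault_growth(["4012 8888 8888 1881", "4012 8888 8888 1881", "6011 0009 9013 9424"]))
```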
DCP – Program Service Development
As a supplement to our custom blueprint solutions, we also assist clients in program services they wish to develop or enhance
• Policy Development – Our policy experts can craft policies, standards and guidelines specific to your organization and its challenges
• Data Loss Risk Assessments – A detailed, technical assessment of the risks surrounding your most sensitive data that includes scanning and network monitoring to understand how your data is being used and if policy violations are occurring
• Incident Response – Rapid deployment of a team to eradicate malicious presence, restore business operations and capture lessons learned
• Staff Augmentation – Add resource capabilities to your existing services
DCP – Technical Implementation
In addition, well-qualified Booz Allen resources can help implement technical solutions in your DCP environment
• Booz Allen Automated Tagging Technology (BAATT) – Our internally-developed, automated solution for Intelligence Community clients ensures that data is tagged with appropriate classification levels and applies defined security protections (e.g. encryption) where required
• Data Loss Prevention (DLP) Implementation – Many companies struggle to make DLP solutions a useful and practical part of their business. We have experts that can implement DLP correctly the first time, or fine-tune existing implementations
• Focused tool analysis and design optimization – Whatever technology you use, it is likely we have experts that know how to optimize it. Our technology design resources specialize in performing analysis of existing technical implementations and making improvements
Data-Centric Protection Qualifications
Booz Allen has unrivaled experience helping sophisticated clients ensure protection of their most important data
• Coordinated with Intelligence Community (IC) CIO to develop and standardize machine readable rule-sets to enforce data labeling policy
• Developed tools with a major US Intelligence Agency to enable automatic application of valid, policy-compliant data labels and ensure the discoverability of data across disparate networks
• Enabled data in a US IC cloud deployment to be protected and support a secure method of exchange between widely differing system infrastructures
• Facilitated attribute-based access control in an IC Cloud according to the dynamic nature of information management policy
Capability Toolkit
CyberM3 Data-Centric Protection Blueprint
This document includes Privileged and Confidential information that shall not be disclosed outside of Booz Allen Hamilton and
shall not be duplicated, used, or disclosed—in whole or in part—for any purpose other than to evaluate these discussions.
Data-Centric Protection aligns to the Information Protection and IdAM control families of Booz Allen’s CyberM3 Security Model
CyberM3 Control Decomposition
Data-Centric Protection
(control decomposition diagram; not recoverable from the extracted text)
Data-Centric Protection is about understanding data, defining and enforcing data security policies
PEOPLE: P1.1 Information Security; P1.2 Incident Response; P1.3 Network Operations; P1.4 Systems Operations; P1.5 Privacy; P1.6 Legal; P1.7 End User; P1.8 Compliance Office; P1.9 Business Leads
PROCESS (MX Data-Centric Protection): MX.1 Data Definition & Characterization; MX.2 Data Handling Policy and Rules Implementation; MX.3 Planning and Architecture; MX.4 Implementation, Monitoring, & Baselining; MX.5 Data Loss Notification; MX.6 Data Loss Containment & Response; MX.7 Remediation; MX.8 Prevention & Protection
TECHNOLOGY: DT1 DLP Protection Suite; DT2 GRC; DT3 IDAM; DT4 Data-Level Security
Data-Centric Protection: RACI CHART
High-Level Process
Key Processes | IS | IR | Net Ops | Sys Ops | Privacy | Legal | End-User | Compliance | Business
MX.1 – Data Definition & Characterization – Defining policy and requirements for data categorization, discovery and analysis of data | R | C | R | R | C | C | I | A | C
MX.2 – Data Handling Guidelines & Policy Development – Development of data handling policy based off data categorization. Develop Incident (leakage) response policies and procedures | R | R | C | C | C | C | C | A | C
MX.3 – Planning & Architecture – Gather and analyze data storage, transmission and processing requirements. Design DLP deployment leveraging information categories and metadata tags. Define success metrics and targets. | A | C | C | C | C | C | - | C | C
Legend
R Responsible: The individual or group responsible for completing/implementing the task at hand. Responsibility may be shared.
A Accountable: The individual with yes/no authority and veto power that is ultimately accountable. Only one “A” per activity.
C Consulted: The individual(s) and/or group(s) to be consulted prior to a final decision or support one or more actions.
I Informed: The individual(s) and/or group(s) that should be informed after decisions are made and actions are taken.
Data-Centric Protection: People Descriptions
Roles for a DCP Program
P1.1 Information Security – Responsible for overseeing the entire Data-Centric Protection Program. Typically, there will be a team lead who is a member of the Information Security group
P1.2 Incident Response – A senior incident response team member will treat any data leakage similarly to any other security incident using incident response business processes. They will help gather forensics to help determine the objectives of the attack, help with messaging to consumers of the system’s services and assist law enforcement with the preservation of evidence (if need be)
P1.3 Network Operations – Responsible for establishing a baseline of standard network activity. Monitoring of the network to identify anomalies that might indicate a potential data leak on the system
P1.4 Systems Operations – Responsible for establishing a baseline of standard system utilization. Monitoring system logs and resource levels to identify anomalies that might indicate data exfiltration
P1.5 Privacy Group – Responsible for developing and ensuring compliance with policies which ensure that PII and other personally sensitive data objects are appropriately labeled and protected
P1.6 Legal – The Legal department will be involved to help coordinate the efforts of law enforcement, to ensure the preservation of evidence, and to watch out for the legal interests of the organization
P1.7 End User – The end-user will be corporate staff, who will need a combination of training, technologies and processes to ensure their ability to appropriately mark and protect data at the time of data creation, or while in that individual’s stewardship
P1.8 Compliance – The group charged with overall responsibility of ensuring the organization is compliant with any regulatory and compliance mandates (e.g. healthcare organization with HIPAA, FS with SEC and CFPB regulations)
P1.9 Business Leaders – The business leads are charged with ensuring the success of their business units and must have input into data protection decisions to ensure business operations
Data-Centric Protection: Process and Technology Descriptions
Process
MX.1 – Data Definition & Characterization – Defining policy and requirements for data categorization, analysis of data repositories
MX.2 – Data Handling Guidelines & Policy Development – Development of data handling policy based on data categorization. Develop Incident response policies and procedures
MX.3 – Planning & Architecture – Gather, analyze and architect data storage, transmission and processing controls
MX.4 – Implementation, Monitoring, and Baselining – Implement technologies; define and ensure compliance with performance metrics
MX.5 – Data Loss Notification – Notify appropriate individuals when incidents occur
MX.6 – Data Leakage Containment and Response – Execute response plan based on documentation
MX.7 – Remediation – Analyze vulnerabilities; apply patches to prevent similar incidents
MX.8 – Prevention and Protection – Gather lessons learned and revise program as necessary
Technology
DT.1 – DLP Technology Suite – Technologies that perform network crawling, information analysis and attempt to label data and discover inappropriate data flows
DT.2 – GRC – A suite of automated and semi-automated tools that help business leads track risk and manage exposure based on a set of established controls
DT.3 – IDAM – IDAM technologies ensure efficient and secure identification, authentication, authorization, credentialing and provisioning of users with appropriate access rights
DT.4 – Data-Centric Security – Ensure that data is protected, controlled and accessible in a system-agnostic way. These technologies ensure that a properly deployed IDAM system can enable Attribute Based Access Control (ABAC) to individual data assets
Data Handling Policy and Rules Implementation is the process of implementing data categorizations across enterprise systems
PEOPLE: P1.1 Information Security; P1.2 Incident Response; P1.3 Network Operations; P1.4 Systems Operations; P1.5 Privacy Office; P1.6 Legal; P1.7 End User; P1.8 Compliance Office; P1.9 Business Leads
PROCESS: MX.2 Data Handling Policy and Rules Implementation, decomposed into MX.2.1 Determine Data Categorization Schema, MX.2.1.1 Define Required Controls, MX.2.2 Storage and Transmission Category Interpretation, MX.2.2.1, MX.2.2.2, MX.2.3, MX.2.3.1 and MX.2.4. The remaining box labels in the diagram are Ensure Storage Repositories are Categorization-Aware, Ensure Transmission and Storage Schemes are Consistent, Draft Data Handling Policies, Formalize Data Categorization & Handling Policies, and Categorize Data (the pairing of these labels with the MX.2.2.x, MX.2.3.x and MX.2.4 identifiers is not recoverable from the extracted text)
TECHNOLOGY: DT1 DLP Protection Suite; DT2 GRC; DT3 IDAM; DT4 Data-Level Security
Data Handling Policy and Rules Implementation: RACI CHART
High-Level Process
Key Processes | IS | IR | Net Ops | Sys Ops | Privacy | Legal | End-User | Compliance | Business
MX.2.1 – Determine Data Classification Schema – Identify a consistent schema for labeling data in accordance with the previously defined data categories. Schema may vary based on data types, but must have consistent, translatable concepts | A | C | R | R | C | C | - | C | I
MX.2.1.1 – Define Required Controls – Define information security controls for implementing the classification schema (will certain categories need to be encrypted based on national standards, e.g. HIPAA). | A | C | R | R | C | C | - | R | I
MX.2.2 – Storage and Transmission Category Interpretations – Ensure that processes exist to efficiently and securely translate between data in transit and data at rest/in processing. | A | R | C | C | R | I | - | C | I
(R = Responsible, A = Accountable, C = Consulted, I = Informed)
Derived Generalized DCP Requirements and Leading Vendors/Service Providers
Derived Requirements
1) Automated Data Discovery
2) Centralized Dashboard with Metrics
3) Automated Data Tagging / Categorization
4) Custom System Monitoring
5) Network Services Monitoring
6) Service Health Monitoring (Processes, Threads)
7) Information Rights Management
8) Policy Management for Compliance (HIPAA, PCI, etc.)
9) Robust Alerting Mechanism
10) Automated Blocking and Quarantine
11) Mobile / BYOD Monitoring
12) Enterprise File Level Access Control
13) Automated Business Rule Validation
14) Digital Policy Generation
Leading Vendors/Service Providers: BAH, McAfee, Microsoft, Cisco IronPort, Symantec, Trustwave, kCura, CA Tech, WatchDox, Verdasys, RSA, Websense
Legend: X = Solution; S = Service
(The X/S cells of the requirement-by-vendor matrix are not recoverable from the extracted text.)
Booz Allen Contacts

Bill Stewart, Senior Vice President
Booz Allen Hamilton, Inc.
13200 Woodland Park Rd, Herndon, VA 20171
Tel (410) 684-6473
Stewart_Bill@bah.com

Jeff Lunglhofer, Principal
Booz Allen Hamilton, Inc.
900 Elkridge Landing Rd, Linthicum, MD 21090
Tel (619) 721-3114
Lunglhofer_Jeff@bah.com

Ernie Anderson, Senior Associate
Booz Allen Hamilton, Inc.
1615 Murray Canyon Rd., Suite 140, San Diego, CA 92120
Tel (619) 663-7757
Anderson_Ernie@bah.com

Stephen Coraggio, Senior Associate
Booz Allen Hamilton, Inc.
1095 Ave of the Americas, New York, NY 10035
Tel (201) 407-9224
Coraggio_Stephen@bah.com