Data Classification & Monitoring A SOx requirement SECURITY AWARENESS PRESENTATION May 2005 Presented by: Dan Formica, CISM IT Security Services
Data Classification Presentation

Nov 28, 2014

Page 1: Data Classification Presentation

Data Classification & Monitoring
A SOx requirement

SECURITY AWARENESS PRESENTATION

May 2005

Presented by:

Dan Formica, CISM

IT Security Services

Page 2: Data Classification Presentation

Data Classification & Monitoring Agenda

• WHY
  – Data Classification & Monitoring
• WHAT
  – Drivers, Goals and Benefits
  – Process of Data Classification
  – Security Considerations
• HOW
  – Tools to Help Classify Data
  – Monitoring Tools
  – Processes
• Q&A

Page 3: Data Classification Presentation

Data Classification & Monitoring

Key Terms

• Data Classification
  – The process that groups data that possess similar characteristics into categories
  – The value of each sample of data is determined and recorded according to company standards

Page 4: Data Classification Presentation

Data Classification & Monitoring

Key Terms cont’d

• Monitoring
  – Managing internal control through continuous and point-in-time assessment processes, e.g.
    • client access & violations
    • who has access and do they still require it

Page 5: Data Classification Presentation

Data Classification & Monitoring - The Why

Goals of Data Classification

• Identify WHAT information exists, and WHO needs it

• Understand how valuable the information is to each of the individuals, groups and business processes that require it

• Provide a system for protecting information critical to the organization

Page 6: Data Classification Presentation

Data Classification & Monitoring - The Why

Goals of File Access Monitoring

• Provide a clear picture of:
  – who accessed data
  – what data was accessed
  – when the data was accessed
• Provide protection to the Access Reports
• Provide adequate log retention
• Minimize the time to create, review and store reports

Page 7: Data Classification Presentation

Data Classification & Monitoring - The Why

Benefits of Data Classification

• Provide a clear picture of the categories of data that exist in the corporation

• Enable the design and development of a shared grouping of clients for each category of data

Page 8: Data Classification Presentation

Data Classification & Monitoring - The Why

Benefits of Data Classification cont’d

• Once Data Classification has been determined, the appropriate control activities can be established

• Control Activities are the policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out

• Without reliable information systems and effective IT control activities, public companies would not be able to generate accurate reports

Page 9: Data Classification Presentation

Data Classification & Monitoring - The Why

Benefits of Data Classification cont’d

• Demonstrate economic value of data to the business
• Eliminate misuse or theft of data and reduce associated costs
• Comply with:
  – business policies & procedures
  – legislation

Page 10: Data Classification Presentation

Data Classification & Monitoring

The WHAT - Data Classification

Answering YES to one of the following questions constitutes a requirement to classify data:

• Is the data considered CONFIDENTIAL to the Company?
• Does the data fall under PIPEDA?
• Does the data fall under the Sarbanes-Oxley Act?
• Does the data fall under HIPAA?

Page 11: Data Classification Presentation

Data Classification & Monitoring

The What cont’d

• Security Considerations
  – How important is the information?
  – Does it contain personal information?
  – Does it contain customer information?
  – Is it financial data?
  – Who is the data owner?
  – Does the business unit and Internal Audit agree with your assessment of the data?

Page 12: Data Classification Presentation

Data Classification & Monitoring

The What cont’d

• Data Protection
  – Your data is controlled by granting access to groups
  – Your data is only protected by monitoring who is in the groups
  – Any logon id with supervisory authority to servers can view and change any data (Security personnel and server technicians)

Page 13: Data Classification Presentation

Data Classification & Monitoring

The HOW - Data Classification

Establish a clear, data access related goal:

• WHO
  – Requires access to data
• WHAT
  – application, folder, directory
  – business process & role
  – how is the data being used in the organization
• WHEN
  – frequency
• WHERE
  – physical data location
• WHY
  – confidential
  – PIPEDA
  – SOx
  – HIPAA

Page 14: Data Classification Presentation

Data Classification & Monitoring - The HOW

Monitoring Tools

• Internal Audits
• Software
  – Real-time surveillance (monitoring access)
  – Monitor Reporting
• Forensic analysis
  – Security Services ad hoc review

Page 15: Data Classification Presentation

Data Classification & Monitoring - The HOW

Monitoring Tools

• Software Controls
  – Establish data to be monitored
  – Establish who requires access (need to know basis)
  – Arrange for monitoring and reporting
  – Establish alert criteria on unauthorized access
  – Collect, review and file reports (according to company policies)

Page 16: Data Classification Presentation

Data Classification & Monitoring - The HOW

Monitoring example

SHARED Folder
  Dan’s data folder - Install monitoring at this level
    Access Reports (create new folder)
    Sensitive doc1
    Sensitive doc2
    Sensitive doc3

Data access is logged, automatic daily reports are produced, the Owner is emailed a copy of the report, and a copy of the report is stored in Access Reports.

Reports are backed up as per server backups.

Report retention is under the owner’s control.

Page 17: Data Classification Presentation

Data Classification & Monitoring - The HOW

Monitoring Tools

• Report on who accessed data
  – Date of incident
  – Time of incident
  – User - who accessed the data
  – Operation - Read, Modify, Delete…etc
  – Performed on - What data was accessed
  – Remarks - Details on the data access
  – Save the report in a secure area
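The following script is an added illustration, not code from the presentation or from IT Security Services. It shows what the daily report described on the "Monitoring example" and "Report on who accessed data" slides could look like when produced from a file-server audit log: every access event under the monitored folder becomes one row with the slide's fields (date, time, user, operation, performed on, remarks), and the "alert criteria on unauthorized access" from the Software Controls slide are applied to each row. The audit-log format, the folder path, the logon ids and the authorized list are all constructed for this example.

```python
"""Daily file-access report with unauthorized-access alerts (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log, one record per line:
# <ISO timestamp>|<logon id>|<operation>|<path>|<result>
SAMPLE_LOG = """\
2005-05-02T08:15:03|dformica|READ|/shared/dan/Sensitive doc1|OK
2005-05-02T09:40:11|jsmith|MODIFY|/shared/dan/Sensitive doc2|OK
2005-05-02T11:02:45|temp042|READ|/shared/dan/Sensitive doc3|OK
2005-05-02T13:27:30|jsmith|DELETE|/shared/dan/Sensitive doc1|DENIED
2005-05-03T07:59:59|dformica|READ|/shared/dan/Sensitive doc2|OK
"""

# Monitoring is installed at the owner's folder level (constructed path).
MONITORED_ROOT = "/shared/dan/"

# Need-to-know list kept by the data owner: logon id -> approved operations
# (constructed for the example).
AUTHORIZED = {
    "dformica": {"READ", "MODIFY", "DELETE"},
    "jsmith": {"READ", "MODIFY"},
}


@dataclass
class ReportRow:
    date: str          # Date of incident
    time: str          # Time of incident
    user: str          # User - who accessed the data
    operation: str     # Operation - Read, Modify, Delete...
    performed_on: str  # Performed on - what data was accessed
    remarks: str       # Remarks - details on the data access
    alert: bool        # True when the alert criteria matched


def parse_record(line):
    """Split one audit record into (timestamp, user, operation, path, result)."""
    ts, user, op, path, result = line.split("|")
    return datetime.fromisoformat(ts), user, op.upper(), path, result


def evaluate(user, op, result):
    """Alert criteria: user not on the list, operation not approved, or a denied attempt."""
    if user not in AUTHORIZED:
        return True, "user not on authorized list"
    if op not in AUTHORIZED[user]:
        return True, f"{op} not approved for user"
    if result != "OK":
        return True, f"attempt {result.lower()}"
    return False, "authorized"


def daily_report(log_text, day):
    """Build the report rows for one calendar day (ISO date string), monitored folder only."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path, result = parse_record(line)
        if ts.date().isoformat() != day or not path.startswith(MONITORED_ROOT):
            continue
        alert, remarks = evaluate(user, op, result)
        rows.append(ReportRow(ts.date().isoformat(), ts.strftime("%H:%M:%S"),
                              user, op, path, remarks, alert))
    return rows


def render(rows):
    """Plain-text report: the copy e-mailed to the owner and filed in Access Reports."""
    lines = [f"{'Date':<10} {'Time':<8} {'User':<10} {'Operation':<9} {'Performed on':<28} Remarks"]
    for r in rows:
        flag = "ALERT " if r.alert else ""
        lines.append(f"{r.date:<10} {r.time:<8} {r.user:<10} {r.operation:<9} "
                     f"{r.performed_on:<28} {flag}{r.remarks}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = daily_report(SAMPLE_LOG, "2005-05-02")
    print(render(report))
    print(f"\n{sum(r.alert for r in report)} alert(s) in {len(report)} access events")
```

Rows flagged ALERT are the ones the owner must follow up on; the report itself is written into the Access Reports folder, which is why that folder needs its own access control and the backup and retention rules the slide mentions.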

Page 18: Data Classification Presentation

Data Classification & Monitoring - The HOW

Monitoring Tools

• Report on who has access to data
  – Obtain an automated report on who has access to your data (who is in the security groups)
  – Receive report weekly (?)
  – Review report
  – Scrutinize all access (temporary employees!)
  – Take action on all redundant access
  – File and protect reports as per standards
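An added example of the weekly "who has access" review on this slide, written for this page and not taken from the presentation: it takes an automated export of the security groups that guard the folder, checks each member against directory attributes, and produces the findings the owner must act on (temporary employees, terminated or generic ids, application ids without an owner, members who have not used their access, and redundant membership in a narrower group when the broader one is already held). Group names, logon ids, directory attributes and the finding rules are constructed for the example.

```python
"""Weekly review of security group membership guarding a data folder (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    group: str
    user: str
    reason: str


# Constructed export of the security groups: group -> member logon ids.
GROUP_MEMBERS = {
    "FS_DanData_RW": ["dformica", "jsmith", "temp042", "svc_report"],
    "FS_DanData_RO": ["mlee", "jsmith", "guest"],
}

# Constructed directory attributes; last_access comes from the daily access reports.
DIRECTORY = {
    "dformica":   {"type": "employee",    "status": "active",     "last_access": date(2005, 5, 2)},
    "jsmith":     {"type": "employee",    "status": "active",     "last_access": date(2005, 5, 2)},
    "temp042":    {"type": "temporary",   "status": "active",     "last_access": date(2005, 5, 2),
                   "contract_end": date(2005, 5, 15)},
    "svc_report": {"type": "application", "status": "active",     "last_access": date(2005, 5, 2),
                   "owner": "IT Security Services"},
    "mlee":       {"type": "employee",    "status": "terminated", "last_access": date(2005, 3, 1)},
    "guest":      {"type": "generic",     "status": "active",     "last_access": date(2005, 1, 10)},
}


def review_member(user, attrs, as_of, stale_days):
    """Return the reasons this membership needs the owner's attention (empty if none)."""
    if attrs is None:
        return ["unknown logon id: not in directory, remove"]
    if attrs["status"] == "terminated":
        return ["terminated: remove immediately"]
    reasons = []
    kind = attrs["type"]
    if kind == "temporary":
        reasons.append("temporary employee: confirm access is still required")
        end = attrs.get("contract_end")
        if end is not None and end < as_of:
            reasons.append(f"contract ended {end.isoformat()}: remove")
    elif kind == "generic":
        reasons.append("generic id: not allowed, replace with named ids")
    elif kind == "application" and not attrs.get("owner"):
        reasons.append("application id: no documented owner")
    last = attrs.get("last_access")
    if last is None or (as_of - last).days > stale_days:
        reasons.append(f"no access in the last {stale_days} days: redundant?")
    return reasons


def review_access(groups, directory, as_of, stale_days=60, supersedes=None):
    """Review every membership; supersedes maps a broader group to the narrower one it makes redundant."""
    findings = []
    for group, members in groups.items():
        for user in members:
            for reason in review_member(user, directory.get(user), as_of, stale_days):
                findings.append(Finding(group, user, reason))
    # Redundant access: a narrower group adds nothing once the broader one is held.
    for broad, narrow in (supersedes or {}).items():
        for user in sorted(set(groups.get(broad, ())) & set(groups.get(narrow, ()))):
            findings.append(Finding(narrow, user, f"redundant: already a member of {broad}"))
    return findings


if __name__ == "__main__":
    for f in review_access(GROUP_MEMBERS, DIRECTORY, date(2005, 5, 9),
                           supersedes={"FS_DanData_RW": "FS_DanData_RO"}):
        print(f"{f.group:<15} {f.user:<12} {f.reason}")
```

The output is the list the owner reviews and signs off each week; members with no findings keep their access, and every finding maps to an action (remove, confirm, or document) that can be filed with the report.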

Page 19: Data Classification Presentation

Data Classification & Monitoring - The HOW

Processes

• In order to be able to withstand an audit, you must have a documented process that includes:
  – Identification of data
  – Who will be allowed access to data
  – Who must approve a request for access
  – Verification that only authorized personnel are accessing data (automated reports & alerts)
  – Verification that the authorized list is being monitored

Page 20: Data Classification Presentation

Data Classification & Monitoring

Security Considerations

• Involve IT Security Services and Internal Audit as early in the process as possible

Page 21: Data Classification Presentation

Data Classification & Monitoring

Security Considerations cont’d

• IT Security Requirements
  – Authentication
    • Example - WEB applications authenticate against LDAP
  – Access
    • Access to data is on a need-to-know basis
    • Access to sensitive data in Development protected the same as Production
  – Ids
    • Generic Ids are not allowed in Production
    • Application Ids must be identified and accounted for

Page 22: Data Classification Presentation

Security Checklist for new applications

Documentation
• A brief description of what the application entails.
• How will the application be accessed?
• Define the process for a client to request access.
• Define the components required to grant a client access to the application.
• Is the application accessible from the Internet? Does it require SSL?
• Is there an application administrator? If so, who?

Page 23: Data Classification Presentation

Security Checklist for new applications

Data Classification
• Classify the data as per Data Classification Standards (confidential if financial or personal)
• Description of the data that will be accessed

Page 24: Data Classification Presentation

Security Checklist for new applications

Data Ownership
• Identify the owner (department) of the data to be accessed.
• Identify the key contact for data ownership questions.
• Who authorizes or approves access?

Page 25: Data Classification Presentation

Security Checklist for new applications

Access Controls
• Clear access groups for different roles
• IT support group must be used by IT support employees only
• All application logon ids must be documented as to the ownership, purpose, and access gained
• All application ids must be password protected.

Page 26: Data Classification Presentation

Security Checklist for new applications

Access Controls (cont)

• The effects of changing an application logon id password should be tested and documented.
• The password of application logon ids must be strictly controlled and changed as per security standards (employee termination…etc)
• All access is on a need to know basis
• Define the procedure to follow for unauthorized access

Page 27: Data Classification Presentation

Security Checklist for new applications

Monitoring
• Access logs to capture date, time and logon id of access to the application
• Timely reports on security violations
• Define the log retention period and storage of the logs
• Quarterly reviews of clients with access. Is access still required?
• What tools are available to examine the logs?

Page 28: Data Classification Presentation

Security Checklist for new applications

Processes
• A process must be in place to define all of the above issues.

Page 29: Data Classification Presentation

Data Classification & Monitoring - Considerations
Case Study - LAMPS Project

• Data Classification
  – “LAMPS data is classified as confidential under the Sarbanes-Oxley Act.”
• Access
  – Business process & approvals
  – Support Team access defined differently for Development and Production
  – Client defined roles for access

Page 30: Data Classification Presentation

Data Classification & Monitoring

Q & A