Data Classification & Monitoring
A SOx requirement
SECURITY AWARENESS PRESENTATION
May 2005
Presented by:
Dan Formica, CISM
IT Security Services
Data Classification & Monitoring
Agenda
• Data Classification & Monitoring
 – WHY
  • Drivers, Goals and Benefits
 – WHAT
  • Process of Data Classification
  • Security Considerations
 – HOW
  • Tools to Help Classify Data
  • Monitoring Tools
  • Processes
• Q&A
Data Classification & Monitoring
Key Terms
• Data Classification
 – The process that groups data that possess similar characteristics into categories
 – The value of each sample of data is determined and recorded according to company standards
Data Classification & Monitoring
Key Terms cont’d
• Monitoring
 – Managing internal control through continuous and point-in-time assessment processes, e.g.
  • client access & violations
  • who has access and do they still require it
Data Classification & Monitoring - The Why
Goals of Data Classification
• Identify WHAT information exists, and WHO needs it
• Understand how valuable the information is to each of the individuals, groups and business processes that require it
• Provide a system for protecting information critical to the organization
Data Classification & Monitoring - The Why
Goals of File Access Monitoring
• Provide a clear picture of:
 – who accessed data
 – what data was accessed
 – when the data was accessed
• Provide protection to the Access Reports
• Provide adequate log retention
• Minimize the time to create, review and store reports
Data Classification & Monitoring - The Why
Benefits of Data Classification
• Provide a clear picture of the categories of data that exist in the corporation
• Enable the design and development of a shared grouping of clients for each category of data
Data Classification & Monitoring - The Why
Benefits of Data Classification cont’d
• Once Data Classification has been determined, the appropriate control activities can be established
• Control Activities are the policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out
• Without reliable information systems and effective IT control activities, public companies would not be able to generate accurate reports
Data Classification & Monitoring - The Why
Benefits of Data Classification cont’d
• Demonstrate economic value of data to the business
• Eliminate misuse or theft of data and reduce associated costs
• Comply with:
– business policies & procedures
– legislation
Data Classification & Monitoring
The WHAT - Data Classification
Answering YES to one of the following questions constitutes a requirement to classify data:
• Is the data considered CONFIDENTIAL to the Company?
• Does the data fall under PIPEDA?
• Does the data fall under the Sarbanes-Oxley Act?
• Does the data fall under HIPAA?
Data Classification & Monitoring
The What cont’d
• Security Considerations
 – How important is the information?
 – Does it contain personal information?
 – Does it contain customer information?
 – Is it financial data?
 – Who is the data owner?
 – Do the business unit and Internal Audit agree with your assessment of the data?
Data Classification & Monitoring
The What cont’d
• Data Protection
 – Your data is controlled by granting access to groups
 – Your data is only protected by monitoring who is in the groups
 – Any logon id with supervisory authority to servers can view and change any data (Security personnel and server technicians)
Data Classification & Monitoring
The HOW - Data Classification
Establish a clear, data access related goal:
• WHO
 – requires access to data
• WHAT
 – application, folder, directory
 – business process & role
 – how is the data being used in the organization
• WHEN
 – frequency
• WHERE
 – physical data location
• WHY
 – confidential
 – PIPEDA
 – SOx
 – HIPAA
Data Classification & Monitoring - The HOW
Monitoring Tools
• Internal Audits
• Software
 – Real-time surveillance (monitoring access)
 – Monitor Reporting
• Forensic analysis
 – Security Services ad hoc review
Data Classification & Monitoring - The HOW
Monitoring Tools
• Software Controls
 – Establish data to be monitored
 – Establish who requires access (need to know basis)
 – Arrange for monitoring and reporting
 – Establish alert criteria on unauthorized access
 – Collect, review and file reports (according to company policies)
Data Classification & Monitoring - The HOW
Monitoring example
SHARED Folder
 Dan’s data folder - Install monitoring at this level
  Access Reports (create new folder)
  Sensitive doc1
  Sensitive doc2
  Sensitive doc3
Data access is logged, automatic daily reports are produced, the owner is emailed a copy of the report, and a copy of the report is stored in Access Reports.
Reports are backed up as per server backups.
Report retention is under the owner’s control.
Data Classification & Monitoring - The HOW
Monitoring Tools
• Report on who accessed data
 – Date of incident
 – Time of incident
 – User - who accessed the data
 – Operation - Read, Modify, Delete…etc
 – Performed on - What data was accessed
 – Remarks - Details on the data access
 – Save the report in a secure area
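The three preceding slides (software controls with alert criteria, the monitoring example on Dan’s data folder, and the report fields) describe a daily access report without showing one. The following is an added example, not code from the presentation or from any monitoring product: it parses a constructed tab-separated audit trail, keeps only events under the monitored folder, fills in the slide’s report fields (Date, Time, User, Operation, Performed on, Remarks), and flags any logon id outside the folder’s access group as an alert. The folder name, logon ids, group membership and log format are all constructed sample data.

```python
"""Daily file-access report for a monitored share folder.

Added example, not from the presentation. The tab-separated log format,
folder layout, logon ids and access group below are constructed sample
data; a real deployment would read the audit trail the monitoring
software actually produces.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed: the folder on which monitoring is installed.
MONITORED_FOLDER = "SHARED/Dan's data folder"

# Constructed: logon ids in the folder's security group (need-to-know basis).
AUTHORIZED_USERS: Set[str] = {"dformica", "jsmith"}

# Constructed sample audit trail: date, time, logon id, operation, path.
SAMPLE_LOG = "\n".join([
    "2005-05-02\t08:05:13\tdformica\tRead\tSHARED/Dan's data folder/Sensitive doc1",
    "2005-05-02\t09:12:40\tjsmith\tModify\tSHARED/Dan's data folder/Sensitive doc2",
    "2005-05-02\t11:47:02\ttemp01\tRead\tSHARED/Dan's data folder/Sensitive doc3",
    "2005-05-02\t13:30:55\tsvradmin\tDelete\tSHARED/Dan's data folder/Sensitive doc1",
    "2005-05-02\t14:02:10\tjsmith\tRead\tSHARED/Public/readme.txt",
])


@dataclass(frozen=True)
class AccessEvent:
    date: str
    time: str
    user: str
    operation: str
    path: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed tab-separated audit trail. Malformed lines raise
    instead of being dropped, so a broken log feed is noticed, not hidden."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        events.append(AccessEvent(*fields))
    return events


def in_monitored_folder(path: str, folder: str = MONITORED_FOLDER) -> bool:
    # Match the folder itself or anything beneath it, not a sibling sharing a prefix.
    return path == folder or path.startswith(folder + "/")


def build_report(events: List[AccessEvent],
                 authorized: Set[str] = AUTHORIZED_USERS,
                 folder: str = MONITORED_FOLDER) -> List[Dict[str, str]]:
    """One row per access to the monitored folder, using the slide's fields:
    Date, Time, User, Operation, Performed on, Remarks."""
    rows = []
    for ev in events:
        if not in_monitored_folder(ev.path, folder):
            continue
        remarks = []
        # Alert criterion: a logon id outside the access group touched the data
        # (this also catches supervisory ids that bypass the group).
        if ev.user not in authorized:
            remarks.append("ALERT: logon id not in access group")
        if ev.operation in ("Modify", "Delete"):
            remarks.append("data changed")
        rows.append({
            "Date": ev.date,
            "Time": ev.time,
            "User": ev.user,
            "Operation": ev.operation,
            "Performed on": ev.path,
            "Remarks": "; ".join(remarks) or "authorized access",
        })
    return rows


def alerts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows the owner must act on (unauthorized access)."""
    return [r for r in rows if r["Remarks"].startswith("ALERT")]


def format_report(rows: List[Dict[str, str]], report_date: str) -> str:
    """Render the daily report as text for e-mailing to the owner and filing
    in the Access Reports folder."""
    columns = ["Date", "Time", "User", "Operation", "Performed on", "Remarks"]
    lines = [f"Access report for {MONITORED_FOLDER} - {report_date}",
             " | ".join(columns)]
    lines.extend(" | ".join(r[c] for c in columns) for r in rows)
    lines.append(f"{len(rows)} accesses, {len(alerts(rows))} alert(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    report_rows = build_report(parse_log(SAMPLE_LOG))
    print(format_report(report_rows, "2005-05-02"))
```

In the constructed sample the report shows four accesses to the monitored folder and two alerts: a temporary logon id reading a sensitive document and a server administrator deleting one. The second case is exactly the exposure the "Data Protection" slide describes, and it is only visible because the alert criterion is membership of the access group rather than whether the operating system allowed the operation.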
Data Classification & Monitoring - The HOW
Monitoring Tools
• Report on who has access to data
 – Obtain an automated report on who has access to your data (who is in the security groups)
 – Receive report weekly (?)
 – Review report
 – Scrutinize all access (temporary employees!)
 – Take action on all redundant access
 – File and protect reports as per standards
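The weekly "who has access" review above is a comparison of two lists: the logon ids actually in the security group and the logon ids the owner has approved. The following is an added example, not code from the presentation: it takes a constructed group-membership export and a constructed approval list (who approved the access, and for temporary employees when the approval ends), and produces KEEP / REMOVE / NOTE findings so that redundant access and expired temporary access are acted on. All logon ids, roles and dates are constructed sample data.

```python
"""Weekly review of who is in a data folder's security group.

Added example, not from the presentation. Group membership, the approved
list and the dates are constructed sample data; a real review would read
the automated group-membership report and the owner's approval records.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the date the weekly review is run.
REVIEW_DATE = date(2005, 5, 2)

# Constructed: logon ids currently in the folder's security group, as the
# automated weekly report would list them.
GROUP_MEMBERS: Set[str] = {"dformica", "jsmith", "temp01", "bjones"}


@dataclass(frozen=True)
class Approval:
    role: str
    approved_by: str
    expires: Optional[date] = None  # None = standing approval


# Constructed: the owner's approved list. Temporary employees carry an
# expiry date so the review can catch access that outlived its purpose.
APPROVED: Dict[str, Approval] = {
    "dformica": Approval("data owner", "dformica"),
    "jsmith": Approval("analyst", "dformica"),
    "temp01": Approval("temporary employee", "dformica", date(2005, 4, 30)),
    "klee": Approval("analyst", "dformica"),
}

Finding = Tuple[str, str, str]  # (logon id, action, reason)


def review_access(members: Set[str], approved: Dict[str, Approval],
                  today: date) -> List[Finding]:
    """Compare group membership against the approved list.

    REMOVE: in the group but not approved, or the approval has expired.
    KEEP:   approved and still valid.
    NOTE:   approved but not actually in the group (stale approval record).
    """
    findings: List[Finding] = []
    for user in sorted(members):
        entry = approved.get(user)
        if entry is None:
            findings.append((user, "REMOVE", "in group but not on approved list"))
        elif entry.expires is not None and entry.expires < today:
            findings.append((user, "REMOVE",
                             f"temporary access expired {entry.expires.isoformat()}"))
        else:
            findings.append((user, "KEEP",
                             f"{entry.role}, approved by {entry.approved_by}"))
    # Approvals with no matching group member: the record should be cleaned up
    # so the approved list stays an accurate statement of who may have access.
    for user in sorted(set(approved) - members):
        findings.append((user, "NOTE", "approved but not in group"))
    return findings


def redundant_access(findings: List[Finding]) -> List[str]:
    """Logon ids whose access should be removed this week."""
    return [user for user, action, _ in findings if action == "REMOVE"]


def weekly_review() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(GROUP_MEMBERS, APPROVED, REVIEW_DATE)


def format_review(findings: List[Finding], today: date) -> str:
    """Text form of the review, to be filed and protected as per standards."""
    lines = [f"Access review - {today.isoformat()}"]
    lines.extend(f"{action:6} {user:10} {reason}" for user, action, reason in findings)
    lines.append(f"{len(redundant_access(findings))} id(s) to remove")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_review(weekly_review(), REVIEW_DATE))
```

On the sample data the review marks two ids for removal: one that is in the group with no approval at all, and a temporary employee whose approval expired two days before the review. Keeping the expiry on the approval record, rather than relying on someone remembering the contract end date, is what makes the "temporary employees!" check on the slide repeatable week after week.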
Data Classification & Monitoring - The HOW
Processes
• In order to be able to withstand an audit, you must have a documented process that includes:
 – Identification of data
 – Who will be allowed access to data
 – Who must approve a request for access
 – Verification that only authorized personnel are accessing data (automated reports & alerts)
 – Verification that the authorized list is being monitored
Data Classification & Monitoring
Security Considerations
• Involve IT Security Services and Internal Audit as early in the process as possible
Data Classification & Monitoring
Security Considerations cont’d
• IT Security Requirements
 – Authentication
  • Example - WEB applications authenticate against LDAP
 – Access
  • Access to data is on a need-to-know basis
  • Access to sensitive data in Development protected the same as Production
 – Ids
  • Generic Ids are not allowed in Production
  • Application Ids must be identified and accounted for
Security Checklist for new applications
Documentation
• A brief description of what the application entails.
• How will the application be accessed?
• Define the process for a client to request access.
• Define the components required to grant a client access to the application.
• Is the application accessible from the Internet? Does it require SSL?
• Is there an application administrator? If so, who?
Security Checklist for new applications
Data Classification
• Classify the data as per Data Classification Standards (confidential if financial or personal)
• Description of the data that will be accessed
Security Checklist for new applications
Data Ownership
• Identify the owner (department) of the data to be accessed.
• Identify the key contact for data ownership questions.
• Who authorizes or approves access?
Security Checklist for new applications
Access Controls
• Clear access groups for different roles
• IT support group must be used by IT support employees only
• All application logon ids must be documented as to the ownership, purpose, and access gained
• All application ids must be password protected.
Security Checklist for new applications
Access Controls (cont)
• The effects of changing an application logon id password should be tested and documented.
• The password of application logon ids must be strictly controlled and changed as per security standards (employee termination…etc)
• All access is on a need to know basis
• Define the procedure to follow for unauthorized access
Security Checklist for new applications
Monitoring
• Access logs to capture date, time and logon id of access to the application
• Timely reports on security violations
• Define the log retention period and storage of the logs
• Quarterly reviews of clients with access. Is access still required?
• What tools are available to examine the logs?
Security Checklist for new applications
Processes
• A process must be in place to define all of the above issues.
Data Classification & Monitoring - Considerations
Case Study - LAMPS Project
• Data Classification
 – “LAMPS data is classified as confidential under the Sarbanes-Oxley Act.”
• Access
 – Business process & approvals
 – Support Team access defined differently for Development and Production
 – Client defined roles for access
Data Classification & Monitoring
Q & A