Page 1
8/11/2019 Data Stewards vs. Digital Hoarders in a Game of RISK (237149651)
http://slidepdf.com/reader/full/data-stewards-vs-digital-hoarders-in-a-game-of-risk-237149651 1/27
Strategies in the Game of RISK: Data Stewards vs. Data Hoarders
Keith Hartranft, CISSP, Information Security and Policy Officer, Library and Technology Services
Sara Rodgers, Chief Information Security Officer, Library and Technology Services
Page 2
Playing the Wrong Game
• Prioritize initiatives
• Classify data
• Analyze risk
Page 3
A Three-Pronged Approach

SANS 20 Critical Controls
Objectives:
• Implement controls proven to block known attacks
• Map specific actions to implement the controls
• Associate activities with NIST & NSA network security tasks
• Utilize procedures & tools for implementation and automation
• Assess through proven metrics & testing

ISO 27002 Policy Administration
Objectives:
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations through Information Security Policy.

Security Awareness
Objectives of SETA:
• Integrate skills and competencies into a common body of knowledge
• Produce relevant and needed security skills and competencies
• Change behavior or reinforce good security practices

Security Framework
Page 4
Page 5
Measuring Risk
Axes: Severity/Impact vs. Likelihood/Probability
Highest risk: collecting/storing restricted data on a large population, with multiple copies and/or accessible by a large number of people.
Risk is reduced by:
• Reducing the number of people/records with restricted data
• Reducing storage locations or limiting access
• Removing or redacting restricted data
Page 6
Knowing the Board and the Rules
• Laws
• Regulations
• Asset Valuation & Risk
• The Players
Page 7
Page 8
Risk Reduction: Restrict, Redact, Remove
The players: Executives, Risk Management, Legal, Information Security, Data Users, Data Custodians
Page 9
The Strategy of the 3 R’s
• Remove – Do we even need to collect it? Or can we dispose of it?
• Redact – If we store it, can we redact or obfuscate?
• Restrict – Who should see it? Access it? What views?
Page 10
Security as the Ambassador
Be the liaison in the process of Data Risk Reduction.
Risk Reduction (Restrict, Redact, Remove) sits between the Data Stewards and the Data Hoarder.
Page 11
ROCK - The Process
R – Recruit the appropriate team(s) members
O – Organize Assets, Policies, and Possible Solutions
C – Communicate with the Data Users
K – Kickstart the process with Quick Wins!
Data Stewards
Page 12
Recruit - Build Your Armies
• Executives
• Risk Management
• Legal
• Data Users
• Data Custodians
• Governance, Regulation, Compliance Committee (GRC)
• Data E-Security
Page 13
Page 14
Organize - Arm Yourself With Policies
• Data Classification
• Retention Policies
• Other?
Page 15
Page 16
Data Retention Policy
Attributes of a Good Retention Policy:
• Value based
• Clear goals for retention and accountabilities
• Defined categories of data
• Properly vetted with cross-functional buy-in by the community
• Directs technology to support lifecycle sustainability
• Includes monitoring and compliance
Page 17
Communicate - the Strategy of the 3 R’s
• Remove – Do we even need to collect it? Or can we dispose of it?
• Redact – If we store it, can we redact or obfuscate?
• Restrict – Who should see it? Access it? What views?
Page 18
Communicate - AND I MEAN IT!!!
• Remove – Can we simply remove it or do without it?
• Redact – Who should be able to view it?
• Restrict – Who should access it? And HOW?
Examine a “Fountain” effect. What are some consequences?
Page 19
Communicate – How to Comply With Data Retention
• Bring strategies for storage solutions
• Being a GOOD steward – disposing of data properly
• Know your retention times
• Treat e-records like paper records
Page 20
Communicate – Once We Reach Restrict, Protecting Access Controls
• 76% of breaches were the result of weak or stolen account credentials
• What’s the cost? Approx. $200 per record.
Page 21
Communicate with the Leaders and Troops
• Meet with the Data Stewards and Users and pitch the steps and the consequences and results of each step
• Do your homework for proposals regarding what you think are “Quick Wins” and ask others to identify other “Quick Win” areas.
• Explain that greater Access Controls implemented by InfoSec are often the result of exhaustion of the first 2 R’s
Page 22
KICKSTART! - Go for QUICK WINS!!!
• Propose some key targets for data removal
• Ask your Stewards to identify “Quick Wins” or Gains
• Monitor and maintain momentum for proposed projects
Page 23
KICKSTART! - QUICK WIN Stories!
• F&A review of data repositories
• PII in more globally viewable locations removed
• Duplicated data in test instances reduced
Page 24
Deploy the Custodians - Technology
• Automating scans and searches for record dates
• Automated purges
• Provide end-user tools
• Deploying data redaction or access control limitations
• MFA
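As an added example (not from the slides or the presenters), the first two bullets as a script: scan a tree for records whose category retention period has lapsed, report them, and purge only on an explicit, separate request, never touching records on legal hold or in a category with no schedule. It assumes the record date is the file mtime, the data category is the top-level directory name, and the retention schedule and sample files are constructed.

```python
# Added example, not from the slides. Assumptions: record date = file mtime,
# category = top-level directory, retention schedule and sample files constructed.
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION_DAYS = {"restricted": 3 * 365, "internal": 7 * 365, "public": 10 * 365}

def scan_expired(root, today, legal_hold=frozenset()):
    """Files past their category's retention; legal holds and unscheduled categories are skipped."""
    expired = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path in legal_hold:
            continue
        days = RETENTION_DAYS.get(path.relative_to(root).parts[0])
        record_date = datetime.fromtimestamp(path.stat().st_mtime)
        if days and today - record_date > timedelta(days=days):
            expired.append(path)
    return expired

def purge(paths, dry_run=True):
    """Delete the listed records; default is a dry run. Returns the number deleted."""
    deleted = 0
    for path in paths:
        if not dry_run:
            path.unlink()
            deleted += 1
    return deleted

def demo():
    """Constructed sample tree (ages in days before a fixed 'today'), scanned then purged."""
    today = datetime(2019, 8, 11)
    ages = {"restricted/old_export.csv": 4 * 365, "restricted/roster.csv": 365, "internal/budget.xlsx": 8 * 365,
            "public/archive.txt": 11 * 365, "unknown/x.dat": 20 * 365}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, age in ages.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample record\n")
            ts = (today - timedelta(days=age)).timestamp()
            os.utime(f, (ts, ts))
        hold = frozenset({root / "internal/budget.xlsx"})   # expired, but under legal hold
        expired = scan_expired(root, today, hold)
        dry = purge(expired)                   # reports only; nothing removed
        real = purge(expired, dry_run=False)   # the explicit purge
        left = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return {"expired": [p.relative_to(root).as_posix() for p in expired],
            "dry_run_deleted": dry, "deleted": real, "remaining": left}
```

The unknown category is deliberately left alone: data nobody has classified is a scan finding to route to the Data Stewards, not something to purge automatically.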
Page 25
Sustain Your Strategy – ROCK(S)?
• Repeatable processes
• Review technology tools for process automation
• Revisit timelines and record schedules
• Report annual record counts and reductions
Page 26
Page 27
WIN!!! With Strategies in the Game of RISK