Data Center Assistance Group, Inc.                                                       DCAG
                        Tape Vaulting Audit And Encryption Usage Analysis

                                      Prepared for Public Presentation
                                      (includes “SB 1386”, “Gramm Leach Bliley”, and “Personal Data Protection and Security Act of 2005” Customer Information Protection and loss reporting requirements review and analysis)




Presented by:
Tom Bronack,
Phone: (718) 591-5553
Email: bronackt@dcag.com




Confidential and Proprietary   Tape Vaulting Audit and Encryption Usage Analysis               Page: 1
Data Center Assistance Group, Inc.                                            DCAG

     Abstract
   Loss of media events have happened frequently and could result in Identity Theft to customers whose information was on lost media or exposed to data breach.
   Potential monetary losses are great for company and individuals, through civil charges, and potentially criminal charges.
   Personal Data Privacy and Security Act of 2005; Gramm, Leach, Bliley (GLB); and CA State Bill 1386 all require that customers be immediately informed of a data breach or lost media event.
   The cost associated with the Tape Vaulting Audit and Encryption Usage Analysis engagement is very small in relationship to the amount that can be lost.
   Project identifies Gaps and Exposures and results in implemented Procedures and Response Plans that help the organization adhere to laws and regulations in a controlled manner.
   Better customer safeguards through controls, procedures, and response plans.

     ChoicePoint losses due to Personal Data Breach


   Fined $15 million by FTC.
   Lost 25% market cap, or $750 million.
   Lost $15-20 million in Core Revenue.
   Lost 10-20 cents per share.
   Spending $2 million on credit bureau memberships for customers affected by data breach.
   Will suffer more scrutiny in the future.
   Will never regain reputation lost due to data breach.


     Goals and Objectives
   Review Laws and Regulations affecting Tape Transport To/From data center and remote locations.
   Review the Tape transportation process between the data center and remote locations (i.e., Vaults, Customers, Credit Bureaus, other).
   Evaluate vendors included in the media transportation process, including those used for purchase and disposal of media.
   Perform an Audit of the Local and Remote Vaults.
   Research existing Insurance over loss of media.
   Review Procedures and the Response Plan for lost media or a Data Breach.
   Investigate the use of Encryption to protect data from misuse.
   Identify Exposures and Gaps, define impact, draw conclusions, and make recommendations to mitigate and remedy identified problems.
   Prepare a Final Report with findings and recommendations.


     Gramm Leach Bliley Safeguard Rule
   Effective – May 23, 2002
   Covered Entities include - Financial institutions as defined in the Bank Holding Company Act that possess, process, or transmit private customer information.
   Purpose – Protect Customer Information from unauthorized disclosure or use.
   Operative Mechanisms – Information Security Program:
      Responsible Employee Selection and Assignment;
      Risk Assessment performed;
      Information safeguards and controls implemented;
      Oversight of “Service Providers”; and
      Testing and Monitoring.
   Criminal Consequence of Non Compliance – Fines and imprisonment of up to Five (5) years.


     California SB 1386 (State Bill)
   California SB 1386 became effective on July 1, 2003, amending civil codes 1798.29, 1798.82 and 1798.84. It is a serious bill, with far reaching implications.
   Designed to force any public or private entity that maintains electronic customer data to report the misuse, loss, or destruction of such data immediately upon discovery.
   Purpose is to reduce, or eliminate, personal identity theft.
   Essentially, it requires an agency, person, or business entity that conducts business in California and owns or licenses computerized 'personal information' to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed).
   If companies fail to notify, they will be subject to civil penalties and suit by each of the people who have had their identity records compromised.
   In order to reduce or eliminate the potential for media loss during transport, the Tape Vaulting Audit and Encryption Usage Analysis engagement has been requested.
   This engagement will review how media is presently transported between the data center and remote locations, vendor operations, and the potential use of Encryption, making recommendations to eliminate exposures and gaps.


     Personal Data Privacy And Security Act of 2005
   Designed to replace California SB 1386 nationwide.
   Introduced by Sen. Arlen Specter (R-Pa.) and Sen. Patrick Leahy (D-Vt.)
   Key Features include:
      • Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data;
      • Increasing criminal penalties for identity theft involving electronic personal data by (1) increasing penalties for computer fraud when such fraud involves personal data, (2) adding fraud involving unauthorized access to personal information as a predicate offense for RICO and (3) making it a crime to intentionally or willfully conceal a security breach involving personal data;
      • Giving individuals access to, and the opportunity to correct, any personal information held by data brokers;
      • Requiring entities that maintain personal data to establish internal policies that protect such data and vet third-parties they hire to process that data;



     Personal Data Privacy And Security Act of 2005 (continued)

   Key Features include (continued):
      • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised. The trigger for notice is tied to risk of harm, and there are exemptions for notice where the risk is de minimis or where fraud prevention techniques prevent harm to consumers. Also requires that companies provide victim protection assistance, specifically free access to credit reports and credit monitoring services, to individuals notified that their personal data has been breached;
      • Limits the buying, selling or displaying of a social security number without consent from the individual whose number it is, prohibits companies from requiring individuals to use social security numbers as their account numbers and places limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and bars government agencies from posting public records that contain Social Security numbers on the Internet; and
      • Requiring the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.


     Defining a GLB or 1386 type of violation
   These guidelines are the only ones requiring notification if a “Breach” occurs, whether it be electronic or paper.
   Combination of “Sensitive” Customer Information, including:
      • Name, Address, Telephone Number, PLUS
      • Social Security Number, Account Number, Credit / Debit Card Number and associated PIN, or any combination of components that would allow access to individuals account.
   States that are enacting similar bill as 1386 include: Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, Washington, and maybe Federal.



     Companies experiencing a 1386 or GLB Breach include:

   ABN Amro Mortgage Group
   Ameritrade Holding Corp.
   Bank of America Corp.
   CardSystems Solutions, Inc.
   Choicepoint, Inc
   CitiGroup, Inc
   Dept. of Justice
   Ford Motor Company
   HSBC North America
   Marriott Corporation
   People’s Bank
   Several Universities
   Time Warner
   Sam’s Club – a division of Wal Mart
   American Express




     Tape Vaulting Audit
   Define Scope and Deliverables:
      Define off-site locations receiving media, including:
         Remote Vendor Vaults;
         Credit Bureaus; and
         Customers, etc.
      Evaluate Backup and Vaulting Procedures.

   Define Goals and Objectives:
      Identify media to be safeguarded during transport to/from remote locations;
      Review and Optimize procedures governing media transport;
      Review and suggest methods for optimizing protection for media being transported between locations; and
      Recommend updates to standards and Procedures, as needed.

     Project Phases and Assignments

   Assign Team Members
      Define functions to be performed;
      Select personnel with required skills to perform functions;
      Assign personnel to project functions;
      Establish schedule for periodic reviews (Communication Plan);
      Review project purpose and deliverables with team members;
      Gain consensus with team members;
      Agree upon deliverables and schedule (Detailed Work Program); and
      Develop Action Plan for team members.


     Environment Overview

   Define locations included in study, such as:
      Data Centers, Remote Vaults, and Credit Bureaus;
      Other locations.
   Define Operating Systems Used.
   Define Tape Management Systems Used.
   Review Tape Management Organization and Staff.
   Review Staff Functional Responsibilities.
   Review Staff Job Descriptions.
   Review Tape Management Standards and Procedures Manual.


     External Relationship Review

   Define Vendor Relationships:
      Vaulting; and
      Media purchase and disposal.
   Review Vendor Contracts.
   Review insurance related to media loss.
   Review company response to media loss (CA 1386).
   Review media re-use and disposal policies and practices.



     Selecting Media for Backup and Vaulting

   Review Vital Records Management procedures:
      Identifying files for backup and vaulting;
      Determining the best time to perform backups;
      Review vaulting procedures; and
      Discuss operations with management and staff.

   Review file naming conventions.
   Review Standards and Procedures for this area of work.
   Review vaulting schedule and past history.

     Review How Backups are Created
   Review Operating System requirements.
   Review Tape Management System.
   Review Backup Job Stream and Schedule:
      Weekly and Monthly backup schedule;
      Daily Incremental Backups;
      Other types of backup; and
      Backup Schedule as it relates to production schedule.
   Review physical movement of media to backup machine and then to storage area in preparation for vaulting company pickup.
   Review Backup logs, tracking, and reporting for both customer and remote location to synchronize file location.


     Review Media Transportation Procedures

   Define where media is stored before pick-up.
   Determine if the location is secure.
   Review Vault Management System and its usage.
   Review vaulting procedures for:
      Local Vault;
      Customer off-site vault; and
      Vendor off-site vault.
   Review associated standards and Procedures Manual sections relating to the above operation.

     Audit Vaulting Vendor Location and Procedures

   Review pickup and delivery procedures.
   Review log-in and log-out procedures.
   Review how media is packed, shipped, and received at vendor location.
   Review vendor procedures when receiving media for vaulting.
   Review Vault Management System and its reports.
   Review any methods for customer to validate vaulted media has arrived and is placed in storage rack via remote access or hard copy reports.
   Identify Gaps and Exposures associated with process and documentation.
   Compare process with other vendors.


     Evaluate Current Vaulting Procedures

   Evaluate findings and documentation.
   Identify Gaps and Exposures.
   Rate impact of Gaps and Exposures.
   Make recommendations for improvement.
   Prepare supportive documentation to make it easier for the customer and vendor to correct mistakes.
   Present findings to customer for review.
   Make any changes deemed necessary.
   Create final media vaulting evaluation document.

     Evaluate the Need for Encryption
   Define the types of files that are candidates for Encryption, including:
      • Long-term files may not be good candidates.
      • Short-term sensitive files may be excellent candidates.
      • Financial, Compliance, and other critical files.
   Define and research the Types of Encryption available:
      • Encryption Key Methodology (128 bit, etc.).
      • Encryption Key escrow and usage procedures.
      • Duration associated with Encryption Jobs and their impact on production schedules.
   Define Encryption Selection and Usage criteria.
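The slide above asks the engagement to research key methodology and key escrow procedures. The following is an added example, not code from the presentation or from DCAG, showing the separation those procedures exist to enforce: the backup image on the tape is sealed with a per-volume AES-256 key, the tape carries only a key ID, and the key itself lives in an escrow kept apart from the media and the vaulting vendor. The volume serial numbers, the key-ID derivation and the in-memory escrow map are assumptions made for the example; a real escrow would be an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// EscrowRecord is one entry in the key escrow, which is held apart from the
// media and from the vaulting vendor. The layout is assumed for this example;
// the presentation does not specify an escrow format.
type EscrowRecord struct {
	VolumeSerial string
	KeyID        string
	Key          []byte // 256-bit AES key; never written to the tape
}

// TapeManifest is what travels with the tape: ciphertext plus the ID of the
// key that protects it. Whoever loses the tape in transit gets no key material.
type TapeManifest struct {
	VolumeSerial string
	KeyID        string
	Nonce        []byte
	Ciphertext   []byte
}

// NewVolumeKey generates a fresh 256-bit key for one tape volume and derives a
// short, non-secret key ID from it for cross-referencing manifest and escrow.
func NewVolumeKey(volser string) (EscrowRecord, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return EscrowRecord{}, err
	}
	sum := sha256.Sum256(key)
	return EscrowRecord{VolumeSerial: volser, KeyID: hex.EncodeToString(sum[:8]), Key: key}, nil
}

// EncryptVolume seals a backup image with AES-256-GCM. The volume serial is
// bound as additional authenticated data, so a manifest cannot be re-labelled
// for another tape without decryption failing.
func EncryptVolume(rec EscrowRecord, image []byte) (TapeManifest, error) {
	block, err := aes.NewCipher(rec.Key)
	if err != nil {
		return TapeManifest{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return TapeManifest{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return TapeManifest{}, err
	}
	ct := gcm.Seal(nil, nonce, image, []byte(rec.VolumeSerial))
	return TapeManifest{VolumeSerial: rec.VolumeSerial, KeyID: rec.KeyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptVolume restores a backup image from a manifest and the escrow. It
// fails closed when the escrow holds no key for the manifest's key ID, when
// the ciphertext was altered, or when the manifest was moved to another volume.
func DecryptVolume(escrow map[string]EscrowRecord, m TapeManifest) ([]byte, error) {
	rec, ok := escrow[m.KeyID]
	if !ok {
		return nil, fmt.Errorf("no escrowed key for key ID %s", m.KeyID)
	}
	block, err := aes.NewCipher(rec.Key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, []byte(m.VolumeSerial))
}

func main() {
	// Constructed sample record standing in for a vaulted backup image.
	image := []byte("CUST,Jane Doe,123-45-6789,ACCT 0001\n")
	rec, err := NewVolumeKey("VOL001")
	if err != nil {
		panic(err)
	}
	escrow := map[string]EscrowRecord{rec.KeyID: rec} // stays at the data center
	m, err := EncryptVolume(rec, image)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape %s sealed under key ID %s (%d bytes)\n", m.VolumeSerial, m.KeyID, len(m.Ciphertext))
	if _, err := DecryptVolume(map[string]EscrowRecord{}, m); err != nil {
		fmt.Println("tape alone, no escrow:", err)
	}
	plain, err := DecryptVolume(escrow, m)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape plus escrow: %q\n", plain)
}
```

The point for the audit is the one the SB 1386 slide makes: the notification duty attaches to unencrypted data, so a lost tape whose key never left the escrow is a media-loss incident rather than a disclosure, but only if the escrow record can be shown to have stayed separate from the media, which is why the key escrow and usage procedures belong in the review scope.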

     Final Report

   Management Report.
   Management Presentation.
   Discussion of Findings.
   Working with the customer after final report.
   Where do we go from here.
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Comprehensive Data Leak Prevention
Comprehensive Data Leak PreventionComprehensive Data Leak Prevention
Comprehensive Data Leak Prevention
 
Smart grid
Smart gridSmart grid
Smart grid
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
 
Data breach protection from a DB2 perspective
Data breach protection from a  DB2 perspectiveData breach protection from a  DB2 perspective
Data breach protection from a DB2 perspective
 
White Paper - Nuix Cybersecurity - US Localized
White Paper - Nuix Cybersecurity - US LocalizedWhite Paper - Nuix Cybersecurity - US Localized
White Paper - Nuix Cybersecurity - US Localized
 
Data breaches at home and abroad
Data breaches at home and abroad Data breaches at home and abroad
Data breaches at home and abroad
 
Access Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docxAccess Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docx
 
2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance 2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 

Mehr von Thomas Bronack

Personnel Productivity System - Exec Pres
Personnel Productivity System - Exec PresPersonnel Productivity System - Exec Pres
Personnel Productivity System - Exec PresThomas Bronack
 
Utilizing Dashboards to improve efficiency
Utilizing Dashboards to improve efficiencyUtilizing Dashboards to improve efficiency
Utilizing Dashboards to improve efficiencyThomas Bronack
 
Optimizing the it and business environment through dashboards
Optimizing the it and business environment through dashboardsOptimizing the it and business environment through dashboards
Optimizing the it and business environment through dashboardsThomas Bronack
 
Dcag training on VMware DR Process
Dcag training on VMware DR ProcessDcag training on VMware DR Process
Dcag training on VMware DR ProcessThomas Bronack
 
Achieving enterprise resiliency and corporate certification through the use o...
Achieving enterprise resiliency and corporate certification through the use o...Achieving enterprise resiliency and corporate certification through the use o...
Achieving enterprise resiliency and corporate certification through the use o...Thomas Bronack
 
Enterprise resiliency and world-wide compliance, in-depth article.
Enterprise resiliency and world-wide compliance, in-depth article.Enterprise resiliency and world-wide compliance, in-depth article.
Enterprise resiliency and world-wide compliance, in-depth article.Thomas Bronack
 
Optimizing the IT and Business Environment
Optimizing the IT and Business EnvironmentOptimizing the IT and Business Environment
Optimizing the IT and Business EnvironmentThomas Bronack
 
Dcag service optimization offering01
Dcag service optimization offering01Dcag service optimization offering01
Dcag service optimization offering01Thomas Bronack
 
Recovery and Compliance Services provided by Tom Bronack
Recovery and Compliance Services provided by Tom BronackRecovery and Compliance Services provided by Tom Bronack
Recovery and Compliance Services provided by Tom BronackThomas Bronack
 
Auditing contingency Plans
Auditing contingency PlansAuditing contingency Plans
Auditing contingency PlansThomas Bronack
 
Equipment Redeployment and Termination Procedures
Equipment Redeployment and Termination ProceduresEquipment Redeployment and Termination Procedures
Equipment Redeployment and Termination ProceduresThomas Bronack
 
Article on Emergency Management and Corporate Certification
Article on Emergency Management and Corporate CertificationArticle on Emergency Management and Corporate Certification
Article on Emergency Management and Corporate CertificationThomas Bronack
 
Updated Healthcare Industry Compliance Presentation
Updated Healthcare Industry Compliance PresentationUpdated Healthcare Industry Compliance Presentation
Updated Healthcare Industry Compliance PresentationThomas Bronack
 
Smaller Presentation on Enterprise Resiliency and Corporate Certification
Smaller Presentation on Enterprise Resiliency and Corporate CertificationSmaller Presentation on Enterprise Resiliency and Corporate Certification
Smaller Presentation on Enterprise Resiliency and Corporate CertificationThomas Bronack
 
Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification
Exec Presentation on Achieving Enterprise Resiliency and Corporate CertificationExec Presentation on Achieving Enterprise Resiliency and Corporate Certification
Exec Presentation on Achieving Enterprise Resiliency and Corporate CertificationThomas Bronack
 
Executive Presentation on adhering to Healthcare Industry compliance
Executive Presentation on adhering to Healthcare Industry complianceExecutive Presentation on adhering to Healthcare Industry compliance
Executive Presentation on adhering to Healthcare Industry complianceThomas Bronack
 
Personnel Productivity System - Updated 6-6-2013
Personnel Productivity System - Updated 6-6-2013Personnel Productivity System - Updated 6-6-2013
Personnel Productivity System - Updated 6-6-2013Thomas Bronack
 
Achieving Enterprise Resiliency and Corporate Certification
Achieving Enterprise Resiliency and Corporate CertificationAchieving Enterprise Resiliency and Corporate Certification
Achieving Enterprise Resiliency and Corporate CertificationThomas Bronack
 
Asset Management (Acquisition, Redeployment, and Termination)(
Asset Management (Acquisition, Redeployment, and Termination)(Asset Management (Acquisition, Redeployment, and Termination)(
Asset Management (Acquisition, Redeployment, and Termination)(Thomas Bronack
 
Application migration guideline document
Application migration guideline documentApplication migration guideline document
Application migration guideline documentThomas Bronack
 

Mehr von Thomas Bronack (20)

Personnel Productivity System - Exec Pres
Personnel Productivity System - Exec PresPersonnel Productivity System - Exec Pres
Personnel Productivity System - Exec Pres
 
Utilizing Dashboards to improve efficiency
Utilizing Dashboards to improve efficiencyUtilizing Dashboards to improve efficiency
Utilizing Dashboards to improve efficiency
 
Optimizing the it and business environment through dashboards
Optimizing the it and business environment through dashboardsOptimizing the it and business environment through dashboards
Optimizing the it and business environment through dashboards
 
Dcag training on VMware DR Process
Dcag training on VMware DR ProcessDcag training on VMware DR Process
Dcag training on VMware DR Process
 
Achieving enterprise resiliency and corporate certification through the use o...
Achieving enterprise resiliency and corporate certification through the use o...Achieving enterprise resiliency and corporate certification through the use o...
Achieving enterprise resiliency and corporate certification through the use o...
 
Enterprise resiliency and world-wide compliance, in-depth article.
Enterprise resiliency and world-wide compliance, in-depth article.Enterprise resiliency and world-wide compliance, in-depth article.
Enterprise resiliency and world-wide compliance, in-depth article.
 
Optimizing the IT and Business Environment
Optimizing the IT and Business EnvironmentOptimizing the IT and Business Environment
Optimizing the IT and Business Environment
 
Dcag service optimization offering01
Dcag service optimization offering01Dcag service optimization offering01
Dcag service optimization offering01
 
Recovery and Compliance Services provided by Tom Bronack
Recovery and Compliance Services provided by Tom BronackRecovery and Compliance Services provided by Tom Bronack
Recovery and Compliance Services provided by Tom Bronack
 
Auditing contingency Plans
Auditing contingency PlansAuditing contingency Plans
Auditing contingency Plans
 
Equipment Redeployment and Termination Procedures
Equipment Redeployment and Termination ProceduresEquipment Redeployment and Termination Procedures
Equipment Redeployment and Termination Procedures
 
Article on Emergency Management and Corporate Certification
Article on Emergency Management and Corporate CertificationArticle on Emergency Management and Corporate Certification
Article on Emergency Management and Corporate Certification
 
Updated Healthcare Industry Compliance Presentation
Updated Healthcare Industry Compliance PresentationUpdated Healthcare Industry Compliance Presentation
Updated Healthcare Industry Compliance Presentation
 
Smaller Presentation on Enterprise Resiliency and Corporate Certification
Smaller Presentation on Enterprise Resiliency and Corporate CertificationSmaller Presentation on Enterprise Resiliency and Corporate Certification
Smaller Presentation on Enterprise Resiliency and Corporate Certification
 
Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification
Exec Presentation on Achieving Enterprise Resiliency and Corporate CertificationExec Presentation on Achieving Enterprise Resiliency and Corporate Certification
Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification
 
Executive Presentation on adhering to Healthcare Industry compliance
Executive Presentation on adhering to Healthcare Industry complianceExecutive Presentation on adhering to Healthcare Industry compliance
Executive Presentation on adhering to Healthcare Industry compliance
 
Personnel Productivity System - Updated 6-6-2013
Personnel Productivity System - Updated 6-6-2013Personnel Productivity System - Updated 6-6-2013
Personnel Productivity System - Updated 6-6-2013
 
Achieving Enterprise Resiliency and Corporate Certification
Achieving Enterprise Resiliency and Corporate CertificationAchieving Enterprise Resiliency and Corporate Certification
Achieving Enterprise Resiliency and Corporate Certification
 
Asset Management (Acquisition, Redeployment, and Termination)(
Asset Management (Acquisition, Redeployment, and Termination)(Asset Management (Acquisition, Redeployment, and Termination)(
Asset Management (Acquisition, Redeployment, and Termination)(
 
Application migration guideline document
Application migration guideline documentApplication migration guideline document
Application migration guideline document
 

Tape vaulting audit and encryption usage analysis

1. Data Center Assistance Group, Inc. (DCAG)
   Tape Vaulting Audit and Encryption Usage Analysis
   Prepared for Public Presentation (includes “SB 1386”, “Gramm Leach Bliley”, and “Personal Data Protection and Security Act of 2005” Customer Information Protection and loss reporting requirements review and analysis)
   Presented by: Tom Bronack, Phone: (718) 591-5553, Email: bronackt@dcag.com
   Confidential and Proprietary. Tape Vaulting Audit and Encryption Usage Analysis. Page: 1

2. Abstract
   • Loss-of-media events have happened frequently and can result in Identity Theft for customers whose information was on the lost media or was exposed in a data breach.
   • Potential monetary losses are large for both the company and individuals, through civil charges and potentially criminal charges.
   • The Personal Data Privacy and Security Act of 2005; Gramm, Leach, Bliley (GLB); and CA State Bill 1386 all require that customers be immediately informed of a data breach or lost-media event.
   • The cost of the Tape Vaulting Audit and Encryption Usage Analysis engagement is very small relative to the amount that can be lost.
   • The project identifies Gaps and Exposures and results in implemented Procedures and Response Plans that help the organization adhere to laws and regulations in a controlled manner.
   • Better customer safeguards through controls, procedures, and response plans.

3. ChoicePoint losses due to Personal Data Breach
   • Fined $15 million by the FTC.
   • Lost 25% of market cap, or $750 million.
   • Lost $15-20 million in Core Revenue.
   • Lost 10-20 cents per share.
   • Spending $2 million on credit bureau memberships for customers affected by the data breach.
   • Will suffer more scrutiny in the future.
   • Will never regain the reputation lost due to the data breach.

4. Goals and Objectives
   • Review Laws and Regulations affecting Tape Transport to/from the data center and remote locations.
   • Review the Tape transportation process between the data center and remote locations (i.e., Vaults, Customers, Credit Bureaus, other).
   • Evaluate vendors included in the media transportation process, including those used for purchase and disposal of media.
   • Perform an Audit of the Local and Remote Vaults.
   • Research existing Insurance covering loss of media.
   • Review Procedures and the Response Plan for lost media or a Data Breach.
   • Investigate the use of Encryption to protect data from misuse.
   • Identify Exposures and Gaps, define impact, draw conclusions, and make recommendations to mitigate and remedy identified problems.
   • Prepare a Final Report with findings and recommendations.

5. Gramm Leach Bliley Safeguard Rule
   • Effective – May 23, 2002.
   • Covered Entities include financial institutions, as defined in the Bank Holding Company Act, that possess, process, or transmit private customer information.
   • Purpose – Protect Customer Information from unauthorized disclosure or use.
   • Operative Mechanisms – Information Security Program:
      - Responsible Employee Selection and Assignment;
      - Risk Assessment performed;
      - Information safeguards and controls implemented;
      - Oversight of “Service Providers”; and
      - Testing and Monitoring.
   • Criminal Consequence of Non-Compliance – Fines and imprisonment of up to Five (5) years.

6. California SB 1386 (State Bill)
   • California SB 1386 became effective on July 1, 2003, amending civil codes 1798.29, 1798.82 and 1798.84. It is a serious bill with far-reaching implications.
   • Designed to force any public or private entity that maintains electronic customer data to report the misuse, loss, or destruction of such data immediately upon discovery.
   • Purpose is to reduce, or eliminate, personal identity theft.
   • Essentially, it requires an agency, person, or business entity that conducts business in California and owns or licenses computerized 'personal information' to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed.
   • If companies fail to notify, they will be subject to civil penalties and suit by each of the people whose identity records have been compromised.
   • In order to reduce or eliminate the potential for media loss during transport, the Tape Vaulting Audit and Encryption Usage Analysis engagement has been requested.
   • This engagement will review how media is presently transported between the data center and remote locations, vendor operations, and the potential use of Encryption, and will make recommendations to eliminate exposures and gaps.

7. Personal Data Privacy And Security Act of 2005
   • Designed to replace California SB 1386 nationwide.
   • Introduced by Sen. Arlen Specter (R-Pa.) and Sen. Patrick Leahy (D-Vt.).
   • Key Features include:
      - Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data;
      - Increasing criminal penalties for identity theft involving electronic personal data by (1) increasing penalties for computer fraud when such fraud involves personal data, (2) adding fraud involving unauthorized access to personal information as a predicate offense for RICO and (3) making it a crime to intentionally or willfully conceal a security breach involving personal data;
      - Giving individuals access to, and the opportunity to correct, any personal information held by data brokers;
      - Requiring entities that maintain personal data to establish internal policies that protect such data and vet third parties they hire to process that data;

8. Personal Data Privacy And Security Act of 2005 (continued)
   • Key Features include (continued):
      - Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised. The trigger for notice is tied to risk of harm, and there are exemptions for notice where the risk is de minimis or where fraud prevention techniques prevent harm to consumers. Also requires that companies provide victim protection assistance, specifically free access to credit reports and credit monitoring services, to individuals notified that their personal data has been breached;
      - Limits the buying, selling or displaying of a social security number without consent from the individual whose number it is, prohibits companies from requiring individuals to use social security numbers as their account numbers, places limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and bars government agencies from posting public records that contain Social Security numbers on the Internet; and
      - Requiring the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and to impose penalties on government contractors that fail to meet data privacy and security requirements.

9. Defining a GLB or 1386 type of violation
   • These guidelines are the only ones requiring notification if a “Breach” occurs, whether it be electronic or paper.
   • Combination of “Sensitive” Customer Information, including:
      - Name, Address, Telephone Number, PLUS
      - Social Security Number, Account Number, Credit / Debit Card Number and associated PIN, or any combination of components that would allow access to an individual's account.
   • States that are enacting a bill similar to 1386 include: Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, Washington, and maybe Federal.

10. Companies experiencing a 1386 or GLB Breach include:
   • ABN Amro Mortgage Group
   • Ameritrade Holding Corp.
   • Bank of America Corp.
   • CardSystems Solutions, Inc.
   • Choicepoint, Inc.
   • CitiGroup, Inc.
   • Dept. of Justice
   • Ford Motor Company
   • HSBC North America
   • Marriott Corporation
   • People’s Bank
   • Several Universities
   • Time Warner
   • Sam’s Club – a division of Wal Mart
   • American Express

11. Tape Vaulting Audit
   • Define Scope and Deliverables:
      - Define off-site locations receiving media, including: Remote Vendor Vaults; Credit Bureaus; and Customers, etc.
      - Evaluate Backup and Vaulting Procedures.
   • Define Goals and Objectives:
      - Identify media to be safeguarded during transport to/from remote locations;
      - Review and Optimize procedures governing media transport;
      - Review and suggest methods for optimizing protection for media being transported between locations; and
      - Recommend updates to Standards and Procedures, as needed.

12. Project Phases and Assignments
   • Assign Team Members:
      - Define functions to be performed;
      - Select personnel with the required skills to perform the functions;
      - Assign personnel to project functions;
      - Establish a schedule for periodic reviews (Communication Plan);
      - Review project purpose and deliverables with team members;
      - Gain consensus with team members;
      - Agree upon deliverables and schedule (Detailed Work Program); and
      - Develop an Action Plan for team members.

13. Environment Overview
   • Define locations included in the study, such as:
      - Data Centers, Remote Vaults, and Credit Bureaus;
      - Other locations.
   • Define Operating Systems Used.
   • Define Tape Management Systems Used.
   • Review Tape Management Organization and Staff.
   • Review Staff Functional Responsibilities.
   • Review Staff Job Descriptions.
   • Review Tape Management Standards and Procedures Manual.

14. External Relationship Review
   • Define Vendor Relationships:
      - Vaulting; and
      - Media purchase and disposal.
   • Review Vendor Contracts.
   • Review insurance related to media loss.
   • Review company response to media loss (CA 1386).
   • Review media re-use and disposal policies and practices.

15. Selecting Media for Backup and Vaulting
   • Review Vital Records Management procedures:
      - Identifying files for backup and vaulting;
      - Determining the best time to perform backups;
      - Review vaulting procedures; and
      - Discuss operations with management and staff.
   • Review file naming conventions.
   • Review Standards and Procedures for this area of work.
   • Review vaulting schedule and past history.

16. Review How Backups are Created
   • Review Operating System requirements.
   • Review Tape Management System.
   • Review Backup Job Stream and Schedule:
      - Weekly and Monthly backup schedule;
      - Daily Incremental Backups;
      - Other types of backup; and
      - Backup Schedule as it relates to the production schedule.
   • Review physical movement of media to the backup machine and then to the storage area in preparation for vaulting company pickup.
   • Review Backup logs, tracking, and reporting for both the customer and the remote location, so that the recorded location of each file stays synchronized between the two.

17. Review Media Transportation Procedures
   • Define where media is stored before pick-up.
   • Determine whether the location is secure.
   • Review Vault Management System and its usage.
   • Review vaulting procedures for:
      - Local Vault;
      - Customer off-site vault; and
      - Vendor off-site vault.
   • Review associated Standards and Procedures Manual sections relating to the above operations.

18. Audit Vaulting Vendor Location and Procedures
   • Review pickup and delivery procedures.
   • Review log-in and log-out procedures.
   • Review how media is packed, shipped, and received at the vendor location.
   • Review vendor procedures when receiving media for vaulting.
   • Review Vault Management System and its reports.
   • Review any methods for the customer to validate that vaulted media has arrived and has been placed in the storage rack, via remote access or hard-copy reports.
   • Identify Gaps and Exposures associated with the process and documentation.
   • Compare the process with other vendors.
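One way to carry out the manifest-versus-receipt check that slides 16 and 18 call for, as an added example that is not part of the DCAG deck: it reconciles a constructed data-center pickup manifest against a constructed vendor receipt log, flags tapes that never arrived, arrived late or arrived unannounced, and, following slide 6's unencrypted-data trigger, lists the missing tapes whose contents would need a notification review. The CSV layouts, field names, tape IDs, timestamps and the six-hour transit limit are all assumptions made for this example.

```python
"""Reconcile a tape pickup manifest against the vaulting vendor's receipt log.

Added example, not part of the DCAG presentation. All record formats, field
names and sample values below are constructed; in a real engagement the two
feeds would come from the Tape Management System and the vendor's Vault
Management System reports.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed pickup manifest: what the data center handed to the courier.
MANIFEST_CSV = """\
tape_id,shipped_at,dataset,contains_pii,encrypted
T00101,2005-11-07T18:05,CUST.MASTER.WEEKLY,yes,no
T00102,2005-11-07T18:05,GL.JOURNAL.DAILY,no,no
T00103,2005-11-07T18:05,CARD.TXN.INCR,yes,yes
T00104,2005-11-07T18:05,HR.PAYROLL.MONTHLY,yes,no
"""

# Constructed vendor receipt log: what the vault logged in on arrival.
RECEIPTS_CSV = """\
tape_id,received_at,rack
T00101,2005-11-07T21:40,R12-S03
T00103,2005-11-07T21:41,R12-S04
T00102,2005-11-08T09:15,R12-S05
T00999,2005-11-07T21:42,R12-S06
"""

# Assumed contractual transit window; anything slower is worth a follow-up.
MAX_TRANSIT = timedelta(hours=6)


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _flag(value):
    return value.strip().lower() == "yes"


def parse_manifest(text):
    """Map tape_id -> typed manifest fields (ship time, dataset, PII, encryption)."""
    return {
        row["tape_id"]: {
            "shipped_at": datetime.fromisoformat(row["shipped_at"]),
            "dataset": row["dataset"],
            "contains_pii": _flag(row["contains_pii"]),
            "encrypted": _flag(row["encrypted"]),
        }
        for row in _rows(text)
    }


def parse_receipts(text):
    """Map tape_id -> arrival time and rack position recorded by the vendor."""
    return {
        row["tape_id"]: {
            "received_at": datetime.fromisoformat(row["received_at"]),
            "rack": row["rack"],
        }
        for row in _rows(text)
    }


def reconcile(manifest_text, receipts_text, max_transit=MAX_TRANSIT):
    """Compare the two feeds and return the findings an auditor would act on."""
    shipped = parse_manifest(manifest_text)
    received = parse_receipts(receipts_text)
    both = set(shipped) & set(received)
    missing = sorted(set(shipped) - set(received))      # left the site, never vaulted
    unexpected = sorted(set(received) - set(shipped))   # vaulted, but never on a manifest
    late = sorted(
        t for t in both
        if received[t]["received_at"] - shipped[t]["shipped_at"] > max_transit
    )
    # SB 1386 style trigger: lost media holding personal data that was not encrypted.
    notification_review = [
        t for t in missing
        if shipped[t]["contains_pii"] and not shipped[t]["encrypted"]
    ]
    return {
        "missing": missing,
        "unexpected": unexpected,
        "late": late,
        "notification_review": notification_review,
    }


def summarize(result):
    """Render the findings as the lines that would go into the audit report."""
    lines = []
    for key in ("missing", "unexpected", "late", "notification_review"):
        ids = ", ".join(result[key]) or "none"
        lines.append(f"{key:20s}: {ids}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(reconcile(MANIFEST_CSV, RECEIPTS_CSV)))
```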
19. Evaluate Current Vaulting Procedures
   • Evaluate findings and documentation.
   • Identify Gaps and Exposures.
   • Rate the impact of Gaps and Exposures.
   • Make recommendations for improvement.
   • Prepare supporting documentation that makes it easier for the customer and vendor to correct mistakes.
   • Present findings to the customer for review.
   • Make any changes deemed necessary.
   • Create the final media vaulting evaluation document.

20. Evaluate the Need for Encryption
   • Define the types of files that are candidates for Encryption, including:
      - Long-term files may not be good candidates.
      - Short-term sensitive files may be excellent candidates.
      - Financial, Compliance, and other critical files.
   • Define and research the Types of Encryption available:
      - Encryption Key Methodology (128 bit, etc.).
      - Encryption Key escrow and usage procedures.
      - Duration of Encryption Jobs and their impact on production schedules.
      - Define Encryption Selection and Usage criteria.

21. Final Report
   • Management Report.
   • Management Presentation.
   • Discussion of Findings.
   • Working with the customer after the final report.
   • Where do we go from here.