Data Lifecycle Management and Destruction

Identification, Governance and Controls

Harry Contreras - CISSP, Six Sigma
Phoenix, AZ

www.company.com
Copyright 2010
Data Lifecycle Management & Destruction
Topical overview of this presentation material

• What constitutes the elements of information (data) today?
• Overview of physical and logical (electronic) realms
• Governance and control methodologies
• Data Lifecycle Management
• Data destruction issues
• Contractual, regulatory and compliance issues
• Information escape
• Summary
• Questions and answers




Presentation to ISSA – Phoenix, AZ – October, 2010             1
In the beginning…

Collaborative societal norms transition to intellectual property

Who owns an idea or information and how to keep it secure?
Why measuring with metrics matter
What constitutes the elements of information today?

Information is proprietary

• The concept of intellectual property (IP) is why we are having this discussion in the first place, and why we apply control methodologies to contain and retain this information with security programs and management actions.

“So, I have this idea… this information confidential… has great importance to the organization… can be considered an asset with intrinsic value.”

Obligated for Confidentiality, Integrity and Availability

• Integral to day-to-day business operations
• Integral to meeting compliance requirements
• Integral to securing the company's technology position and future success

The proliferation of business information in all forms
What constitutes the elements of information today?
These concepts apply to all SMBs and enterprises, globally

• Since the advent of computer systems, business operations have been prolific in producing information on an ever-increasing scale. This will be a point of contention in the future between business budgets and compliance issues.

Reflective moment:
– consider your business, your state and national government and your personal and family papers in relationship to the concepts presented today.

Discovery

• What are the information targets?
• Where is this information, right now, and where will it be later?
• When was it created and for how long must it be retained?
• Who is specifying retention and why?
• What penalties and consequences are at risk for non-compliance?

Regarding Discovery - Someone once said, “You don’t know what you don’t know”.
Overview of physical & logical (electronic) realms
Traditional physical realm information concepts

• Has three-dimensional qualities – occupies space
• Pushing the limits for volume, size and weight
• Subject to environmental contaminants and physical disaster scenarios

Electronic information age concepts (logical)

• Has no dimensional qualities in its basic state of bits & bytes
• In a constantly volatile state
• Subject to interruptions in the sustaining system environment - corruptible

Scope creep(y) issues

• Audio & video recordings for company communications and operations
• Collaboration services and Unified Messaging (UM) compound this
• Social media services now extend control boundaries to third parties

Consideration – What and where is your information located at third parties?
It's everywhere, it's everywhere…

Audio, video and papers… oh my!
Governance and control methodologies
Bringing measures to manage this mess

• Application of a structured approach to information (data) management
• Sound management methodologies supported by technological solutions

Policy and Standards

• Corporate position statements for policy and approach to align the company with regulatory requirements and best practices
• Documented company standards to set the minimum baseline of company requirements to be implemented, e.g.:
    • Information (data) Classification
    • Acceptable Use
    • Records Retention
    • Encryption
    • Access Controls
    • Non-Disclosure Agreements (NDAs)
Governance and control methodologies

Documentation reference inclusions

• Company control specifications for:
    • What - data categorization by identified use and risk boundaries
    • Where - containment facilities (logical and physical)
    • When - conditional circumstances
    • Who - personnel authorized to perform specialized actions
    • How - handling, storage, marking, transport, etc., of information

Operational processes
• Documented, repeatable and measurable statements of how required actions are to be carried out for the company.

Records Management… a parallel discipline
Governance and control methodologies
Enforcement

• Review of system & application logs for appropriate access and data integrity
• Internal auditing actions and the inevitable “external” audit
• Metrics to measure and to indicate progress of actions toward goals
• Manual and automated systems for control measures

Awareness – education and training

• The workforce is the primary business resource to accomplish compliance
• A well-trained organization will deliver consistent results
• Addresses the “now what do I do with this?” situations
Governance and control methodologies
Containment strategies

• A tiered approach to the stratification of information sensitivity in storage and use within the company
• Access controls aligned to “need to know”, “separation of duties” and “least privilege” principles
• A tired but true analogy, “defense in depth”, can and should be applied

Control principles to observe

• RBAC – Role Based Access Control
• PoLP – Principle of Least Privilege
• SoD – Separation of Duties

Develop scalable action plans – “Don’t boil the ocean”
Graphical Representation of Information Protections Topology
Generic - Information Categorization Model – Public, Internal and Controlled
Regulatory controlled information to be located in the secure data storage locations.
Security Practices for PoLP, SoD and RBAC applied to access.

[Figure: nested zones, from the outside in – World (Public Use), Company Community (Internal Use), Compliance Controls (Controlled Use), Secured Data Storage with RBAC and compartmentalized data protections. Annotations: UserIds, Logging and Transaction Auditing Enabled Storage; SSL, SSH or other secure tunneling protocols used for access; Data Custodian Responsibility; Information Protection Logical Access Boundaries; Information Protection Physical and Logical Access Boundaries.]

*RBAC – Role Based Access Control methodology
PoLP – Principle of Least Privilege
SoD – Separation of Duties
It's “round-up” time…
Like Pandora’s box… you know what to do… contain and control are key words

How you gonna keep 'em down on the server farm?
Data Lifecycle Management
Cradle to grave issues
Information – “Time to Live”

• From data creation to retirement of useful data element value
• Provides the basis for information lifespan parameters
• Provides tactical control for data management via manual and automated processes
• Can be associated with information distribution outside of company controls
• Where does this control information live?
    • Typically in the metadata of the physical and logical attributes

You can’t “keep” everything, forever

• A word of caution - “hoarding” is a practice of irresponsible management
• A word of caution on “archiving” – be careful it does not become a hoarding practice just because you can and have the technology to achieve it.
• Audits will uncover non-compliance to company policy and standards
    • Resulting in “findings”.

Institute regular “good housekeeping” practices within the Company
Data Lifecycle Management
Cradle to grave issues
Data organization - benefits

• Structured data back-up strategies
• Tiered storage services mapped to the data risk landscape
• Prioritization objectives aligned with business requirements

Information “expiration”

• Information retirement due to end of useful (life) value/valuation benefits
    • Based on time span
    • End of obligations of contract or regulatory mandate to retain
• Provides the basis for information lifespan parameters
• Provides tactical control for data management via manual and automated processes

Expiration – other issues

• What is the level of risk to retain or prematurely expire?
• Is the business exercising the appropriate control based on cost or risk?
Data Management Program – Decision–Action Cycle
AKA Plan, Do, Check and Act (PDCA)

[Figure: a three-stage cycle]
• Data – Monitor the threat horizon, review new technologies, develop effectiveness measurements.
• Actions – Apply mitigating security controls or changes to the services delivery portfolio.
• Interpretation – Assess, review security metrics, benchmarking, analysis of Key Performance Indicators.

Continuous improvement through repeatable process controls
Data destruction issues
You just can’t put those back-up tapes on the Bar-Be…

Who called the EPA?
Data destruction/disposal issues
Target assurance
• Alignment with all data retention requirements
• Compliance with contractual and regulatory requirements

Oh wait…
• Legal holds for pending and ongoing litigation cases
    • Contact in-house legal counsel

The who, when, how and why of this order for execution
• Authorized following the destruction standard, procedure and process
    • Meets EPA regulatory controls
    • In compliance with specified destruction processes
        • Shredding
            • For those “Green” practitioners – Recycling is not the same.
        • Incineration
        • Pulverizing
        • Electronic data deletion/erasure/overwrites
            • Degaussing – the effectiveness is up for debate

Read the “Regs” and follow the “Specs”
Data destruction/disposal issues
Considerations - DIY or Outsource
• Certified third-party destruction specialists for disposal

Reporting Actions
Chain of Custody
    • You transferred the responsibility
    • You transferred the risk
    • Auditable handling – document it.

Replication issues
Copies, copies everywhere…
    • Physical and digital forms
        • Originals and replicas
        • Back-up data and that information in tiered retention cycles

A business certification to look for in information disposal outsourcers

NAID – National Association for Information Destruction (International)
www.naidonline.org

Dumpster Diving – still a viable “research” method
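As an added illustration (not code from the presentation), the check below applies the expiration rules from the lifecycle slide (time span, end of a contractual or regulatory obligation), the legal-hold override from the destruction slide, and the "copies, copies everywhere" replication issue in one disposition decision. The Record fields, the retention periods, the destruction-method mapping and the sample inventory are constructed for the example.

```python
# Added example (not from the slides): a minimal retention/disposition check.
# Record fields, retention periods and the sample records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Destruction method per classification tier. Constructed mapping; the real one
# comes from the company's destruction standard and the applicable "Regs".
DESTRUCTION_METHOD = {
    "controlled": "destroy per destruction standard (shred/pulverize/overwrite), "
                  "certified vendor with documented chain of custody",
    "internal": "delete/overwrite and record the action",
    "public": "delete",
}

# Date of the presentation, used as "today" for the sample run.
PRESENTATION_DATE = date(2010, 10, 1)


@dataclass
class Record:
    """Control metadata for one information item (its 'Time to Live' attributes)."""
    record_id: str
    classification: str                  # public | internal | controlled
    created: date
    retention_days: int                  # company standard or regulatory minimum
    contract_end: Optional[date] = None  # keep until a contract or mandate ends
    legal_hold: bool = False             # pending or ongoing litigation
    copies: List[str] = field(default_factory=list)  # backups, replicas, tiers

    def __post_init__(self) -> None:
        if self.classification not in DESTRUCTION_METHOD:
            raise ValueError(f"unknown classification: {self.classification}")


def retention_end(rec: Record) -> date:
    """Retention ends at the later of the time-span rule and any obligation date."""
    end = rec.created + timedelta(days=rec.retention_days)
    if rec.contract_end is not None and rec.contract_end > end:
        end = rec.contract_end
    return end


def disposition(rec: Record, today: date) -> Dict[str, object]:
    """Decide RETAIN or EXPIRE for one record and say why.

    A legal hold wins over every expiration rule: counsel must release it first.
    An EXPIRE decision carries the destruction method for the tier and every
    known copy, because destroying the original alone leaves the data in place.
    """
    if rec.legal_hold:
        return {"record": rec.record_id, "action": "RETAIN",
                "reason": "legal hold - contact in-house legal counsel"}
    end = retention_end(rec)
    if today < end:
        return {"record": rec.record_id, "action": "RETAIN",
                "reason": f"retention period ends {end.isoformat()}"}
    return {"record": rec.record_id, "action": "EXPIRE",
            "reason": f"retention ended {end.isoformat()}",
            "method": DESTRUCTION_METHOD[rec.classification],
            "copies": list(rec.copies)}


def review(records: List[Record], today: date) -> List[Dict[str, object]]:
    """Run the disposition check over a record inventory."""
    return [disposition(r, today) for r in records]


# Constructed sample inventory (not real records).
SAMPLE_RECORDS = [
    Record("HR-0001", "controlled", date(2003, 1, 15), 7 * 365,
           copies=["backup-tape-12", "dr-site-replica"]),
    Record("FIN-2002", "controlled", date(2004, 6, 1), 7 * 365,
           contract_end=date(2012, 12, 31)),
    Record("LIT-0042", "internal", date(2001, 3, 3), 3 * 365, legal_hold=True),
    Record("MKT-0007", "public", date(2009, 9, 9), 365),
]

if __name__ == "__main__":
    for result in review(SAMPLE_RECORDS, PRESENTATION_DATE):
        print(result)
```

Note that FIN-2002 would have expired on its time span alone but is held by the contract end date, and HR-0001 lists its backup tape and DR replica so the destruction order covers them too.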
What actions do you take with your metrics?
Regulatory, contractual and compliance issues
Some regulatory agencies associated with requirements on information retention and the implementation of controls in business
    • How long and where are the controls to be effective?

A sampling of the US-based regulatory/industry agencies

HIPAA – Health Insurance Portability and Accountability Act of 1996
FERC – Federal Energy Regulatory Commission
FDIC – Federal Deposit Insurance Corporation
SEC – U.S. Securities and Exchange Commission
IRS – Internal Revenue Service
PCI-DSS – Payment Card Industry – Data Security Standard
AICPA – American Institute of Certified Public Accountants
NARA – National Archives and Records Administration

A sampling of the international regulatory agencies

FSA – UK – Financial Services Authority
PIPEDA – Canada – Personal Information Protection and Electronic Documents Act
Regulatory, contractual and compliance issues
A sampling of the US-based regulatory agencies - MORE

Federal Rules of Civil Procedure
• As of December 2006, electronic records are now considered a separate type of evidence apart from documents. Emails, instant messaging and computer files all may fall into the category of “discoverable”. (Remember that we covered digital audio and video files as well.)
• Rule 26 – eDiscovery is born

Sarbanes-Oxley Act
• Public Company Accounting Reform and Investor Protection Act of 2002. This one we all know too well.
• Sub-section 404

In today’s information security practice, consider the regulatory requirements for cross-border information constraints and international “regs” for data.
Information escape
Identifying escapes or “How did that happen?” events
Lack of policy
• What compels employees to modify “risky” behavior and follow “appropriate use”?
No documented process or “repeatable” procedure
• Employees are not equipped with the appropriate tools to be successful
No “awareness”
• Awareness training and employee education sessions to raise awareness of business risks or the “well intentioned employee”
Third parties
• Contracted parties having access to “controlled” information and not using specified safeguards

Data “leakage” risks come through multiple sources.

No safe harbor if not “encrypted”.

How information goes out the doors… and becomes a “CNN moment”
Summary

Program development actions
• Policy, standards, procedures and process
• Alignment with compliance programs

Rationalization actions
• Data life cycle
• Risk impact assessment

Prioritization actions
• Budgeting for Capex and Opex
• Allocation of time and personnel for implementing

Reassessment actions
• The cycle of continuous improvement
• Auditing

For plan development - consider an “inch stones to milestones” approach
Summary

Practical Advice
• Your “due diligence” activities – “document it”
• Obtain endorsement by C-level and Legal or Privacy
• There are subsequent strategy threads – Records Management
• MBWA – Management by walking around
• Audit outsourcers, contractors and third parties
    (Ensure that “right to audit” clauses are in contracts.)

Other observations
• Containment strategies that eliminate data duplication opportunities
• Institute “data de-duplication” housekeeping practices

Information has a “half-life” – consider residual remnants
Resources – Helpful slides (One of Two)
Some important references to aid in developing a program

ISO 15489 – Records Management Standard
http://www.iso.org/iso/home.htm

Information Systems Security Association (ISSA) - http://www.issa.org/

CSO Online – http://www.csoonline.com/

SearchSecurity – http://www.searchsecurity.com/

These are just a few of the many additional resources with information repositories to search

A sampling of professional organizations

ARMA International – Association of Records Managers & Administrators
www.arma.org (They have a local AZ chapter)

AHIMA – American Health Information Management Association
www.ahima.org

PRISM – Professional Records & Information Services Management
www.prismintl.org
Resources – Helpful slides (Two of Two)
Some important references to aid in developing a program

Media Disposal Toolkit
- Media Disposal Implementation Guide, a UCF media disposal common controls spreadsheet, project work breakdown structure (WBS), Visio diagram of the “Clear, Purge, or Destroy” decision tree, 10 policy implementation templates
© 2008, Unified Compliance Framework Inc.
http://www.unifiedcompliance.com/ Located in the IT Impact Zones / UCF Toolkits offerings section.

Some professional certifications in this subject matter area

CIPP/IT – Certified Information Privacy Professional / Information Technology
International Association of Privacy Professionals
www.privacyassociation.org

CPP – Certified Protection Professional
American Society for Industrial Security
www.asis.org
Questions and answers

Q & A

The “Information Age” reference takes on a broader perspective

Data Archiving white paper
Data Archiving white paperData Archiving white paper
Data Archiving white paper
 
E-Business Suite 2 _ Ben Davis _ Achieving outstanding optim data management ...
E-Business Suite 2 _ Ben Davis _ Achieving outstanding optim data management ...E-Business Suite 2 _ Ben Davis _ Achieving outstanding optim data management ...
E-Business Suite 2 _ Ben Davis _ Achieving outstanding optim data management ...
 
RSA Presentation - 5 Steps to Improving PCI Compliance
RSA Presentation - 5 Steps to Improving PCI ComplianceRSA Presentation - 5 Steps to Improving PCI Compliance
RSA Presentation - 5 Steps to Improving PCI Compliance
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
 
Cor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popiCor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popi
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
CNI Fall 2011 Meeting Presentation Margaret Hedstrom & Robert McDonald (Dec. ...
CNI Fall 2011 Meeting Presentation Margaret Hedstrom & Robert McDonald (Dec. ...CNI Fall 2011 Meeting Presentation Margaret Hedstrom & Robert McDonald (Dec. ...
CNI Fall 2011 Meeting Presentation Margaret Hedstrom & Robert McDonald (Dec. ...
 
Advanced Law Enforcement Investigation Platform
Advanced Law Enforcement Investigation PlatformAdvanced Law Enforcement Investigation Platform
Advanced Law Enforcement Investigation Platform
 
Proact story on Archiving
Proact story on ArchivingProact story on Archiving
Proact story on Archiving
 
Data, Information And Knowledge Management Framework And The Data Management ...
Data, Information And Knowledge Management Framework And The Data Management ...Data, Information And Knowledge Management Framework And The Data Management ...
Data, Information And Knowledge Management Framework And The Data Management ...
 
de theory and practice of digital preservation
de theory and practice of digital preservationde theory and practice of digital preservation
de theory and practice of digital preservation
 
Evolving Domains, Problems and Solutions for Long Term Digital Preservation
Evolving Domains, Problems and Solutions for Long Term Digital PreservationEvolving Domains, Problems and Solutions for Long Term Digital Preservation
Evolving Domains, Problems and Solutions for Long Term Digital Preservation
 
[DSC Europe 23] Milos Solujic - Data Lakehouse Revolutionizing Data Managemen...
[DSC Europe 23] Milos Solujic - Data Lakehouse Revolutionizing Data Managemen...[DSC Europe 23] Milos Solujic - Data Lakehouse Revolutionizing Data Managemen...
[DSC Europe 23] Milos Solujic - Data Lakehouse Revolutionizing Data Managemen...
 
M12S21 - "Corporate Alzheimer's": The Impending Crisis in Accessing Digital R...
M12S21 - "Corporate Alzheimer's": The Impending Crisis in Accessing Digital R...M12S21 - "Corporate Alzheimer's": The Impending Crisis in Accessing Digital R...
M12S21 - "Corporate Alzheimer's": The Impending Crisis in Accessing Digital R...
 
Data Lakes - The Key to a Scalable Data Architecture
Data Lakes - The Key to a Scalable Data ArchitectureData Lakes - The Key to a Scalable Data Architecture
Data Lakes - The Key to a Scalable Data Architecture
 
Medical Clinic - Daragh O Brien
Medical Clinic - Daragh O BrienMedical Clinic - Daragh O Brien
Medical Clinic - Daragh O Brien
 
Improving Performance, Efficiency and Information Governance Control of Share...
Improving Performance, Efficiency and Information Governance Control of Share...Improving Performance, Efficiency and Information Governance Control of Share...
Improving Performance, Efficiency and Information Governance Control of Share...
 
Cassie findlay
Cassie findlayCassie findlay
Cassie findlay
 
Metadata Use Cases You Can Use
Metadata Use Cases You Can UseMetadata Use Cases You Can Use
Metadata Use Cases You Can Use
 
Metadata Use Cases
Metadata Use CasesMetadata Use Cases
Metadata Use Cases
 

Kürzlich hochgeladen

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Kürzlich hochgeladen (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Data Lifecycle Management and Destruction Governance

1. Data Lifecycle Management and Destruction
Identification, Governance and Controls
Harry Contreras - CISSP, Six Sigma
Phoenix, AZ
www.company.com
Copyright 2010

2. Data Lifecycle Management & Destruction
Topical overview of this presentation material
• What constitutes the elements of information (data) today?
• Overview of physical and logical (electronic) realms
• Governance and control methodologies
• Data Lifecycle Management
• Data destruction issues
• Contractual, regulatory and compliance issues
• Information escape
• Summary
• Questions and answers
Presentation to ISSA – Phoenix, AZ – October, 2010 1

3. In the beginning…
Collaborative societal norms transition to intellectual property.
Who owns an idea or information, and how do you keep it secure?

4. Why measuring with metrics matters
What constitutes the elements of information today?
Information is proprietary
• The concept of intellectual property (IP) is why we are having this discussion in the first place, and why we apply control methodologies to contain and retain this information with security programs and management actions.
“So, I have this idea… this information is confidential… has great importance to the organization… can be considered an asset with intrinsic value.”
Obligated for Confidentiality, Integrity and Availability
• Integral to day-to-day business operations
• Integral to meeting compliance requirements
• Integral to securing the company's technology position and future success
The proliferation of business information in all forms

5. Why measuring with metrics matters
What constitutes the elements of information today?
These concepts apply to all SMBs and enterprises, globally
• Since the advent of computer systems, business operations have been prolific in producing information on an ever-increasing scale. This will be a point of contention in the future between business budgets and compliance issues.
Reflective moment – consider your business, your state and national government, and your personal and family papers in relation to the concepts presented today.
Discovery
• What are the information targets?
• Where is this information, right now, and where will it be later?
• When was it created and for how long must it be retained?
• Who is specifying retention and why?
• What penalties and consequences are the risk for non-compliance?
Regarding Discovery - Someone once said, “You don’t know what you don’t know”.

6. Why measuring with metrics matters
Overview of physical & logical (electronic) realms
Traditional physical realm information concepts
• Has three-dimensional qualities – occupies space
• Pushing the limits for volume, size and weight
• Subject to environmental contaminants and physical disaster scenarios
Electronic information age concepts (logical)
• Has no dimensional qualities in its basic state of bits & bytes
• In a constantly volatile state
• Subject to interruptions in the sustaining system environment - corruptible
Scope creep(y) issues
• Audio & video recordings for company communications and operations.
• Collaboration services and Unified Messaging (UM) compound this.
• Social media services now extend control boundaries to third parties
Consideration – What information of yours is located at third parties, and where?

7. It's everywhere, it's everywhere…
Audio, video and papers… oh my!

8. Why measuring with metrics matters
Governance and control methodologies
Bringing measures to manage this mess
• Application of a structured approach to information (data) management
• Sound management methodologies supported by technological solutions
Policy and Standards
• Corporate position statements for policy and approach to align the company with regulatory requirements and best practices
• Documented company standards to set the minimum baseline of company requirements to be implemented, e.g.:
• Information (data) Classification
• Acceptable Use
• Records Retention
• Encryption
• Access Controls
• Non-Disclosure Agreements (NDAs)

9. Why measuring with metrics matters
Governance and control methodologies
Documentation reference inclusions
• Company control specifications for:
• What - data categorization by identified use and risk boundaries
• Where – containment facilities (logical and physical)
• When - conditional circumstances
• Who - personnel authorized to perform specialized actions
• How - handling, storage, marking, transport, etc., of information
Operational processes
• Documented, repeatable and measurable statements of how required actions are to be carried out for the company.
Records Management… a parallel discipline

10. Why measuring with metrics matters
Governance and control methodologies
Enforcement
• Review of system & application logs for appropriate access and data integrity
• Internal auditing actions and the inevitable “external” audit
• Metrics to measure and to indicate progress of actions toward goals
• Manual and automated systems for control measures
Awareness – education and training
• The workforce is the primary business resource to accomplish compliance
• A well-trained organization will deliver consistent results
• Addresses the “now what do I do with this?” situations

11. Why measuring with metrics matters
Governance and control methodologies
Containment strategies
• A tiered approach to the stratification of information sensitivity in storage and use within the company
• Access controls aligned to “need to know”, “separation of duties” and “least privilege” principles
• A tried but true analogy: “defense in depth” can and should be applied
Control principles to observe
• RBAC – Role Based Access Controls
• PoLP – Principle of Least Privilege
• SoD – Separation of Duties
Develop scalable action plans – “Don’t boil the ocean”

12. Graphical Representation of Information Protections Topology
Generic - Information Categorization Model – Public, Internal and Controlled
Regulatory controlled information is to be located in the secure data storage locations. Security practices for PoLP, SoD and RBAC applied to access.
[Diagram: tiers labelled Public Use, Company Internal Community Use, and Compliance Controls / Secured Storage / Controlled Data Use; RBAC and compartmentalized world data protections; SSL, SSH or other secure tunneling protocols used for access; auditing and transaction logging enabled, with UserIds; Data Custodian responsibility; Information Protection Logical Access Boundaries; Information Protection Physical and Logical Access Boundaries.]
*RBAC – Role Based Access Control methodology
PoLP – Principle of Least Privilege
SoD – Separation of Duties

13. It's “round-up” time…
Like Pandora’s box… you know what to do… contain and control are the key words
How you gonna keep ’em down on the server farm?

14. Why measuring with metrics matters
Data Lifecycle Management
Cradle to grave issues
Information – “Time to Live”
• From data creation to retirement of useful data element value
• Provides the basis for information lifespan parameters
• Provides tactical control for data management via manual and automated processes.
• Can be associated with information distribution outside of company controls
• Where does this control information live?
• Typically in the metadata of the physical and logical attributes
You can’t “keep” everything, forever
• A word of caution - “hoarding” is a practice of irresponsible management
• A word of caution on “archiving” – be careful it does not become a hoarding practice just because you can and have the technology to achieve it.
• Audits will uncover non-compliance with company policy and standards
• Resulting in “findings”.
Institute regular “good housekeeping” practices within the company

15. Why measuring with metrics matters
Data Lifecycle Management
Cradle to grave issues
Data organization - benefits
• Structured data back-up strategies
• Tiered storage services mapped to the data risk landscape
• Prioritization objectives aligned with business requirements
Information “expiration”
• Information retirement due to end of useful (life) value/valuation benefits
• Based on time span
• End of obligations of contract or regulatory mandate to retain
• Provides the basis for information lifespan parameters
• Provides tactical control for data management via manual and automated processes.
Expiration – other issues
• What is the level of risk to retain or prematurely expire?
• Is the business exercising the appropriate control based on cost or risk?

16. Data Management Program – Decision–Action Cycle
AKA Plan, Do, Check and Act (PDCA)
[Diagram of the cycle:]
• Data Actions – Apply mitigating security controls or changes to the services delivery portfolio
• Monitor the threat horizon, review new technologies, develop services delivery
• Effectiveness measurements
• Interpretation – Assess and review security metrics, benchmarking, analysis of Key Performance Indicators
Continuous improvement through repeatable process controls

17. Data destruction issues
You just can’t put those back-up tapes on the Bar-Be… Who called the EPA?

18. Why measuring with metrics matters
Data destruction/disposal issues
Target assurance
• Alignment with all data retention requirements
• Compliance with contractual and regulatory requirements
Oh wait…
• Legal holds for pending and ongoing litigation cases
• Contact in-house legal counsel
The who, when, how and why of this order for execution
• Authorized following the destruction standard, procedure and process
• Meets EPA regulatory controls
• In compliance with specified destruction processes
• Shredding
• For those “Green” practitioners – Recycling is not the same.
• Incineration
• Pulverize
• Electronic data deletion/erasure/overwrites
• Degaussing – the effectiveness is up for debate
Read the “Regs” and follow the “Specs”

19. Why measuring with metrics matters
Data destruction/disposal issues
Considerations - DIY or Outsource
• Certified third-party destruction specialists for disposal
Reporting actions
Chain of Custody
• You transferred the responsibility
• You transferred the risk
• Auditable handling – document it.
Replication issues
Copies, copies everywhere…
• Physical and digital forms
• Originals and replicas
• Back-up data and that information in tiered retention cycles
A business certification to look for in information disposal outsourcers
NAID – National Association for Information Destruction (International) – www.naidonline.org
Dumpster diving – still a viable “research” method

20. What actions do you take with your metrics?
Regulatory, contractual and compliance issues
Some regulatory agencies associated with requirements on information, retention and the implementation of controls in business
• How long and where are the controls to be effective?
A sampling of the US-based regulatory/industry agencies
HIPAA – Health Insurance Portability and Accountability Act of 1996
FERC – Federal Energy Regulatory Commission
FDIC – Federal Deposit Insurance Corporation
SEC – U.S. Securities and Exchange Commission
IRS – Internal Revenue Service
PCI-DSS – Payment Card Industry – Data Security Standard
AICPA – American Institute of Certified Public Accountants
NARA – National Archives and Records Administration
A sampling of the international regulatory agencies
FSA – UK – Financial Services Authority
PIPEDA – Canada – Personal Information Protection and Electronic Documents Act

21. Regulatory, contractual and compliance issues
A sampling of the US-based regulatory / agencies - MORE
Federal Rules of Civil Procedure
• As of December 2006, electronic records are now considered a separate type of evidence apart from documents. Emails, instant messaging and computer files all may fall into the category of “discoverable”. (Remember that we covered digital audio and video files as well.)
• Rule 26 – eDiscovery is born
Sarbanes-Oxley Act
• Public Company Accounting Reform and Investor Protection Act of 2002. This one we all know too well.
• Sub-section 404
In today’s information security practice, consider the regulatory requirements for cross-border information constraints and international “regs” for data.

22. Information escape
Identifying escapes, or “How did that happen?” events
Lack of policy
• What compels employees to modify “risky” behavior and observe “appropriate use”?
No documented process or “repeatable” procedure
• Employees are not equipped with the appropriate tools to be successful
No “awareness”
• Awareness training and employee education sessions to raise awareness of business risks, or the “well-intentioned employee”
Third parties
• Contracted parties having access to “controlled” information and not using specified safeguards
Data “leakage” risks come through multiple sources. No safe harbor if not “encrypted”.
How information goes out the doors… and becomes a “CNN moment”

23. Why measuring with metrics matters
Summary

24. What actions do you take with your metrics?
Summary
Program development actions
• Policy, standards, procedures and process
• Alignment with compliance programs
Rationalization actions
• Data life cycle
• Risk impact assessment
• Prioritization actions
• Budgeting for Capex and Opex
• Allocation of time and personnel for implementing
Reassessment actions
• The cycle of continuous improvement
• Auditing
For plan development - consider an “inch stones to milestones” approach

25. Why measuring with metrics matters
Summary
Practical advice
• Your “due diligence” activities – “document it”
• Obtain endorsement by C-level and Legal or Privacy
• There are subsequent strategy threads – Records Management
• MBWA – Management by walking around
• Audit outsourcers, contractors and third parties (ensure that “right to audit” clauses are in contracts.)
Other observations
• Containment strategies that eliminate data duplication opportunities
• Institute “data de-duplication” housekeeping practices
• Information has a “half-life” – consider residual remnants

26. Resources – Helpful slides (One of Two)
Some important references to aid in developing a program
• ISO 15489 – Records Management Standard – http://www.iso.org/iso/home.htm
• Information Systems Security Association (ISSA) – http://www.issa.org/
• CSO Online – http://www.csoonline.com/
• SearchSecurity – http://www.searchsecurity.com/
These are just a few of many additional resources to search that have information repositories
A sampling of professional organizations
• ARMA – Association of Records Managers & Administrators International – www.arma.org (They have a local AZ chapter)
• AHIMA – American Health Information Management Association – www.ahima.org
• PRISM – Professional Records & Information Services Management – www.prismintl.org

27. Resources – Helpful slides (Two of Two)
Some important references to aid in developing a program
• Media Disposal Toolkit – Media Disposal Implementation Guide, a UCF media disposal common controls spreadsheet, project work breakdown structure (WBS), Visio diagram of the “Clear, Purge, or Destroy” decision tree, 10 policy implementation templates. © 2008, Unified Compliance Framework Inc. – http://www.unifiedcompliance.com/ – located in the IT Impact Zones / UCF Toolkits offerings section.
Some professional certifications in this subject matter area
• CIPP/IT – Certified Information Privacy Professional / Information Technology – International Association of Privacy Professionals – www.privacyassociation.org
• CPP – Certified Protection Professional – American Society for Industrial Security – www.asis.org

28. Questions and answers
Q & A
Legal disclaimer goes here
The “Information Age” reference takes on a broader perspective

29. Data Lifecycle Management and Destruction
Identification, Governance and Controls
Harry Contreras - CISSP, Six Sigma
Phoenix, AZ
www.company.com
Copyright 2010
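As an added example that is not part of the deck, the lifecycle rules from slides 14, 15, 18 and 19 written as a small Python decision helper: time-to-live ends at the later of the classification's retention period and any contract or regulatory mandate, a legal hold overrides every expiry, and a destruction order must name every known copy so the chain-of-custody check can flag replicas that never received a certificate. The retention schedule, media-to-method table and record values are constructed placeholders, not the author's figures.

```python
"""Retention and destruction-eligibility helper (illustration, not the deck's own tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample retention schedule: classification -> minimum retention in days.
# Real periods come from the Records Retention standard and the applicable regulation.
RETENTION_DAYS = {"public": 365, "internal": 3 * 365, "controlled": 7 * 365}

# Constructed sample destruction standard: media type -> approved method
# (the deck lists shredding, pulverizing, incineration, overwrite and degaussing).
APPROVED_METHOD = {"paper": "shredding", "optical": "pulverize", "magnetic": "overwrite"}


@dataclass
class Copy:
    location: str   # e.g. "file server", "backup tape set", "vendor SFTP"
    media: str      # "paper", "optical" or "magnetic"


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    copies: list                            # every known replica, originals and back-ups alike
    legal_hold: bool = False
    obligation_end: Optional[date] = None   # end of a contract/regulatory mandate, if any


def expiry_date(rec: Record) -> date:
    """Time-to-live ends at the later of the retention period and any mandate to retain."""
    ttl_end = rec.created + timedelta(days=RETENTION_DAYS[rec.classification])
    if rec.obligation_end is not None and rec.obligation_end > ttl_end:
        return rec.obligation_end
    return ttl_end


def evaluate(rec: Record, today: date) -> str:
    """Return HOLD, RETAIN or ELIGIBLE. A legal hold overrides every expiry date."""
    if rec.legal_hold:
        return "HOLD"
    if today < expiry_date(rec):
        return "RETAIN"
    return "ELIGIBLE"


def destruction_order(rec: Record, today: date, authorised_by: str) -> dict:
    """Build the work order: one line item per copy so no replica is left behind."""
    if evaluate(rec, today) != "ELIGIBLE":
        raise ValueError(f"{rec.record_id} is not eligible for destruction")
    unknown = [c.location for c in rec.copies if c.media not in APPROVED_METHOD]
    if unknown:
        raise ValueError(f"no approved destruction method for copies at: {unknown}")
    return {
        "record_id": rec.record_id,
        "authorised_by": authorised_by,
        "issued": today.isoformat(),
        "items": [{"location": c.location, "method": APPROVED_METHOD[c.media]}
                  for c in rec.copies],
    }


def custody_gaps(order: dict, certificates: dict) -> list:
    """Chain-of-custody check: order line items with no destruction certificate on file."""
    return [item["location"] for item in order["items"]
            if item["location"] not in certificates]


# Constructed sample record: an internal document with three replicas.
SAMPLE = Record(
    record_id="DOC-0001",
    classification="internal",
    created=date(2010, 10, 1),
    copies=[Copy("file server", "magnetic"),
            Copy("backup tape set", "magnetic"),
            Copy("printed binder", "paper")],
)

if __name__ == "__main__":
    today = date(2014, 1, 1)
    print(SAMPLE.record_id, "expires", expiry_date(SAMPLE), "->", evaluate(SAMPLE, today))
    order = destruction_order(SAMPLE, today, authorised_by="records manager")
    # Only two of the three copies have a certificate: the tape set is still outstanding.
    certs = {"file server": "CERT-placeholder-1", "printed binder": "CERT-placeholder-2"}
    print("copies without a certificate:", custody_gaps(order, certs))
```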