Data Lifecycle Management and Destruction Governance
1. Data Lifecycle Management and
Destruction
Identification, Governance and Controls
Harry Contreras - CISSP, Six Sigma
Phoenix, AZ
www.company.com
Copyright 2010
2. Data Lifecycle Management & Destruction
Topical overview of this presentation material
• What constitutes the elements of information (data) today?
• Overview of physical and logical (electronic) realms
• Governance and control methodologies
• Data Lifecycle Management
• Data destruction issues
• Contractual, regulatory and compliance Issues
• Information escape
• Summary
• Questions and answers
Presentation to ISSA – Phoenix, AZ – October, 2010 1
3. In the beginning…
Collaborative societal norms transition to intellectual property
Who owns an idea or information and how to keep it secure?
4. Why measuring with metrics matters
What constitutes the elements of information today?
Information is proprietary
• The concept of intellectual property (IP) is why we are having this
discussion in the first place, and why we apply control methodologies to contain
and retain this information with security programs and management actions.
“So, I have this idea… this information confidential… has great importance to the
organization… can be considered an asset with intrinsic value.”
Obligated for Confidentiality, Integrity and Availability
• Integral to day-to-day business operations
• Integral to meeting compliance requirements
• Integral to securing company technology position and future success
The proliferation of business information in all forms
5. Why measuring with metrics matters
What constitutes the elements of information today?
These concepts apply to all SMBs and enterprises, globally
• Since advent of computer systems, business operations have been prolific in
their actions to produce information on an ever-increasing scale. This will be a
point of contention in the future between business budgets and compliance
issues.
Reflective moment:
– consider your business, your state and national government and your
personal and family papers in relation to the concepts presented today.
Discovery
• What are the information targets?
• Where is this information, right now, and where will it be later?
• When was it created and for how long must it be retained?
• Who is specifying retention and why?
• What penalties and consequences are the risks of non-compliance?
Regarding Discovery - Someone once said, “You don’t know what you don’t know”.
6. Why measuring with metrics matters
Overview of physical & logical (electronic) realms
Traditional physical realm information concepts
• Has three dimensional qualities – occupies space
• Pushing the limits for volume, size and weight
• Subject to environmental contaminants and physical disaster scenarios
Electronic information age concepts (logical)
• Has no dimensional qualities in basic state of bits & bytes
• In a constant volatile state
• Subject to interruptions in the sustaining system environment - corruptible
Scope creep(y) issues
• Audio & video recordings for company communications and operations.
• Collaboration services and Unified Messaging (UM) compound this.
• Social media services now extend control boundaries to third-parties
Consideration – What and where is your information located at third-parties?
7. It’s everywhere, it’s everywhere…
Audio, video and papers… oh my!
8. Why measuring with metrics matters
Governance and control methodologies
Bringing measures to manage this mess
• Application of structured approach to information (data) management
• Sound management methodologies supported by technological solutions
Policy and Standards
• Corporate position statements for policy and approach to align the company
with regulatory requirements and best practices
• Documented company standards to set the minimum baseline of company
requirements to be implemented, e.g.:
• Information (data) Classification
• Acceptable Use
• Records Retention
• Encryption
• Access Controls
• Non-Disclosure Agreements (NDAs)
9. Why measuring with metrics matters
Governance and control methodologies
Documentation reference inclusions
• Company control specifications for:
• What - data categorization by identified use and risk boundaries
• Where – containment facilities (logical and physical)
• When - conditional circumstances
• Who - personnel authorized to perform specialized actions
• How - handling, storage, marking, transport, etc., of information
Operational processes
• Documented, repeatable and measurable statements of how required actions
are to be carried out for the company.
Records Management… a parallel discipline
10. Why measuring with metrics matters
Governance and control methodologies
Enforcement
• Review of system & application logs for appropriate access and data integrity
• Internal auditing actions and the inevitable “external” audit
• Metrics to measure and to indicate progress of actions to goals
• Manual and automated systems for control measures
Awareness – education and training
• The workforce is the primary business resource to accomplish compliance
• A well trained organization will deliver consistent results
• Addresses the “now what do I do with this?” situations
11. Why measuring with metrics matters
Governance and control methodologies
Containment strategies
• A tiered approach to the stratification of information sensitivity in storage and
use within the company
• Access controls aligned to “need to know”, “separation of duties” and “least
privilege” principles
• A tired but true analogy, “defense in depth” can and should be applied
Control principles to observe
• RBAC – Role Based Access Controls
• PoLP – Principle of Least Privilege
• SoD – Separation of Duties
Develop scalable action plans – “Don’t boil the ocean”
12. Graphical Representation of Information Protections Topology
Generic - Information Categorization Model – Public, Internal and Controlled
Regulatory controlled information is to be located in the secure data storage locations.
Security practices for PoLP, SoD and RBAC applied to access.
[Figure: three nested tiers of information protection; only the recoverable labels are listed here]
• World – Public Use (outermost tier)
• Company – Internal Community Use
• Compliance Controls – Secured Controlled Data Use (innermost tier; *RBAC and compartmentalized data protections)
• Enabled storage; SSL, SSH or other secure tunneling protocols used for access
• Auditing and transaction logging; UserIds; Data Custodian responsibility
• Information Protection Logical Access Boundaries
• Information Protection Physical and Logical Access Boundaries
*RBAC – Role Based Access Control methodology
PoLP – Principle of Least Privilege
SoD – Separation of Duties
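The containment strategy on the last two slides (a tiered Public / Internal / Controlled model with access aligned to RBAC, least privilege and separation of duties) can be written down as a small policy engine. The following Python is an added example, not code from the presentation or its author; the role names, their tier clearances, the actions each role grants and the conflicting-duty pair are constructed assumptions, and every decision is appended to an audit log so the log review from the Enforcement slide has something to read.

```python
"""Added example (not from the presentation): a policy engine for the
Public / Internal / Controlled categorization model, enforcing RBAC,
least privilege (PoLP) and separation of duties (SoD).  Role names,
clearances, actions and the conflicting-duty pair are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Sensitivity tiers of the model, ordered from least to most sensitive."""
    PUBLIC = 0       # "World" use
    INTERNAL = 1     # company community use
    CONTROLLED = 2   # regulatory-controlled data in secured storage


# RBAC: the highest tier each (assumed) role may read ...
ROLE_CLEARANCE = {
    "public_viewer": Tier.PUBLIC,
    "employee": Tier.INTERNAL,
    "data_custodian": Tier.CONTROLLED,
    "records_officer": Tier.CONTROLLED,
    "compliance_auditor": Tier.CONTROLLED,
}
# ... and the actions it grants.  Anything not listed is denied (PoLP).
ROLE_ACTIONS = {
    "public_viewer": {"read"},
    "employee": {"read"},
    "data_custodian": {"read", "write", "approve_disposal"},
    "records_officer": {"read", "execute_disposal"},
    "compliance_auditor": {"read"},
}
# SoD: whoever approves a disposal must not be the one who executes it,
# so these two roles may never be held by the same user.
CONFLICTING_ROLES = {frozenset({"data_custodian", "records_officer"})}

# Every decision is logged for later review.
AUDIT_LOG = []


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def validate_assignment(user):
    """Return a description of each SoD violation in the user's role set."""
    return sorted(
        f"{user.name} holds conflicting roles {sorted(pair)}"
        for pair in CONFLICTING_ROLES
        if pair <= user.roles
    )


def clearance(user):
    """Effective clearance is the highest tier granted by any held role."""
    return max((ROLE_CLEARANCE[r] for r in user.roles), default=Tier.PUBLIC)


def authorize(user, action, data_tier):
    """Allow only if the role set is SoD-clean, some held role grants the
    action, and the user's clearance covers the data's tier."""
    if validate_assignment(user):
        AUDIT_LOG.append(f"DENY {user.name} {action} {data_tier.name}: SoD violation")
        return False
    granted = any(action in ROLE_ACTIONS[r] for r in user.roles)
    decision = granted and clearance(user) >= data_tier
    AUDIT_LOG.append(f"{'ALLOW' if decision else 'DENY'} {user.name} {action} {data_tier.name}")
    return decision


if __name__ == "__main__":
    staff = User("alice", {"employee"})
    print(authorize(staff, "read", Tier.INTERNAL))      # True
    print(authorize(staff, "read", Tier.CONTROLLED))    # False
    for line in AUDIT_LOG:
        print(line)
```

The deny-by-default shape is the point: a user gets an action only when a held role lists it and the data tier is within clearance, and a role assignment that breaks the SoD pair is refused before any action check runs, so the violation shows up in the log rather than in an audit finding later.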
13. Its “round-up” time…
Like Pandora’s box… you know what to do… contain and control are key words
How you gonna keep em down on the server farm?
14. Why measuring with metrics matters
Data Lifecycle Management
Cradle to grave issues
Information – “Time to Live”
• From data creation to retirement of useful data element value
• Provide basis for information lifespan parameters
• Provide tactical control for data management via manual and automated
processes.
• Can be associated with information distribution outside of company controls
• Where does this control information live?
• Typically in the metadata of the physical and logical attributes
You can’t “keep” everything, forever
• A word of caution - “hoarding” is a practice of irresponsible management
• A word of caution on “archiving” – be careful it does not become a hoarding
practice just because you can and have the technology to achieve it.
• Audits will uncover non-compliance to company policy and standards
• Resulting in “findings”.
Institute regular “good housekeeping” practices within the Company
15. Why measuring with metrics matters
Data Lifecycle Management
Cradle to grave issues
Data organization - benefits
• Structured data back-up strategies
• Tiered storage services mapped to data risk landscape
• Prioritization objectives aligned with business requirements
Information “expiration”
• Information Retirement due to end of useful (life) value/valuation benefits
• Based on time span
• End of obligations of contract or regulatory mandate to retain
• Provide basis for information lifespan parameters
• Provide tactical control for data management via manual and automated
processes.
Expiration – other issues
• What is the level of risk to retain or prematurely expire?
• Is the business exercising the appropriate control based on cost or risk?
16. Data Management Program – Decision–Action Cycle
AKA, Plan, Do, Check and Act (PDCA)
[Figure: PDCA cycle; only the recoverable labels are listed here]
• Data Actions – Apply mitigating security controls or changes to services delivery portfolio
• Monitor threat horizon, review new technologies, develop effectiveness measurements
• Interpretation – Assess, review security metrics, benchmarking, analysis of Key Performance Indicators
Continuous improvement through repeatable process controls
17. Data destruction issues
You just can’t put those back-up tapes on the Bar-Be…
Who called the EPA?
18. Why measuring with metrics matters
Data destruction/disposal issues
Target assurance
• Alignment with all data retention requirements
• Compliance with contractual and regulatory requirements
Oh wait…
• Legal holds for pending and ongoing litigation cases
• Contact in-house legal counsel
The who, when, how and why of this order for execution
• Authorized following destruction standard, procedure and process
• Meets EPA regulatory controls
• In compliance with specified destruction processes
• Shredding
• For those “Green” practitioners – Recycling is not the same.
• Incineration
• Pulverize
• Electronic data deletion/erasure/overwrites
• Degaussing – the effectiveness is up for debate
Read the “Regs” and follow the “Specs”
19. Why measuring with metrics matters
Data destruction/disposal issues
Considerations - DIY or Outsource
• Certified Third-Party destruction specialists for disposal
Reporting Actions
Chain of Custody
• You transferred the responsibility
• You transferred the risk
• Auditable handling – document it.
Replication issues
Copies, copies everywhere…
• Physical and digital forms
• Originals and replicas
• Back-up data and that information in tiered retention cycles
A business certification to look for in information disposal outsourcers
NAID National Association for Information Destruction - (International)
www.naidonline.org
Dumpster Diving – still a viable “research” method
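The Data Lifecycle Management slides ("time to live", expiration based on time span or end of a retention obligation) and the two destruction slides (legal holds, an authorized destruction order, chain of custody, and the copies that live in backups and tiered storage) fit together as one disposition check. The following Python is an added example, not code from the presentation or its author; the retention schedule, the record set and the party names are constructed, and the approver/executor split is the separation-of-duties point applied to the destruction order.

```python
"""Added example (not from the presentation): retention, expiration,
legal hold and chain-of-custody logic for record disposal.  The retention
schedule, record set and party names are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Assumed retention schedule: years to keep a record after creation,
# or None for a permanent record.
RETENTION_YEARS = {"marketing": 1, "hr": 7, "financial": 7, "legal_permanent": None}

iso = date.fromisoformat  # "YYYY-MM-DD" -> date


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False
    copies: list = field(default_factory=list)  # where replicas live
    disposed: bool = False


@dataclass
class CustodyEvent:
    record_id: str
    action: str
    actor: str
    when: date


CUSTODY_LOG = []  # the auditable chain of custody


def expiration_date(rec):
    """End of the record's 'time to live', or None if kept permanently."""
    years = RETENTION_YEARS[rec.category]
    if years is None:
        return None
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # created on 29 Feb and the target year is not a leap year
        return rec.created.replace(year=rec.created.year + years, day=28)


def disposition(rec, today):
    """DISPOSED, HOLD, RETAIN or DISPOSE: the decision for one record."""
    if rec.disposed:
        return "DISPOSED"
    if rec.legal_hold:        # a legal hold overrides the schedule
        return "HOLD"
    exp = expiration_date(rec)
    if exp is None or today < exp:
        return "RETAIN"
    return "DISPOSE"


def review(records, today):
    """Map each record id to its disposition; the periodic housekeeping pass."""
    return {r.record_id: disposition(r, today) for r in records}


def dispose(rec, approver, executor, today):
    """Destroy a record and all its copies, but only when the schedule says
    DISPOSE and the approver and executor are different people (SoD);
    every step lands in the custody log."""
    if disposition(rec, today) != "DISPOSE" or approver == executor:
        return False
    CUSTODY_LOG.append(CustodyEvent(rec.record_id, "disposal approved", approver, today))
    for location in rec.copies:  # copies, copies everywhere...
        CUSTODY_LOG.append(CustodyEvent(rec.record_id, f"destroyed copy at {location}", executor, today))
    rec.copies.clear()
    rec.disposed = True
    CUSTODY_LOG.append(CustodyEvent(rec.record_id, "certificate of destruction received", executor, today))
    return True


def sample_records():
    """Constructed records; the categories map onto RETENTION_YEARS."""
    return [
        Record("R1", "marketing", iso("2009-01-15"), copies=["fileserver", "tape-backup"]),
        Record("R2", "hr", iso("2005-06-01")),
        Record("R3", "financial", iso("2002-03-01"), legal_hold=True),
        Record("R4", "legal_permanent", iso("1990-01-01")),
    ]


if __name__ == "__main__":
    today = iso("2010-10-01")
    recs = sample_records()
    print(review(recs, today))  # {'R1': 'DISPOSE', 'R2': 'RETAIN', 'R3': 'HOLD', 'R4': 'RETAIN'}
    print(dispose(recs[0], "custodian_a", "officer_b", today))  # True
    for ev in CUSTODY_LOG:
        print(ev)
```

Two details carry the slides' caveats: the hold check runs before the schedule check, so an expired record under legal hold is never eligible, and disposal walks every known copy rather than the original alone, so a replica left in a backup tier is a data-model error you can see in the log rather than a silent remnant.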
20. What actions do you take with your metrics?
Regulatory, contractual and compliance issues
Some regulatory agencies associated with requirements on information retention
and the implementation of controls in business
• How long and where are the controls to be effective?
A sampling of the US based regulatory/industry agencies
HIPAA Health Insurance Portability and Accountability Act of 1996
FERC Federal Energy Regulatory Commission
FDIC Federal Deposit Insurance Corporation
SEC U.S. Securities and Exchange Commission
IRS Internal Revenue Service
PCI-DSS Payment Card Industry – Data Security Standard
AICPA American Institute of Certified Public Accountants
NARA National Archives and Records Administration
A sampling of the International regulatory agencies
FSA UK – Financial Services Authority
PIPEDA Canada – Personal Information Protection and Electronic Documents Act
21. Regulatory, contractual and compliance issues
A sampling of the US based regulatory / agencies - MORE
Federal Rules of Civil Procedure
• As of December 2006 electronic records are now considered a separate type
of evidence apart from documents. Emails, instant messaging, computer files
all may fall into the category of “discoverable”. (Remember that we covered
digital audio and video files as well.)
• Rule 26 – eDiscovery is born
Sarbanes-Oxley Act
• Public Company Accounting Reform and Investor Protection Act of 2002
This one we all know too well.
• Sub-section 404
In today’s information security practice, consider the regulatory requirements
for cross-border information constraints and international “regs” for data.
22. Information escape
Identifying escapes, or “How did that happen?” events
Lack of policy
• What compels employees to modify “risky” behavior and adopt “appropriate use”?
No documented process or “repeatable” procedure
• Employees are not equipped with the appropriate tools to be successful
No “awareness”
• Awareness training and employee education sessions to raise awareness of
business risks or the “well intentioned employee”
Third-parties
• Contracted parties having access to “controlled” information and not using
specified safeguards
Data “leakage” risks are through multiple sources.
No safe harbor if not “encrypted”.
How information goes out the doors… and becomes a “CNN moment”
23. Why measuring with metrics matters
Summary
24. What actions do you take with your metrics?
Summary
Program development actions
• Policy, standards, procedures and process
• Alignment with Compliance programs
Rationalization actions
• Data life cycle
• Risk impact assessment
Prioritization actions
• Budgeting for Capex and Opex
• Allocation of time and personnel for implementing
Reassessment actions
• The cycle of continuous improvement
• Auditing
For plan development - consider an “inch stones to milestones” approach
25. Why measuring with metrics matters
Summary
Practical Advice
Your “due diligence” activities – “document it”
Obtain endorsement by C-Level and Legal or Privacy
There are subsequent strategy threads – Records Management
MBWA – Management by walking around
Audit outsourcers, contractor and third-parties
(Ensure that “right to audit” clauses are in contracts.)
Other observations
Containment strategies that eliminate data duplication opportunities
Institute “data de-duplication” housekeeping practices
Information has a “half-life” – consider residual remnants
26. Resources – Helpful slides (One of Two)
Some important references to aid in developing a program
ISO 15489 – Records Management Standard
http://www.iso.org/iso/home.htm
Information Systems Security Association - (ISSA) - http://www.issa.org/
CSO Online – http://www.csoonline.com/
SearchSecurity – http://www.searchsecurity.com/
These are just a few of many additional resources to search that have information repositories
A sampling of professional organizations
ARMA – Association of Records Managers & Administrators International
www.arma.org (They have a local AZ chapter)
AHIMA American Health Information Management Association
www.ahima.org
PRISM Professional Records & Information Services Management
www.prismintl.org
28. Questions and answers
Q & A
Legal disclaimer goes here
The “Information Age” reference takes on a broader perspective