August Lunch PPT

Data Loss Prevention
Keeping your sensitive data out of the public domain
What is data?
Data versus Information
Raw material and unorganized facts that need to be
When data are structured or presented in a certain context so as to make them useful, they are called information
Head knowledge
What sensitive data do you hold?
It’s all about the data!
Transaction data
Corporate data
Bank payments
B2B orders
Vendor data
Sales volumes
Purchase power
Revenue potential
Sales projections
Price/cost lists
Target customer lists
New designs
Source code
Pending patents
Intellectual property
Customer data
Customer list
Spending habits
Contact details
User preference
Product customer profile
Payment status
Contact history
Personally identifiable data
Full name
Birthday, birthplace
Biometric data
Credit card numbers
National identification number, passport numbers
Driver's license number, vehicle registration number
Where does your sensitive data reside?
Data is everywhere
Data at
Databases or Repositories
Data in
Data in use
Data at rest
Understanding the problem
Megatrends in data related risks
► Data is the lifeblood of most organizations
► High profile breaches and leaks are in the headlines almost daily
► Data protection will continue to be a significant challenge for organizations
► Four of six megatrends discussed are linked to the risk category “data”
Megatrends in data related risks
Business benefit
The rise of cloud
Mobile computing: Anytime and anywhere connectivity/high-volume portable data storage capability.
Social media: New and advanced information sharing capabilities such as
Lower total cost of ownership.
Focus on core activities and reduction of effort spent on managing IT infrastructure and applications.
Contribute to reduction of global carbon
The increased
of business
persistence of
Increased vulnerability due to anytime, anywhere accessibility.
Risk of unintended sharing, amplification of casual remarks and disclosure of personal and company data. The availability of this data on the web facilitates cyber attacks.
Employees may violate company policies in terms of data leakage.
Lack of governance and oversight over IT infrastructure, applications and
Vendor lock-in.
Privacy and security.
Availability of IT to be impacted by the use of the cloud.
Increased risk to regulatory noncompliance (SOX, PCI, etc.). The cloud also brings about challenges in auditing compliance.
The cloud may impact the agility of IT and organizations; the platform dictated by the provider may not align with software development and strategic needs of the
Failure of the business continuity and disaster recovery plans causing financial or reputational loss.
exposure to
internal threats
The accelerating
change agenda
24/7/365 availability of IT systems to enable continuous consumer support, operations, e-commerce, etc.
Categories of IT Risk
Universe affected
Business/IT risks
Fast adoption of new business models or reducing costs provides organizations with competitive advantage.
Spread of malicious code in company systems causing system outages.
The risk of theft of personal, financial and health information.
Loss of confidential data due to external vulnerabilities.
Financial loss due to unauthorized wire transfers.
Assigning access rights that are beyond what is required for the role by employees or contractors.
Failure to remove access rights to employees or contractors on leaving the
Failure to deliver IT projects and programs within budget, timing, quality and scope causing value leakage.
Security and privacy
Legal and regulatory
Security and privacy
Third-party suppliers and
Applications and databases
Legal and regulatory
Applications and databases
Physical environment
Security and privacy
Applications and databases
Programs and change
Overview of recent incidents
Web technology: On their official weblog, a web technology firm published a message that they uncovered a ploy to collect user passwords, likely through phishing. This ploy affected the personal accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

Public health: A public health corporation had to notify 1.7 million patients, staff, contractors, vendors and others about a reported theft of electronic record files that contained their personal information, protected health information or personally identifiable employee medical information. The information included social security numbers, names, addresses and medical histories.

International gas and oil company: An international oil and gas company lost a laptop which contained personal information for 13,000 individuals including names, social security numbers and addresses. The laptop was not encrypted and the information lost was for claimants against the company.

US public agency: Personal details for 3.5 million teachers and other employees of a US public agency were accidentally published on the Internet. Information released included names, social security numbers and birthdates. This data had been posted on the Internet for over a year without the organization realizing

National retail bank: 2,000 customer records from a national retail bank were stolen by employees prior to leaving and joining a competitor firm. Records included customer bank account numbers, social security numbers and other highly sensitive personal data such as tax returns and pay statements.

Online storage: According to a blog post, an online storage provider explained that, due to an authentication bug, all accounts were at risk of a data breach. As soon as the bug was discovered, all logged-in sessions were disconnected as a precaution. The bug was active for almost 4 hours and took 5 minutes to fix.
Data risk: cause and effect
Data loss risks
Loss or theft of laptops and mobile
Unauthorized transfer of data to USB
Improper categorization of sensitive
Printing and copying of sensitive data by
Insufficient response to intrusions
Unintentional transmission of sensitive
Corporate data
Data theft by employees or external
Your business environment
HR, Legal
Customer data
Brand damage and loss of reputation
Loss of competitive advantage
Loss of customers
Loss of market share
Erosion of shareholder value
Fines and civil penalties
Regulatory fines/sanction
Significant cost and effort to notify affected parties and recover from the
Why does data loss occur?
Lack of awareness
Lack of
Lack of user
responsibility for
their actions
Lack of flexibility in
remote connectivity
No content aware
DLP tools
Lack of secure
Lack of data usage
Lack of data
Lack of data usage
Data loss prevention
What is data loss prevention?
Data loss prevention is the practice of detecting and preventing confidential information from being “leaked” out of an organization’s boundaries (which may be thought of as physical or logical) for unauthorized use.
Data leakage vector
Internal threats
Instant messaging
► Mail
► Webmail
► Web logs
► Web pages/social media
► Removable media
► Classification errors
► Hard copy
► Cameras
► Inadequate logical access
External threats
Hackers/data theft
by intruders
► SQL injection
► Malware
► Dumpster diving
► Phishing
► Social engineering
► Physical theft
Insights on information security
74% of respondents to our Global Information Security Survey 2013 have defined a policy for classification and handling of sensitive data as a control for data leakage risk
Which of the following actions has your organization taken to control data leakage of sensitive information?
Defined a specific policy regarding the classification and handling of sensitive information
Employee awareness programs
Implemented additional security mechanisms for protecting information (e.g., encryption)
Locked down/restricted use of certain hardware components (e.g., USB drives or FireWire ports)
Utilized internal auditing for testing of controls
Defined specific requirements for telecommuting/telework regarding protection of information taken outside office
Implemented log review tools
Implemented data loss prevention tools (McAfee, Symantec, Verdasys, etc.)
Restricted or prohibited use of instant messaging or email for sensitive data transmission
Prohibited use of camera devices within sensitive or restricted areas
Restricted access to sensitive information to specific time periods
Source: Ernst & Young’s Global Information Security Survey 2013
Insights on information security
However, 66% of respondents have not implemented data loss prevention (DLP) tools
Regarding DLP tools implementation, how would you describe that deployment?
We have not implemented DLP tools
Users have largely not noticed the impact of these tools
Our implementation has been a success
Implementation has gone smoothly and according to schedule
It has taken longer than expected to implement
Users have been upset with the impact to their daily routines
Our implementation has not been as successful as expected thus far
Source: Ernst & Young’s Global Information Security Survey 2013
What an organization needs to do
Know your data
Know where it is
Know where it is going
Know who accesses it
A data loss prevention program can address these issues
EY data-centric security model
Data governance
Policies and standards
Risk assessment
Focus areas
Data control
Structured data
Data in motion
Data in use
Data at rest
Perimeter security
Privileged user monitoring
EndPoint security
Network monitoring
Access/Usage monitoring
Host encryption
Internet access control
Data anonymisation
Mobile device protection
Data collection and exchange
Use of test data
Network/intranet storage
Messaging (Email, IM)
Data redaction
Physical media control
Remote access
Export/Save control
Disposal and destruction
Unstructured data
Supporting information security processes
Identity/access management
Security information/event management
Configuration management
Vulnerability management
Digital rights management
Incident response
Physical security
Training and awareness
Asset management
Data privacy/document protection
Employee screening and vetting
Third-party management and assurance
Business continuity
Disaster recovery
Regulatory compliance management
Change management/SDLC
Data in motion
Focus area: Perimeter security
Example control objective: Prevent unencrypted sensitive data from leaving the
Supporting technologies: DLP technology, firewalls, proxy servers

Focus area: Network monitoring
Example control objective: Log and monitor network traffic to identify and investigate inappropriate sensitive data transfers.
Supporting technologies: DLP technology

Focus area: Internet access control
Example control objective: Prevent users from accessing unauthorized sites or uploading data through the web through personal webmail, social media, online backup tools, etc.
Supporting technologies: Proxy servers, content filters

Focus area: Data collection and exchange with third
Example control objective: Data exchange with third parties only occurs through secure means.
Supporting technologies: Secure email, secure FTP, secure APIs, encrypted physical media

Focus area: Use of instant
Example control objective: Prevent file transfers to external parties through instant messaging and other non web-based applications
Supporting technologies: Firewalls, proxy servers, workstation

Focus area: Remote access
Example control objective: Remote access to the company network is secured, and the data that can be saved through remote facilities such as Outlook Web Access is controlled.
Supporting technologies: Encrypted remote access, restrictions on use of remote access tools to prevent data leakage to non-corporate assets
Data in use
Focus area: Privileged user
Example control objective: Monitor the actions of privileged users with the ability to override DLP controls, perform mass data extracts, etc.
Supporting technologies: Security information and event monitoring, operating database and application log files.

Example control objective: Monitor access and usage of high risk data to identify potentially inappropriate usage.
Supporting technologies: Security information and event monitoring, operating database and application log files, endpoint DLP logs.

Focus area: Data sanitation
Example control objective: Sanitize/anonymize sensitive data when it is not required for the intended use.
Supporting technologies: Data sanitation routines and programs.

Focus area: Use of test data
Example control objective: Do not use or copy sensitive data into non-production systems. Sanitize data before moving into test systems when possible.
Supporting technologies: Data sanitation routines and programs.

Focus area: Data redaction
Example control objective: Remove sensitive data elements from reports, interfaces and extracts when they are not necessary for the intended use.
Supporting technologies: Data redaction tools.

Focus area: Export/save control
Example control objective: Restrict user abilities to copy sensitive data into unapproved containers, such as e-mail, web browsers, etc., including controlling the ability to copy, paste and print sections of documents.
Supporting technologies: Endpoint DLP technology, application
Data at rest
Focus area: Endpoint security
Example control objective: Restrict access to local admin functions such as the ability to install software and modify security settings. Prevent malware, viruses, spyware, etc.
Supporting technologies: Operating system workstation restrictions, security software (A/V, personal firewall, etc.), endpoint DLP technology.

Focus area: Host encryption
Example control objective: Ensure hard disks are encrypted on all servers, workstations, laptops and mobile devices.
Supporting technologies: Full disk encryption tools.

Focus area: Mobile device
Example control objective: Harden mobile device configurations and enable features such as password protection, remote wipe facilities, etc.
Supporting technologies: Built in security features, third-party mobile device control products.

Example control objective: Govern access to network-based repositories containing sensitive data on a least privilege basis.
Supporting technologies: Access control software and permission control in operating systems, databases and file storage systems.

Focus area: Physical media
Example control objective: Prevent the copying of sensitive data to unapproved media. Ensure authorized data extraction only takes place on encrypted media.
Supporting technologies: Endpoint DLP technology, endpoint media encryption tools, operating system workstation restrictions.

Focus area: Disposal and
Example control objective: Ensure all equipment with data storage capabilities are cleansed or destroyed as part of the equipment disposal process. (Including devices such as digital copiers, fax machines, etc.)
Supporting technologies: Data erasure/data wiping software.
Data risk reduction
Why data loss prevention?
Data protection life cycle
Implementing a DLPP
Key Components of a DLPP
Data loss prevention drivers and benefits
Prevent brand
damage and loss
of reputation
competitive advantage
Prevent loss
of customers
Prevent loss of
shareholder value
Prevent fines and civil
Prevent regulatory
actions or sanctions
Prevent legal
actions – litigation
Limit cost
and effort for
Example approach
Data in motion
Client issue
Ernst & Young service
It is not known to what extent data leakage is an issue within the organization.
Evidence of data loss is needed to:
► Build a business case for DLP investment.
► Support a DLP risk
► Test effectiveness of DLP controls
Program assessment/
strategic roadmap
Data at rest
The security of company data stored on repositories such as share drives, SharePoint sites and intranet sites is uncertain.
Sensitive customer data or client intellectual property may be stored on widely accessible internal systems.
‘Rogue’ servers/workstations may be sharing sensitive data in an uncontrolled way.
Data in motion:
► Meet with key stakeholders to understand network weaknesses for DLP.
► Conduct a facilitated workshop to determine high-risk data.
► Customize DLP rules to focus on high-risk data and add company specific criteria.
► Utilize our DLP appliance onsite to analyze electronic communications for an agreed period of time.
► Review and validate the incidents generated and develop a report highlighting high-risk exposures.

Data at rest:
► Meet with key stakeholders in a facilitated workshop to determine high-risk data.
► Customize DLP rules to focus on high-risk data and add company specific criteria.
► Utilize our DLP appliance to scan high-risk data repositories or network segments.
► Review and validate the incidents generated and develop a report highlighting high-risk exposures.
Data discovery
Data privacy assessment
The lack of a robust DLP program is a known issue. However, the root cause of data loss is unknown.
An assessment of DLP processes and controls and/or a roadmap for developing the program and integrating it into the existing security program is needed.
Assistance with managing the complex regulatory and compliance requirements associated with customer privacy or responding to inquiries and incidents is required.
Services in options 1 and 2.
Conduct a current state assessment of the overall DLP program.
Develop a strategy and roadmap to build a robust DLP program that is integrated with the existing security
Provide a report of high-level issues that were identified with recommendations for risk mitigation and control improvement.
Conduct a current state privacy
Assess compliance with specific regulations.
Recommend improvements to data privacy controls and practices.
Assist in responding to specific privacy incidents/breaches.
Control assessments
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by
our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our
wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more
information about our organization, please visit
© 2014 EYGM Limited.
All Rights Reserved.
This publication contains information in summary form and
is therefore intended for general guidance only. It is not intended to be a substitute
for detailed research or the exercise of professional judgment. Neither EYGM Limited
nor any other member of the global Ernst & Young organization can accept any
responsibility for loss occasioned to any person acting or refraining from action as a
result of any material in this publication. On any specific matter, reference should be
made to the appropriate advisor.