data protection & security breakfast briefing master slides 28 june-final

IBM Data Protection & Security Breakfast Briefing, 28th April 2015 (© 2015 IBM Corporation)

Upload: dr-donald-macfarlane

Post on 07-Aug-2015



Agenda

08.15 Arrival & Breakfast

08.45 Data Protection: Legal, Security and Regulatory Update (Dr Donald Macfarlane, IBM)
EU General Data Protection Regulations are changing - what does this mean for your organisation? Cyber-protection is high profile - breaches can cost you your business. Not knowing what business know-how and IP you have puts you at a disadvantage. What to do when the regulator or solicitors get involved. Your customers have a right to privacy and a right to protect their personal data, regardless of where that data is stored or how it was first collected; this now includes a right to be forgotten. We will cover practical data protection, business data security (sensitive data and IP) and information governance policies/practices enforcement - we will help you build a culture of compliance and corporate protection within your organization.

09.15 Panel Discussion
Robert Duggan, Partner - Mourant Ozannes; Gregory Campbell, Case Manager - Clifford Chance; Monika Tomczak-Gorlikowska, Data Privacy Counsel - Shell International Limited; Mark Callahan, CEO - Gravicus; Dr Donald Macfarlane, IBM

10.00 How can Analytics help your organisation adhere to these rules and regulations? (Solomon Barron, IBM)

10.15 Wrap up and Q&A

10.30 Close & Networking

Data Protection: Legal, Security and Regulatory Update

Dr Donald Macfarlane, IBM

Organizations today face a growing range of adversaries

• The number and variety of new adversaries and threats continues to grow
• Old threats don’t always disappear - new threats keep adding to the total landscape
• The old way of providing Managed Security Services has grown stale - still a requirement, but not enough on its own


Information Doubles Every Two Years

1 Zettabyte = 1,000 Exabytes = 1,000,000 Petabytes

10 Zettabytes - Information under management in 2014 (Source: IDC Digital Universe, 2012)

44.8 million - Estimated number of records that were compromised in 2012. Erroneous delivery of e-mails and documents was the leading threat action among the 47,000+ security incidents studied from 2012 (Source: Verizon 2013 Data Breach Investigations Report)

70% - Portion of information unnecessarily retained: percentage of total information retained inside an organization which has no business value and no legal or compliance obligation* (Source: CGOC Summit Survey)

Hidden in corporate data are vast amounts of data, some of which is likely to attract protection under global privacy rules and regulations - the key is knowing which.

* Indeed, much of this data being kept is likely to have privacy obligations that are often failing to be met.


EU Landscape 3-fold Problem

Global Implications

1. Existing Data Protection Directive – local laws

2. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)

3. Upcoming EU General Data Protection Regulation


Privacy within the EU

Within the EU:
• Individuals have a right to privacy - “private and family life, his home and his correspondence” (Article 8 ECHR)
• Individuals have a right to protection of personal data - “Everyone has the right to the protection of personal data concerning him or her” (Article 8 ECFR)
• Data protection is somewhat narrower in scope than the concept of privacy, as it does not specifically cover the right to a private life, private home, private correspondence, etc.

Data protection gives individuals:
• The right to know what personal data is collected, on what legal grounds, how it is used, for how long it is used and kept, and by whom
• Specifically, the rights to access, modify, update or ask for deletion of such data, e.g. the right to know what data is gathered or stored about you, to access this and to request modification/deletion


Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) - the Google Spain case

The Court of Justice of the European Union held that an internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.

The outcome of the ruling is that an ‘internet search engine’ must remove links to freely accessible web pages resulting from a search on a person's name where the information is, e.g., inadequate, irrelevant, no longer relevant or excessive (in time).

Requests from the relevant authorities can order removal. The Court did not explicitly grant a “right to be forgotten”; instead it relied upon the data subject's rights deriving from Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.

Commentators state that the Google Spain decision aligns with the upcoming “right to be forgotten” in the GDPR.


What is changing with the GDPR / What is being reported?

Today’s environment is one of increasing reports of cyber-security attacks. Consumers are wary of data privacy and the protections put in place by big business.

Cyber-criminals seek new ways to access credit card numbers, expiration dates, account holder names and CBB codes, intellectual property, and other sensitive information.

Reputational management has also become a major consideration - PII breaches are high profile and focus attention on the vulnerability of user data, but more importantly consumers hold YOU responsible.

This provides the backdrop for the upcoming data privacy rule changes:
• The new Regulation introduces greater transparency and greater accountability
• Fines for non-compliance have become significant
• Rules apply to any non-European company handling EU-specific data


What is changing with the GDPR / What is being reported?

• Single set of rules across the EU and a single EU regulator - covers all EU countries
• Regulation now has teeth - up to €100m penalty, or 5% of annual turnover
• Includes all EU citizen data on cloud, social media and third parties

Rights of Data Subjects and Obligations on business
• "Right to be forgotten" - Can you, as a business, prove it?
• "Show me my data" - Do you know what and where it is on your systems?
• "Privacy by design" - How are you planning this long-term?
• Companies have to proactively certify compliance - Are you confident you can comply?


Personally Identifiable Information: Direct and Indirect

“Any information about an individual… including (1) information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and/or (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”* E.g. a user's IP address as used in a communication exchange is classed as PII regardless of whether it may or may not on its own be able to uniquely identify a person.

Examples: email address, unique national identification number, tax, passport or identity card number, vehicle registration plate number, driver's license number, biometric data (face, fingerprints, or handwriting), credit card numbers, date of birth and birthplace, gender/race, genetic/medical information, telephone number, login name, screen name, nickname, or handle, IP address (in some cases), geographical data, qualifications, criminal record data, employment details…

How it is found: alphanumeric sequences (pattern matching) and/or training sets using classification technology

* National Institute of Standards and Technology (NIST) definition


What obligations flow from the GDPR

• Article 3 - Scope: “…applies to the processing of personal data by a controller not established in the Union…”
• Article 15 - Right of Access: data subjects have the right to know “whether or not data relating to the data subject is being processed”, and in addition will be provided with details relating to purpose, categories, recipients, storage periods, significance and how to seek rectification.
• Article 17 - Right to Erasure (“to be forgotten”): the data controller must erase the data if the individual objects to their data collection for a specific reason, e.g. no consent for marketing usage, and/or if the data is not being processed in accordance with the Regulation. Data must be deleted if it is no longer needed, or if “the data subject withdraws consent on which the processing is based…”
• Article 19 - Right to Object and Profiling: the “data subject shall have right to object…unless the controller demonstrates compelling legitimate grounds for processing which override…”
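The Article 15 and Article 17/19 obligations above can be expressed as executable policy rather than left as a paper process. The following is an added example, not material from the deck or from any IBM product: a small disposition engine that, for each constructed record, answers "must this be erased, and why?" using the triggers the slide lists (consent withdrawn, objection without an overriding ground, no longer needed, retention period expired), plus a subject access report that shows a data subject what is held about them, on what basis and for how long. The retention schedule, the treatment of a "legal_obligation" basis as an overriding ground, and the default of erasing data whose purpose no policy covers are assumptions chosen for illustration, not legal advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    purpose: str            # why the data is held, e.g. "contract", "marketing"
    legal_basis: str        # "consent", "contract" or "legal_obligation"
    collected: date
    consent_withdrawn: bool = False
    objected: bool = False
    still_needed: bool = True   # a live business need still exists (e.g. open contract)

# Retention schedule: maximum days the data may be kept after collection.
# Constructed illustrative values (assumption), not a real legal schedule.
RETENTION_DAYS = {"contract": 6 * 365, "marketing": 2 * 365, "payroll": 7 * 365}

def erasure_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return ("erase" | "retain", reason) for one record as of `today`."""
    # Art 17: consent was the only basis and it has been withdrawn
    if rec.legal_basis == "consent" and rec.consent_withdrawn:
        return "erase", "consent withdrawn (Art 17)"
    # Art 19: objection stands unless an overriding ground exists; here a
    # statutory duty (legal_obligation) is treated as that ground (assumption)
    if rec.objected and rec.legal_basis != "legal_obligation":
        return "erase", "data subject objected, no overriding ground (Art 19)"
    # Art 17: data no longer needed for the purpose it was collected for
    if not rec.still_needed:
        return "erase", "no longer needed for its purpose (Art 17)"
    # Privacy by default: a purpose with no retention policy is not kept
    limit = RETENTION_DAYS.get(rec.purpose)
    if limit is None:
        return "erase", "no retention policy covers purpose '%s'" % rec.purpose
    if today - rec.collected > timedelta(days=limit):
        return "erase", "retention period for '%s' expired" % rec.purpose
    return "retain", "within retention period for '%s'" % rec.purpose

def run_disposition(records: List[Record], today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate every record; the result is the audit trail for the disposition run."""
    return {r.record_id: erasure_decision(r, today) for r in records}

def subject_access_report(records: List[Record], subject_id: str, today: date) -> List[dict]:
    """Art 15 'show me my data': what is held, why, on what basis, and until when."""
    report = []
    for r in records:
        if r.subject_id != subject_id:
            continue
        limit = RETENTION_DAYS.get(r.purpose)
        report.append({
            "record_id": r.record_id,
            "purpose": r.purpose,
            "legal_basis": r.legal_basis,
            "collected": r.collected.isoformat(),
            "retain_until": (r.collected + timedelta(days=limit)).isoformat() if limit else None,
            "current_decision": erasure_decision(r, today)[0],
        })
    return report

# Constructed sample records (assumption: fictitious subjects and dates)
SAMPLE_RECORDS = [
    Record("r-001", "alice", "contract", "contract", date(2012, 3, 1)),
    Record("r-002", "bob", "marketing", "consent", date(2014, 1, 10), consent_withdrawn=True),
    Record("r-003", "alice", "marketing", "consent", date(2012, 1, 1)),
    Record("r-004", "carol", "payroll", "legal_obligation", date(2010, 5, 5), objected=True),
    Record("r-005", "dave", "analytics", "contract", date(2015, 1, 1)),
]

if __name__ == "__main__":
    as_of = date(2015, 4, 28)
    for rid, (action, why) in run_disposition(SAMPLE_RECORDS, as_of).items():
        print(rid, action, "-", why)
    for row in subject_access_report(SAMPLE_RECORDS, "alice", as_of):
        print(row)
```

Every decision carries its reason, so the same run doubles as the Article 22 evidence that the controller can "demonstrate" compliance rather than merely assert it.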


Obligations on Controllers & Processes

• Article 22 - Responsibility of the Controller: “The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation” - verification and effectiveness
• Article 23 - Data Protection by Design and by Default: requirement to implement technical and organizational measures to meet the Regulation and ensure the data protection rights of the subject are met, having regard to the state of the art and the cost of implementation. Note: an 18 month implementation period is often discussed.

Organizations need to take action to avoid issues and ensure they are able to prove compliance - so what is best practice?


GDPR: Timeline Update

On 28th January 2015, Data Protection Day, European Commission VP Andrus Ansip and commissioner Věra Jourová issued a joint statement to say ongoing negotiations on the GDPR will conclude before the end of this year.

“EU Data Protection reform also includes new rules for police and criminal justice authorities when they exchange data across the EU. This is very timely, not least in light of the recent terrorist attacks in Paris. There is need to continue and to intensify our law enforcement cooperation. Robust data protection rules will foster more effective cooperation based on mutual trust. We must conclude the ongoing negotiations on the data protection reform before the end of this year. By the 10th European Data Protection Day, we are confident that we will be able to say that the EU remains the global gold standard in the protection of personal data”


Best Practice & Solutions


What, Where & How

What are common security breach causes?
1. Sensitive personal data stored behind a corporate firewall inappropriately, e.g. Sony’s storage of over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony held, was leaked to the public.
2. Mis-use of sensitive data internally and/or data leakage/loss, e.g. employees repurposing company data stored without sufficient safeguards and/or application of corporate policy, leading to loss of HDD
3. Data stored in breach of stated corporate policy/T&Cs agreed with their customers, e.g. MoD, Sony, Google and potentially many others

Where is the data likely to be? Email, SharePoint, fileshare(s), archives, PC/laptop HDD, databases, cloud, USB devices etc.

How do we propose to locate and remediate? Indexing of unstructured data and policy syndication in archives across the IT estate: StoredIQ (SIQ) - pattern recognition, active intelligence; IBM Content Classification (ICC) - automatic classification; and Atlas for the storage of local law policies.

Business Remediation Processes
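The "pattern recognition" step above, and the earlier PII slide's "alphanumeric sequences and/or training sets using classification technology", come down to the same mechanism: scan each document for candidate sequences, validate them, and label the document so policy can act on it. The following is an added example written for this page, not code from the deck or from StoredIQ or IBM Content Classification. It scans a constructed mini-corpus for four PII categories (email address, IPv4 address, UK National Insurance number, payment card number), uses a Luhn check to drop digit strings that merely look like card numbers, masks every hit so the report itself does not become a second copy of the PII, and labels each document for the disposition step. The sample documents, file paths and the category set are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    kind: str       # PII category, e.g. "credit_card"
    masked: str     # value with all but the last 4 characters masked, safe for reports
    offset: int     # character position in the document

# Candidate patterns; a hit only counts once its validator (if any) accepts it.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # UK National Insurance number: two prefix letters (D, F, I, Q, U, V never used;
    # O never used as second letter), six digits, suffix A-D
    "nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"),
    # 13-19 digits, optionally grouped with spaces or hyphens
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits in `number`; rejects random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def ipv4_ok(addr: str) -> bool:
    """Reject dotted quads with an octet above 255."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))

VALIDATORS = {"credit_card": luhn_ok, "ipv4": ipv4_ok}

def mask(value: str) -> str:
    return "*" * max(len(value) - 4, 0) + value[-4:]

def scan_text(text: str) -> List[Finding]:
    """Return validated, masked PII findings in document order."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            check = VALIDATORS.get(kind)
            if check and not check(value):
                continue            # looked like PII but failed validation
            findings.append(Finding(kind, mask(value), m.start()))
    return sorted(findings, key=lambda f: f.offset)

def classify_corpus(docs: Dict[str, str]) -> Dict[str, dict]:
    """Label each document so a retention/erasure policy can be applied to it."""
    report = {}
    for path, text in docs.items():
        findings = scan_text(text)
        report[path] = {
            "label": "personal-data" if findings else "no-pii-detected",
            "kinds": sorted({f.kind for f in findings}),
            "findings": findings,
        }
    return report

# Constructed sample documents (assumption: fictitious content, test card number)
SAMPLE_DOCS = {
    "hr/payroll_2014.txt": "Employee J. Smith, NINO AB123456C, salary paid to card "
                           "4539 1488 0343 6467. Contact j.smith@example.com",
    "it/server_log.txt": "Client 192.168.10.42 connected; session id 1234567890123456",
    "marketing/press_release.txt": "Our new product launches in 2015. Call 555-0100 for details.",
}

if __name__ == "__main__":
    for path, result in classify_corpus(SAMPLE_DOCS).items():
        print(path, result["label"], result["kinds"])
        for f in result["findings"]:
            print("   ", f.kind, f.masked, "@", f.offset)
```

The 16-digit session id in the server log is the case a pure regex approach gets wrong: it matches the card pattern but fails the Luhn check, so the log is labelled by its IP address alone. Real deployments add the training-set classifiers the slide mentions for categories that have no checksum (medical or employment text, for instance), but the validate-then-mask-then-label pipeline is the same.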


STEP 1: Identify Sources and Types of Data

Information Governance Reference Model (IGRM) diagram: the stakeholders RIM, Legal, Privacy and Security, Business and IT surround an ILG hub of Analytics, Discovery, Disposal, Archiving and Retention.

• Unified governance
• Information stakeholders
• Policy integration

http://www.edrm.net/projects/igrm


STEP 2 - Using IGRM/Stakeholders to guide the Solution:

Legal: identification of sources and data types - discovery and indexing to identify key areas of risk, index data and be in a position to take action/remediate. Classification & archiving of identified sources. Early data assessment.

Privacy/Security: compliance with automated governance to corporate policy - addresses secure storage, privacy, audit trails and accountability for personal information.

RIM: Records & Security - automated file-level application - addresses "Privacy by design"; demonstrates best practice by aligning private data with the reason for retaining it, and proactively driving timely disposition.

LOB: Business - take advantage of the Privacy Dividend - customers trust you with their data and will spend more with you rather than a competitor.

IT: Funding - storage reduction/cost take-out to fund the programme.


“ACTIVE” INTELLIGENCE - address historical and future: Identify, Analyze & Act

Architecture diagram. Data sources feeding the platform: Email Servers, ECM, Cloud, Media Archive Platform, Forensic Images/Tapes, File Servers, Desktops/Mobile, SharePoint & Enterprise Collaboration, Social Networks. Users: Data Manager, Business Stakeholder and IT Expert, each with a window on to Privacy/Security/Confidential/Compliance data driven by a Business Outcome/Need. Business Outcome specific filters, actions, local policies, critical reports, audit trails etc.

GDPR articles mapped to each function:
• Data Subject Access / Defence: Art 7 - consent; Art 11 - transparency; Art 12 - procedure; Art 17 - erasure; Art 28 - documentation
• Privacy / Compliance - Compliance Audit: Art 7 - consent; Art 11 - transparency; Art 12 - procedure; Art 22 - controller responsibility; Art 30 - security
• Discovery: Art 14 - information; Art 15 - right of access; Art 23 - design/default; Art 30 - notification; Art 33 - impact assessment
• Classification and Retention Execution: Art 18 - portability; Art 19 - right to object; Art 21 - restrictions


The Data and Data Source Challenge:

• Hundreds of threats, multiple threat actor groups, a wide variety of tactics - from manipulative behaviors to malware
• Finding the data that should capture the attention of your organization requires:
 - Expertise in targeted threat analysis - knowing where and how to collect meaningful data
 - Technology to manage threat intelligence
 - Business insight in knowing how to identify the threats most significant to a specific organization, and to provide strategic guidance and tactical solutions to improve security posture

KEY - How can organizations make this challenge not only manageable, but cost effective?

Diagram: threat data collected from multiple sources worldwide (Open Source Intelligence, Internal Data, Third Party Providers) -> analysis of targeting and distillation to the most significant threats -> business-targeted actionable findings


Use of Active Threat Intelligence: insight into effective action

Discover and Assess
• Active Threat Intelligence partner discovers a new targeted threat or technique (New Threat)
• Process notes that the threat has a high probability of impact on the client
• Process communicates threat detail to the client and provides: steps to harden defense; tactics for monitoring threat activity
• Process delivers detailed insight into the threat actor and the tactics involved

Respond
• Process may relay additional information to the threat intelligence partner, such as malware samples, AV signatures and activity logs
• Process may analyze additional data to further refine insight into the nature of the threat
• Process monitors external data for changes in the nature of the threat; if evidence of threat activity is detected, the Advisor may direct the client to engage incident response, remediation and forensic analysis

Adapt
• Process continues to monitor the threat on an ongoing basis
• Based on intelligence findings, Process may recommend changes to the client’s security posture and consulting to adapt security strategy


5 Steps to Comply and THRIVE

The burden of data privacy increases due to 3 main factors: increasing data, consumer awareness/media, and the continuing evolution of data regulation across the world (including the increased use of civil penalties for breach). Large corporate tendencies “to keep everything” for the “longest legislated period in an operational market” increase risk - the internet of everything.

1. TRANSITION - Use the transition period between now and 2017 to set strategy.

2. HOUSING - Plan data housing, including data center location and data audit/compliance

3. RIGHTS (Privacy) - Consider data subject rights, and prepare for subject access requests

4. INTERNATIONAL - Establish guidance for international data transfers

5. VARIETY - Consider the variety of data types and sources, including social and mobile

6. EDUCATE & EVANGELIZE - Get stakeholders, especially executives, on board.


Panel Discussion

Robert Duggan, Partner - Mourant Ozannes; Gregory Campbell, Case Manager - Clifford Chance; Monika Tomczak-Gorlikowska, Data Privacy Counsel - Shell International Limited; Mark Callahan, CEO - Gravicus; Dr Donald Macfarlane, IBM

An Analysis of Analytics

Solomon Barron, IBM Analytics Information Governance Specialist

Modern day Alchemy?

Definition of alchemy (noun): the medieval forerunner of chemistry, concerned with the transmutation of matter, in particular with attempts to convert base metals into gold or find a universal elixir

big data, digital detritus


Or put it another way...


Types of data analytics

User-driven, single or limited facet analysis
- Large corpus, data at rest, trend spotting
 • Things you don’t know you don’t know, e.g. factoids!
- Large corpus, data at rest, intelligence gathering
 • Things you know you don’t know, e.g. sentiment analysis

System-driven, multi-faceted, exhaustive analysis
- Large corpus, data at rest and in motion - actual business insight
 • Things you ought to know!

Content analytics...


IBM Analytics

Unlimited corpus scope, to answer questions such as...
- What is happening? • Descriptive
- Why is it happening? • Diagnostic
- What could happen next? • Predictive
- What should I do? • Prescriptive


The sum of the parts

● Not just a set of tools ●

● Beyond business intelligence ●

● Turns intelligence into action ●

IBM Analytics allows you to...

• Reduce the time between insight and action
• Enable decision makers to find their own answers
• Empower people at every level to act with confidence


But what about content analytics?

Data Protection & Security...
- ... is not interested in the corpus as a whole
 • What’s my potential exposure vis-à-vis each individual content object?
- ... requires document level analysis
 • What type of documents are in this location?
- ... requires business intelligence for multiple document types
 • How should different document types be handled?
- ... requires an understanding of semantic entities in your business
 • PCI, PII, account numbers, NINOs, etc.


IBM Content Classification

…categorizes and organizes content by combining multiple methods of context-sensitive analysis. It enables workers to focus on higher value activities by consistently and accurately automating content-centric categorization decisions. It is designed to help tame the explosion of unstructured content, delivering better accessibility, usability, compliance and analytics.


IBM Content Classification


Does this scale for your organisation?

How do you address 00’s terabytes or even petabytes of files?

StoredIQ provides a massively scalable delivery vehicle for enterprise-wide content assessment and analysis

Allows you to prioritise and target deep content classification analytics across the entire data estate


StoredIQ dashboard


It's not just about EU data compliance...

• Can you find relevant content, quickly? - “Search, Refine, Repeat” is no longer acceptable - Image Capture, Content Collection, Enterprise Search
• Are you uncovering business insight from your content? - Organized content produces better insight - Content Analytics
• Is the right content available at the right time? - Business processes require timely access to content - Business Process Management, Case Management
• Are you complying with Legal and Business mandates? - Content has a compliance lifecycle that must be enforced - Content Collection, Enterprise Records, eDiscovery


Any questions???


Backup


Legal Disclaimer

• © IBM Corporation 2015. All Rights Reserved.

• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
