
Protecting Aggregated Data
US-CERT

December 5, 2005

Produced by US-CERT, a government organization

Table of Contents

Executive Summary
Purpose and Scope
Background
Understanding the Problem
    Replication and Persistence
    Ownership
    Transformation
    Valuation
Understanding the Risks and Impacts
    Value Placed at Risk
    Short-term Impacts
        Ability to Offer and Fulfill Customer Transactions
        Customer and Partner Identity and Privacy
    Long-term Impacts
        Trust
        Compliance and Legal Liability
Security Management for Large Volumes of Aggregated Data
    Understand the Information
    Apply Good Management Principles
    Apply Good Security Practices
Appendix A
References

Executive Summary

In their ongoing quest for improved operational efficiency, organizations have come to rely on the ability to collect, access, and process large volumes of electronic data (aggregated data). This reliance has evolved with the development of sophisticated database software and the growing availability of hardware with storage capacity measured in terabytes. By possessing such large volumes of data, however, organizations assume certain risks and responsibilities:

- Large data stores are valuable informational assets that have become targets for cyber criminals.
- Electronic data can be easily copied, modified, and distributed, making the total retrieval or destruction of compromised or stolen data assets impossible to confirm.
- Owners and custodians of large data stores assume responsibility for maintaining the privacy and integrity of the information under their control.

Theft or compromise of customer, partner, or other data held by an organization has a number of short- and long-term consequences. The dollar value of these consequences can exceed that of the data itself. These consequences include

- interference with an organization's day-to-day operations
- interference with an organization's ability to fulfill customer and partner transactions
- erosion of trust relationships between the organization and its customers and/or partners
- violation of federal and/or state laws governing the protection of aggregated data
- exposure to civil litigation claims

By applying sound management principles and good security practices, organizations can mitigate these risks and better protect the aggregated data under their control. Organizations must understand the nature and disposition of the data, determine its value, and calculate acceptable risk. Their data management and security strategies must make leaders accountable for effective oversight of data security, heighten data security awareness, ensure legal compliance, and require regular data security audits and the development and execution of incident management plans. Leaders and the strategies they develop should also address sound security architecture and design, physical security management, the management of partner processes and activities that affect data security, vulnerability management, and business continuity. By working to ensure the security of the aggregated data in their charge, organizations can not only avoid the negative consequences associated with a data security breach, but strengthen their relationships with customers and partners and enhance their reputations in the community at large.

Purpose and Scope

The purpose of this paper is to discuss the security issues, business impacts, and potential strategies of U.S. industry, government, and academic organizations that create and maintain large aggregations of data, such as digital repositories, databases, data warehouses, and aggregated information systems. The paper first examines characteristics of data and information with respect to how they create security management challenges when information is compiled and aggregated. The paper highlights consequences, negative impacts, and ramifications to organizations, partners, and users due to data compromise, including manipulations, disruptions, disclosures, thefts, and loss. Finally, the paper discusses effective security management approaches and strategies to address the issues and to mitigate risks.

Background

Organizations and information security staff are facing an increasing number of attacks against mass stores of their customer, private, and sensitive information. All of us have read the headlines identifying corporations, universities, and government agencies that have lost control of their database records to attackers. The growing list of attackers and methods of attack against such data stores is real and has the potential to negatively impact business, government, academia, consumers, and the citizenry.

At the center of the attacks are the common databases, repositories, and data warehouses required to conduct operations in the public and private sectors. Because of the decreasing cost of storage devices and the increasing desire for business intelligence and analytics, enormous volumes of electronic information are being aggregated and, consequently, placed at risk. For instance, two years ago, information-technology-oriented media outlets were writing articles describing only a handful of the largest commercial databases pushing 75 terabytes in size [Orzech 03]. Today, similar articles talk of these sizes as commonplace, where the typical organization's database ranges between hundreds of gigabytes to tens of terabytes [Mearian 05]. How big is this? Consider that 1 terabyte of electronic data is equivalent to 50,000 trees' worth of printed paper [Berkeley 00].

The term "data aggregation" refers to the trend toward amassing, preserving, and using large volumes of electronic information. Organizations engaged in data aggregation may do so for any number of reasons, including archiving, analysis, and operations. Aggregated data also includes the metadata needed to index, flag, define, or access the information, as well as the content itself. The volumes of this type of data are most often amassed into an electronic repository without regard to their logical or physical structure, and are generally free from the organizational compartmentalization that results from the physical and operational requirements of the people who interact with them. Aggregated data is most often found and described by the technology that houses it, such as a database, data repository, storage array, file system, or data warehouse.

The risks posed to aggregated data are numerous and derive from both external and internal threats, such as natural disasters, failures of internal controls, sabotage, and attacks. This paper is concerned with aggregated data security as it pertains to losses due to attackers that are external to the organization that is responsible for managing the aggregated data. The following scenario describes this problem:

    A database containing 100,000 records for current and past students at a large university in the northeast was attacked by unknown parties on the Internet. The compromised data contained admissions, health, academic transcript, disciplinary action, residency, housing, student employment, and emergency contact information. The school's response was to warn current students and alumni of the risks posed to them by their information being possibly copied and stolen. They claimed the potential for misuse of some or all of their information could include identity theft and financial fraud. They instructed the victims to keep a watchful eye on their credit reports. The university stated that they were investigating the incident in an attempt to prevent this type of problem in the future.

If we hold it to be true that information is the lifeblood of an organization, we must also recognize the significance of our information resources, such as volumes of aggregated data. This significance is amplified by the desire of attackers to exploit these resources for their gain and our need to routinely transfer, store, and process these resources to conduct business, government affairs, etc. Customers, users, and stakeholders demand increasingly more privacy and protection for the information they provide to organizations in return for products and services. They place confidence in organizations to perform effective enterprise security management and understand the risks not only to an organization's sensitive data but to a customer's private information. They expect these risks to be managed regardless of where the information is stored, transmitted, or processed, be it internal to the organization or through partnerships. This customer focus is sometimes lost in the mass of multi-terabyte databases of aggregated data.

Understanding the Problem

When archivists look to preserve information, they understand that the media serves the content, not vice versa. Hence, the content drives the retention standard and policy, not the storage media, be it paper, microfiche, or tape. Similarly, in information security it is the content that drives the security requirements and the information systems that serve to fulfill these requirements. In organizations' attempts to secure information (the content), they need to consider that the systems where the information resides are a target of attacks and thus a key concern for information protection activities.

In large database systems, the content is a compilation of aggregated data. As much as databases lend themselves to supporting organizational processes, they also make clear targets for attacks: one-stop shopping locations for information thieves. The problems associated with databases are not the structure of information; they lie more with the characteristics of electronic information, especially aggregated data. Problems also stem from aggregating data in one or a few logical locations and the potential for loss of control in use and ownership. This section briefly explores some of these problems and issues.

Replication and Persistence

When left unprotected, aggregated data can be easily replicated, shared, altered, and destroyed. When a physical object is created, such as a car, it exists until it is completely consumed or becomes obsolete. In either case, the final disposition is that the object is destroyed and ceases to exist.

This same characteristic should apply to volumes of aggregated data. The exception is the ease with which information can be replicated at any point during its lifetime. This creates a potential situation where information cannot be disposed of easily due to the proliferation of copies. Worse yet, aggregated data, in electronic form, can exist past the point of obsolescence, persisting in perpetuity.

Ownership

Another set of characteristics describes ownership and custodianship of aggregated data. Continuing the analogy with a physical object, the identification of who owns and operates a car is usually bounded and well understood. We know two things: first, that a car has a title, its ownership is documented, and there is a defined process for transferring ownership. Second, mechanics who service the car maintain it, but do not own it. In contrast, aggregated data rarely has a well-defined title of ownership. Aggregated data is constantly changing in both ownership and custodianship because of the ease with which electronic information is shared, transferred, and replicated. For example, each time a piece of information is used in conjunction with other information, it is likely that the owner and custodian are different. Here, owners are the proprietors of an organizational process using aggregated data, while custodians are the users and administrators of the technology used to access the aggregated data.

Transformation

Aggregated data undergoes a constant transformation. Information by definition is "the communication or reception of knowledge or intelligence" [Webster 05]. For our purposes, data is processed, analyzed, and aggregated to produce information. The transformation of data into information occurs because organizations use raw data in the aggregate and within a given context, yielding information and intelligence.

[Figure 1: The Information Cycle (Data → Process → Info → Process → Data)]

The continual cycle of moving sets of data through a process that creates information (see Figure 1) presents challenges for determining clear ownership of aggregated data and the information from which it derives. Data from different sources is often combined to create new information. This is an important problem for intangible assets like aggregated data, as a clear boundary for the asset and its ownership is required before its value can be determined. Value is key to determining the level of investment for protection strategies.

Valuation

Valuing information of any type has proven to be difficult for most organizations. Information assets are not often carried on the books as capital assets, so determining a monetary value is not straightforward. Often, the value of an information asset is found in the process it supports and not in the information itself. The value of the aggregated data to an organization can only be determined if the person or persons responsible for the organizational process it supports understand and agree on exactly what is being valued.

Aggregated data often has many owners, users, and custodians. This creates situations where the exact value (or even an approximate, relative value) of the aggregated data is difficult to calculate. Determining the value is an attempt to capture how important the aggregated data is to the organization. Data value derives primarily from its use, but organizations need to also consider the impact of its loss or unavailability. Valuing aggregated data, taking into account its unique characteristics, is critical for determining the risks, the impacts, and thus the necessary investments in protection strategies and security actions to adequately protect such data.

Understanding the Risks and Impacts

Consider what it costs you if

- customer data is compromised and it makes the headlines
- your brand and reputation are negatively affected by a data-related security breach, resulting in a loss of customer confidence and loyalty
- sensitive intellectual property (such as government or trade secrets and new product information) is stolen by a competitor or made public
- your organization is found to be noncompliant with privacy and data protection/reporting regulations (international, national, state, local)
- your network goes down because of a data compromise
- you can't detect a data compromise

The risks associated with managing aggregated and sensitive data in electronic form and with network access are many. Organizations often find themselves in the position of custodian for critical sensitive information belonging to others who trust the organization to handle this information responsibly. Reciprocally, owners assign responsibility for protection to custodians; this demands that owners communicate security requirements explicitly and ensure custodians meet the established requirements.

Determining the range of actions an organization needs to take to reduce aggregated data security risk to an adequate or acceptable level depends on what an organization needs to protect and what it needs to prevent. Consider the following questions:

- What responsibility do we have for protecting the information in our computer systems, particularly information that belongs to others? What needs to be protected? Why does it need to be protected? What happens if it is not protected?
- What are our worst-case scenarios for security compromise? Most likely scenarios? What potential adverse conditions and consequences need to be prevented? At what cost?
- How much disruption can we stand before we take action?
- How do we determine and effectively manage residual risk (the risk remaining after mitigation actions are taken)?

The answers to these questions can help organizations determine how much to invest, where to invest, and how fast to invest in data protection. They serve as one means to identify security risks to aggregated data and quantify the degree of risk exposure. In the absence of answers to these questions (and a process for periodically reviewing and updating them), an organization may find it difficult to define and deploy an effective aggregated data security strategy and thus be unable to sustain an adequate level of protection.

Value Placed at Risk

Organizational assets that can be negatively affected if aggregated data security is inadequate, performed poorly, or compromised include

- trust
- customer and partner identity and privacy
- the ability to offer and fulfill customer transactions
- the ability to meet compliance, legal, and regulatory requirements

Organizations can experience an immediate impact in the short term as a result of a compromise of aggregated data security, and impacts can be realized in the longer term. Aspects of each asset and impacts to them are described in the following sections.

Short-term Impacts

Ability to Offer and Fulfill Customer Transactions

The Internet has equalized access to information and aggregated data worldwide. Risks and opportunities increasingly derive from who you are connected to and who is connected to you, rather than from where you are physically located. Because of the ready and direct access customers have to those with whom they wish to transact business, and the ease with which they can change these choices for any reason, customers drive today's marketplace.

An organization's ability (or inability) to competently offer and fulfill customer transactions is most visible to the customer. This includes a customer's profile, preferences, and historical buying habits, often stored in aggregated databases. In the case of commercial business, making items of interest easy to find, with accurate and competitive pricing, with immediate order confirmation, and with timely delivery contributes to the growth of Internet-based business. Online banking provides a good example of how aggregated data security enables customer transactions. Bank customers are typically assured of identity and privacy protection with respect to their personal information, transaction histories, and a secure flow of funds via an Internet connection. Imagine how this changes if the customers' data is compromised and this is publicly reported. Imagine what the impact would be if the entire roster of customers were negatively affected by a security breach of the bank's volume of aggregated customer account data.

The ability to lower transaction costs (discovery, negotiation, arbitrage, settlement, and adjudication) depends on electronically accessible and aggregated data. The Internet and the electronic commerce it enables have lowered transaction costs compared with predecessor technologies. However, the nature of electronic communication is that it is location independent, essentially instantaneous, and, unless modified, anonymous [Geer 04]. These qualities introduce new risks to aggregated data that must be taken into account by organizations owning and serving as custodians for such data.

Customer and Partner Identity and Privacy

Concerns about the risks associated with personal privacy and identity are growing. Violations of this type and their costs, legal consequences, and effects on reputation are regularly reported in the media. A typical example states, "The Federal Trade Commission estimates that approximately 3,000,000 Americans were the victims of identity theft in 2002. A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies in all respects with representations made about the company's information security and privacy practices" [Braun 04]. Disclosure of personal information entrusted to an organization can have a profound impact on that organization's reputation.

As identity theft and related violations of privacy become more prevalent, public backlash from both customers and legislators could be significant. Increasingly, customers and organizational partners expect a certain standard of aggregated data security practice from any competent organization. This expected standard is likely to continue to escalate. However, reputation need not be considered solely in negative terms. Leaders should also ask, "How much is it worth for us to be seen by our customers and partners to be actively concerned with safeguarding their information?" Proactive approaches to security can enhance an organization's reputation as a trusted partner [Charette 05].

International privacy regulations, such as those in the European Union (EU), Japan, and Australia, are more stringent than their U.S. counterparts, so approaches to comply with such regulations must be developed with proper appreciation of country or regional requirements. Given greater customer privacy concerns, data protection authorities in several countries are most concerned with protecting health care, pharmaceutical, and financial services data [Gartner 04].

U.S. or multinational organizations should be especially wary of how they treat EU employee data and how they monitor EU employees' electronic activities. EU employee tribunals are common, and EU employees frequently take their employers to court.

Increasingly, organizations are finding that a global approach to privacy can meet the majority of national or regional privacy requirements, providing some opportunity for cost containment through standardization.

Almost all organizations collect, process, store, disseminate, and transfer customer information in some form, most likely digital. Protecting such information and preventing actions that can cause unintended disclosure and use are increasingly required to meet legal requirements and preserve customer trust.

Long-term Impacts

Trust

Achieving and preserving trust are among the most essential outcomes of protected aggregated data. Trust is an element of protecting customers and their information, protecting market share, sustaining market and customer confidence, preserving reputation, and enhancing an organization's brand and image. Trust is hard to build and easy to lose in the face of a public breach of security or customer privacy. Just consider companies enjoying headline attention as their customer databases are compromised, raising widespread concerns about identity theft. Some are finding that regaining trust once it is lost may not be possible.

An increasing number of organizations understand the inextricable link between trust and securing aggregated data in today's globally connected environment. One CISO states, "Security is a necessary consideration in everything that we do. We need to protect customers and employees. We are the custodian for a lot of information that belongs to other people."

Compliance and Legal Liability

Failure to protect stakeholder interests with respect to certain categories of information or failure to prevent unauthorized access to personal information may have serious legal consequences. A comprehensive approach to protecting aggregated data can help an organization maintain compliance with new and expanding laws and regulations and avoid legal liability related to statutory or common law.

Rather than focusing on a framework for cyber or information security, current U.S. federal legislation and related regulatory programs have focused on an interest in either of the following:

- protecting the privacy of individually identifiable information held on private computer systems
- improving private sector oversight of financial reporting

Three current U.S. laws need to be considered when addressing responsibilities to protect aggregated data:

- the U.S. Gramm-Leach-Bliley Act of 1999 (protecting personal information for financial institution customers)
- the U.S. Health Insurance Portability and Accountability Act of 1996 (protecting personally identifiable health information held by certain entities)
- the U.S. Sarbanes-Oxley Act of 2002 (mandating expanded public company financial control audits, including information security)

These laws have all provided regulatory incentives for senior-level managers and oversight agencies (such as boards of directors and trustees) to pay closer attention to information security, including the protection of customer privacy and identity. A similar security effect derives from both state and international law. The California Database Protection Act (CA SB 1386; notification of personal security information breaches) and European Union (EU) Directives on data protection and privacy and electronic communications are affecting multistate and multinational organizations [CRS 05]. Consideration for extending aspects of the California law to all U.S. states is in progress.

Compliance issues related to legislative and regulatory programs and the criminal and civil liabilities that can arise from their violation are only one part of the legal liability exposure. There remains the significant liability that can result from national/federal and state court litigation claims based on a breach of contract, tort, or property rights. Civil litigation provides an effective platform for the promotion of individual privacy and identity protection. Such litigation might drive the adoption of standards governing security controls on aggregated data.

Security Management for Large Volumes of Aggregated Data

Understand the Information

The first step in protecting anything is to understand it. For aggregated data, this entails understanding what information exists, where it exists, and in what form. Determining an adequate level of protection also requires knowing the security requirements, owners and custodians, and potential risks and impacts. Once the basic information is known about large volumes of aggregated data, the data can be broken into smaller units and profiled.

Profiling, or the process of describing, categorizing, and bounding information, is one way to understand the unique characteristics and protection requirements of information. In this case, a smaller and more manageable set of aggregated data is used for profiling. Owners use profiling techniques to explicitly and unambiguously define

- information descriptions and boundaries
- designations of owners, custodians, and users
- information security requirements, such as access and authentication requirements of users
- logical and physical locations where the information is stored, transported, and processed
- information value and sensitivity

Owners must know the value of their information to develop a meaningful profile. Such a profile is used by custodians to select appropriate security controls to protect the information. The owner of the information asset and its stakeholders determine the value of the information to the enterprise or organizational unit. The contribution of the information to the owner's goal achievement (or the potential to impede goal achievement) is reflected in the valuation. One way to consider the value of an asset is to look at the potential impact on the organization (and the owner) if something were to happen to it.

A significant amount of guidance has been issued to help federal government agencies determine and assign value to their information and information systems. Federal Information Processing Standard (FIPS) Publication 199 and National Institute of Standards and Technology (NIST) Special Publication 800-60 provide explicit guidance. Information value is determined by looking at the potential impact on the organization if the security of the information is compromised. Information is first classified by type (public relations information, for example). Then for each type of information the potential impact is rated on a high, medium, or low value scale for each security objective, which NIST defines as the triad of confidentiality, integrity, and availability.

Every organization needs to determine its own approach to and process for information valuation. Once the value of the information and the degree to which risks and impacts can negatively affect it are known, an organization can develop a meaningful profile against which to apply management and security controls to mitigate risks and manage impacts.
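An added example, not part of the US-CERT paper: a small profiling helper that records the attributes listed above for each information type and then rates the aggregated store as a whole. It uses the paper's high/medium/low scale, assumes the FIPS 199 high-water-mark rule (the store takes the most severe rating among the types it holds), and runs on a constructed data set modelled on the university scenario.

```python
from dataclasses import dataclass
from typing import Dict, List

# The paper's rating scale for each security objective; the ordering lets the
# roll-up pick the most severe rating. (FIPS 199 itself uses low/moderate/high.)
IMPACT_ORDER: Dict[str, int] = {"low": 0, "medium": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationProfile:
    """One profiled unit of aggregated data, carrying the attributes the paper
    says owners must define: description, owner, custodian, users, locations,
    and a potential-impact rating per security objective."""
    name: str
    owner: str
    custodian: str
    users: List[str]
    locations: List[str]
    impact: Dict[str, str]  # objective -> "low" | "medium" | "high"

    def validate(self) -> List[str]:
        """Return the defects that make this profile unusable for control
        selection; an empty list means the profile is complete."""
        problems: List[str] = []
        if not self.owner:
            problems.append(f"{self.name}: no owner designated")
        if not self.custodian:
            problems.append(f"{self.name}: no custodian designated")
        if not self.locations:
            problems.append(f"{self.name}: storage/processing locations unknown")
        for objective in OBJECTIVES:
            if self.impact.get(objective) not in IMPACT_ORDER:
                problems.append(f"{self.name}: missing or invalid {objective} rating")
        return problems


def high_water_mark(profiles: List[InformationProfile]) -> Dict[str, str]:
    """Roll per-type ratings up to the aggregated store: for each objective the
    store inherits the highest rating among the types it holds (the FIPS 199
    high water mark, assumed here as the roll-up rule)."""
    if not profiles:
        raise ValueError("a store with no profiled information types cannot be rated")
    return {
        obj: max((p.impact[obj] for p in profiles), key=IMPACT_ORDER.__getitem__)
        for obj in OBJECTIVES
    }


def store_summary(profiles: List[InformationProfile]) -> Dict[str, object]:
    """Describe the aggregated store as a whole: its rolled-up rating, which
    information types drove each objective to that rating, the distinct owners
    and custodians involved, and every location holding the data."""
    defects = [d for p in profiles for d in p.validate()]
    if defects:
        raise ValueError("; ".join(defects))
    hwm = high_water_mark(profiles)
    drivers = {
        obj: sorted(p.name for p in profiles if p.impact[obj] == hwm[obj])
        for obj in OBJECTIVES
    }
    return {
        "rating": hwm,
        "drivers": drivers,
        "owners": sorted({p.owner for p in profiles}),
        "custodians": sorted({p.custodian for p in profiles}),
        "locations": sorted({loc for p in profiles for loc in p.locations}),
    }


# Constructed sample modelled on the paper's university scenario (not real data).
SAMPLE_PROFILES = [
    InformationProfile(
        name="course catalog", owner="Registrar", custodian="Central IT",
        users=["public"], locations=["web cluster"],
        impact={"confidentiality": "low", "integrity": "medium", "availability": "medium"},
    ),
    InformationProfile(
        name="academic transcripts", owner="Registrar", custodian="Central IT",
        users=["registrar staff", "advisors"], locations=["student DB"],
        impact={"confidentiality": "medium", "integrity": "high", "availability": "low"},
    ),
    InformationProfile(
        name="student health records", owner="Health Services", custodian="Central IT",
        users=["clinic staff"], locations=["student DB", "offsite backup"],
        impact={"confidentiality": "high", "integrity": "high", "availability": "medium"},
    ),
]

if __name__ == "__main__":
    for key, value in store_summary(SAMPLE_PROFILES).items():
        print(f"{key}: {value}")
```

Running it shows the point the paper makes about aggregation: combining a public course catalog with health records gives the whole store the health records' rating, so the controls a custodian selects for the combined store must meet the highest requirement among its parts.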

Apply Good Management Principles

A good set of commonly accepted management principles aids an organization's leaders in determining what protection strategies are best applied to secure aggregated data. Organizations can use principles to select, interpret, prioritize, deploy, and reinforce policies, strategies, plans, actions, and expected behaviors. To be effective and of greatest value, principle selection and interpretation should align with organizational objectives, including the requirement to protect sensitive aggregated data.

The following principles apply to protecting and securing aggregated data. These are briefly described in this section:

- Accountability
- Adequacy
- Awareness
- Compliance
- Measurement
- Response
- Risk Management

Each of the principles is stated using the present tense, conveying what actions, behaviors, and conditions demonstrate the presence of the principle in the organization's culture and conduct.

Accountability: Organizational leaders are accountable for providing effective oversight of aggregated data security, including ensuring effective execution of the agreed-to protection strategies. Such accountability and responsibility are explicit, defined, acknowledged, and accompanied by the authority to act. Leadership accountability and responsibility for aggregated data security are visible to all stakeholders.

Leaders possess the necessary knowledge, skills, and abilities to fulfill these responsibilities. Individual roles, responsibilities, authorities, and accountabilities are assigned. Leaders ensure that all users with access to aggregated data understand their responsibilities with respect to this access. Leaders conduct regular evaluations of their aggregated data security program, review the evaluation results, and report on performance to oversight authorities, including a plan for remedial action to rectify any deficiencies.

For example, one area reviewed and reported on would be data retention policy and procedure. Leaders work with aggregated data owners and custodians to ensure processes are documented, implemented, and secure for purging data when the need or requirement to maintain the data has expired.

Adequacy: Investment in aggregated data protection strategies (principles, policies, procedures, processes, controls) is commensurate with risk. Determination of risk is based on the value, sensitivity, and criticality of such data with respect to its vulnerability to loss, damage, disclosure, or denied/interrupted access. Probability, frequency, and severity of potential vulnerabilities are considered. Leaders ensure that sufficient resources (people, time, equipment, facilities, dollars) are authorized and allocated to achieve and sustain an adequate level of aggregated data security.

For example, leaders ensure data owners and custodians work together to understand the compartmentalization that sensitive aggregated data sets require. Leaders use policies to direct owners to declare value and identify security requirements (confidentiality, availability, integrity, and authentication) and direct custodians to implement sound and measurable security controls.

    Awareness:Leadersare awareofandunderstandthe needtoprotectaggregated data.Theyunderstandwhatactionsarenecessaryto protectstakeholdervaluewithrespectto such data.All usersare awareofaggregated datasecurityrisksandprotection strategiesandunderstandtheirconcomitantrolesandresponsibilities.Awarenessisdemonstrated bythemotivation,training,and educationprovided touserswhoaregiven accesstosensitive aggregated data and byattendanceatperiodictraining asarequirementofcontinued access.Performancereviewsincludean evaluationofhowwelltheseresponsibilitiesare fulfilled.

Compliance: Aggregated data protection strategies are in compliance with legal and regulatory requirements, requirements of conducting business, and requirements established by external stakeholders. Actions necessary to evaluate compliance objectively (such as internal and external audits) are built into the security compliance program. This includes regular monitoring, review, and reporting of compliance findings to affected and interested parties. Leaders ensure that remedial and timely action is taken for any aggregated data security deficiencies.

Measurement: Leaders identify and request periodic reports on measures and indicators that demonstrate the value and adequacy (or lack thereof) of aggregated data security protection strategies. What gets measured gets done. Metrics are about transforming policy into action and measuring performance. Metrics indicate how well policies and processes are functioning and whether or not they are producing desired performance outcomes [CISWG04b].

Response: All users (including leaders) act in a timely, coordinated manner to prevent or respond to threats to aggregated data security and compromises of it. Such response requires development and regular exercise of business continuity, disaster recovery, crisis management, and incident management plans so that the enterprise is adequately prepared in the face of an attack and is able to resume normal operations as quickly as possible.

Risk Management: Leaders continually review, assess, and modify aggregated data security protection strategies in response to the dynamically changing risk environment in which they operate. Leaders articulate acceptable levels of risk to aggregated data assets based on their value, sensitivity, and criticality (see Adequacy). Such levels are examined during regular review and assessment processes.

Costs of compromise (loss, damage, disclosure, denied/interrupted access, costs to reconstitute) are quantified to the extent possible as part of ongoing risk management. Controls are selected to effectively mitigate risk and their performance is regularly measured and reviewed. Plans for remedial action to rectify risk mitigation deficiencies are developed and executed following each assessment.

Apply Good Security Practices

As with management principles, a good set of commonly accepted security practices helps an organization meet the protection requirements of aggregated data. Practice selection and adoption derive from the security strategy of an organization. Organizations use practices as they implement security policies, strategies, plans, and actions. To be effective and of greatest value, practices should guide control selection and address risk mitigation efforts necessary to adequately protect sensitive aggregated data.

The following practice areas apply to protecting and securing all types of information, including aggregated data. These are briefly described in this section:

Information Security Strategy

Information Security Policy

Security Architecture and Design

Incident Management

Partner Management

Contingency Planning and Disaster Recovery

Physical Security Management

Information Technology

Audit and Monitoring

Vulnerability Management

Each of the practice areas is stated using the present tense, conveying what actions, behaviors, and conditions demonstrate the presence of the practice in the organization's culture and conduct.

Information Security Strategy: The security strategy is part of the organization's overall strategic planning activity and serves as a systematic plan of action for implementing, maintaining, and improving the security posture of an organization. The strategy encompasses and describes the organization's information security program, including all of the activities and processes that are performed to ensure the mission's survivability. This includes the protection of aggregated data, considered in the context of all other security strategy actions. It considers the unique operating circumstances of the organization, as well as its culture, mission, and critical success factors. Effective security strategy aligns with, and supports, the business strategies and drivers of the organization.

Information Security Policy: An information security policy is the compilation of guiding principles the organization defines to establish the limits and boundaries of behaviors for using information resources and assets, including aggregated data. The core of the information security policy defines the organization's risk tolerance, which is indicative of the range of security events the organization is prepared to withstand. For example, a higher risk tolerance may signify that the organization believes it would not suffer a significant or material impact if a security weakness or vulnerability is introduced and/or exploited. As the organization's risk tolerance narrows, a more extensive security strategy is necessary as well as well-defined and prescribed guidelines for behavior and action.


Security Architecture and Design: Security architecture and design is the physical and logical implementation of the organization's security strategies, policies, and procedures. It is the organization's technical implementation of security structure throughout the various layers of the technical infrastructure. This includes physical devices, hardware, software, and the ways in which security is managed and administered in this infrastructure. Security architecture and design addresses the unique requirements reflected in the profile for each subset of aggregated data. This practice includes ensuring systems on which aggregated data is stored, processed, and transmitted are securely configured and that configurations are kept up to date using a well-defined and enforced change management process.

Incident Management: Incident management is the organization's process for identifying, reporting, and responding to suspected security incidents and violations, including those involving aggregated data. The organization is prepared for incidents involving the organization's network and technical infrastructure, physical facilities, and human resources, such as social engineering attempts. The organization's ability to address incidents as a part of the overall security strategy provides another tool for monitoring its environment, understanding what threats and vulnerabilities it is susceptible to, and developing proactive mitigating and protective strategies. For aggregated data in particular, incident management includes the processes for required communication and notification of affected parties, such as customers. Incident management may also include remedial and corrective actions necessary to restore customer confidence.

Partner Management: Partner management processes and activities require that vendors and service providers act in ways that support the survivability of the parent organization. Organizations communicate to these partners what is important to the organization, and how they are expected to behave so that they do not expose the parent organization to further risk. Parent organizations recognize they ultimately retain responsibility for ensuring the tasks are completed and that the goals and objectives are achieved. It is essential that partner organizations understand their roles and responsibilities and are held contractually liable for adequately protecting aggregated data that is owned by the parent organization and for which the partner is a custodian or user.

Contingency Planning and Disaster Recovery: Contingency planning and disaster recovery direct the approaches and actions taken by the organization to continue normal operational functions when confronted with significant or adverse disruption. Contingency planning involves the proactive and reactive steps to facilitate an effective and efficient recovery from any contingency that puts the organization's mission at risk. Managing the impacts involves and requires appropriate policies, plans, and procedures to be documented, communicated, tested, and evaluated before a contingency situation occurs. Contingency planning and disaster recovery practices include ensuring aggregated data backups are regularly made, transmitted securely (encrypted), reach their backup storage location, are stored securely, and that aggregated data can be restored to a known state from any given backup media.
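The last sentence above sets a testable requirement: a backup is only useful if it can be proven to restore to a known state. The following added example (not from the paper or from US-CERT) shows one way to make that check mechanical: the backup carries a manifest of SHA-256 hashes authenticated with an HMAC, and the restore routine writes nothing unless the manifest authenticates, then re-hashes the restored tree against it. The demo key, file names, and file contents are constructed for the example; a real deployment would keep the manifest key in a key store separate from the backup media, and the transport encryption the paper calls for is assumed to be handled by the channel.

```python
"""Backup integrity check: build a backup, then prove it restores to a known state."""
import hashlib
import hmac
import io
import json
import os
import tarfile
import tempfile

# Constructed demo key; in practice the manifest key lives in a key store,
# never beside the backup media it authenticates.
DEMO_MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, key):
    """Return (archive_bytes, manifest_bytes, tag).

    The manifest records the SHA-256 of every file; the HMAC tag lets the
    restore side detect a manifest altered in transit or at rest.
    """
    manifest = {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, source_dir).replace(os.sep, "/")
                manifest[rel] = _sha256_file(path)
                tar.add(path, arcname=rel)
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return buf.getvalue(), manifest_bytes, tag


def verify_and_restore(archive_bytes, manifest_bytes, tag, key, dest_dir):
    """Restore the archive into dest_dir only if it matches the signed manifest.

    Returns (ok, message). Nothing is written unless the manifest authenticates,
    and the restored tree is re-hashed so a bad medium is caught before the
    backup is declared usable.
    """
    expected_tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "manifest authentication failed"
    manifest = json.loads(manifest_bytes)
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Only plain files named in the manifest are written; this also
            # rejects absolute paths and ".." entries from a tampered archive.
            if not member.isfile() or member.name not in manifest:
                return False, "unexpected archive entry: %s" % member.name
            target = os.path.join(dest_dir, *member.name.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            restored[member.name] = _sha256_file(target)
    if restored != manifest:
        missing = sorted(set(manifest) - set(restored))
        changed = sorted(k for k in restored if restored[k] != manifest[k])
        return False, "restore differs from known state: missing=%s changed=%s" % (missing, changed)
    return True, "restored %d files to known state" % len(restored)


def demo():
    """Constructed run: back up two files, restore them, then reject a tampered manifest."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        with open(os.path.join(src, "customers.csv"), "w") as f:
            f.write("id,name\n1,sample\n")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "reports", "q3.txt"), "w") as f:
            f.write("constructed report\n")
        archive, manifest, tag = make_backup(src, DEMO_MANIFEST_KEY)
        ok, msg = verify_and_restore(archive, manifest, tag, DEMO_MANIFEST_KEY, dst)
        # A manifest edited after signing must be refused before any file is written.
        bad_manifest = manifest.replace(b"customers.csv", b"custoners.csv")
        tampered_ok, _ = verify_and_restore(archive, bad_manifest, tag, DEMO_MANIFEST_KEY, dst)
        return ok, msg, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Running `demo()` restores both constructed files and reports success, then refuses the edited manifest. The restore exercise is the point: scheduling this against a sample of backup media on a regular basis is how the "can be restored to a known state" requirement becomes evidence rather than an assumption.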

Physical Security Management: Physical security is a component of the comprehensive protection strategy, particularly for tangible aggregated data resources (such as hardware, software, and media). It complements the organization's network and system security by physically protecting and acknowledging the logical instantiation of systems and network security controls.


Information Technology: Information technology security is the range of technical mechanisms that the organization deploys to enable and enforce policy, standards, and procedures. Technical practices and mechanisms are applied to counter known and anticipated threats and vulnerabilities to aggregated data, software, systems, and networks. In addition to threat avoidance, resistance, detection, and recovery, technology also supports security controls such as least privilege/separation of duties, access control, role-based authentication, firewalls including use of policy-segregated networks, change and patch management, aggregated database server configuration control, encryption, redundancy, adequate implementation of aggregated data profiles (including separating sensitive from nonsensitive data), etc.

The security of aggregated data is governed by the information security strategy and plans, and spans physical, logical, and operational domains. The physical domain includes the networks and the directly connected systems. The logical domain includes the ways in which users access and authenticate to system and network resources related to aggregated data. This domain is typically governed by an information security department and by the immediate department where the systems reside. The operational domain, somewhat more fragmented, considers how and where certain mission-related functions are performed, ultimately by the owners and users of aggregated data.
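Three of the controls listed under Information Technology (least privilege, separation of duties, and keeping sensitive columns apart from nonsensitive ones in the data profile) fit together in one small enforcement point. The example below is added here and is not from the paper; the data profile, the roles, and the records are all constructed. It denies by default: a column is readable only if some role of the caller carries an explicit grant for that column's class, unknown roles grant nothing, and the administrative role can manage the schema without ever being able to read the sensitive columns.

```python
"""Least privilege over an aggregated data set: deny by default, keep sensitive columns apart."""

# Constructed data profile for a hypothetical aggregated customer store.
DATA_PROFILE = {
    "nonsensitive": {"customer_id", "region", "order_total"},
    "sensitive": {"ssn", "account_number"},
}

# Constructed role definitions. Separation of duties: the dba role administers
# the store but is never granted sensitive reads.
ROLE_PERMISSIONS = {
    "analyst": {"read_nonsensitive"},
    "fraud_investigator": {"read_nonsensitive", "read_sensitive"},
    "dba": {"read_nonsensitive", "manage_schema"},
}

# Constructed records; real values would never sit in source.
SAMPLE_RECORDS = [
    {"customer_id": 1, "region": "east", "order_total": 120.5,
     "ssn": "000-00-0001", "account_number": "ACCT-1"},
    {"customer_id": 2, "region": "west", "order_total": 80.0,
     "ssn": "000-00-0002", "account_number": "ACCT-2"},
]


class AccessDenied(Exception):
    """Raised when a request exceeds the caller's least-privilege set."""


def permissions_for(roles):
    """Union of the permissions granted by the caller's roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def readable_columns(roles):
    """Columns the caller may see; sensitive columns only with an explicit grant."""
    perms = permissions_for(roles)
    allowed = set()
    if "read_nonsensitive" in perms:
        allowed |= DATA_PROFILE["nonsensitive"]
    if "read_sensitive" in perms:
        allowed |= DATA_PROFILE["sensitive"]
    return allowed


def query(roles, columns, records=SAMPLE_RECORDS):
    """Project records onto the requested columns, failing closed on any column outside the grant."""
    requested = set(columns)
    known = DATA_PROFILE["nonsensitive"] | DATA_PROFILE["sensitive"]
    unknown = requested - known
    if unknown:
        raise AccessDenied("unknown columns: %s" % sorted(unknown))
    denied = requested - readable_columns(roles)
    if denied:
        raise AccessDenied("roles %s may not read %s" % (sorted(roles), sorted(denied)))
    return [{c: r[c] for c in columns} for r in records]


def try_query(roles, columns):
    """Return (granted, rows_or_reason) so the caller can log the decision either way."""
    try:
        return True, query(roles, columns)
    except AccessDenied as e:
        return False, str(e)


if __name__ == "__main__":
    print(try_query({"analyst"}, ["customer_id", "region"]))
    print(try_query({"analyst"}, ["customer_id", "ssn"]))
    print(try_query({"dba"}, ["account_number"]))
```

The shape matters more than the specifics: the grant is computed from the data profile rather than hard-coded per query, so reclassifying a column as sensitive changes what every role can see without touching the callers, and a request that mixes one sensitive column into an otherwise permitted set is refused whole rather than silently trimmed.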

Audit and Monitoring: Monitoring and auditing inspect and examine the degree to which the organization's policies are being implemented and followed. Monitoring activities are the means by which the organization systematically checks its security posture for weaknesses and vulnerabilities, and initiates appropriate responses where necessary. This includes observing system and network events, configurations, and processes under routine operation for suspicious or unauthorized events related to aggregated data security. The practices and technologies supporting monitoring require the expected or normal state of the system and network environment to be known and defined for aggregated data in processing, storage, and transmission. Where monitoring is the more continuous activity integrated into the organization's routine system administration and management, auditing inspects the security safeguards and controls to determine whether they comply with regulatory and legal requirements, policies, and standards.

Vulnerability Management: Vulnerability management determines the state of technical and operational weaknesses in the technical infrastructure where aggregated data resides, and how to appropriately mitigate the weaknesses. Vulnerability assessment is a proactive or preventive monitoring activity where systems and networks are examined for known technical flaws or weaknesses. Results of a vulnerability assessment are analyzed, prioritized, and reported, with actions tracked to completion.

Aggregated data is one form of information and benefits from the same organizational, process, technical, and human security controls that are well known and practiced in information security. Problems and issues unique to aggregated data and its inherent characteristics have been described in Section 3. Risks and impacts to electronic information have been summarized in Section 4 and interpreted for some of the unique challenges that come with owning, using, and serving as custodians for aggregated data. The principles and practices briefly described in Section 5 apply to most types of information and information systems. This paper suggests using such principles and practices, as part of an organization-wide security strategy, to adequately protect aggregated data. By doing so, organizations are more likely to be able to demonstrate that they are exercising due diligence through following commonly accepted good practice.


Appendix A

The principles described in Section 5 are derived from several credible and reputable organizations and the sources listed in Table 1.

Table 1: Sources of Enterprise Security Principles

Organizations                                            References
American Chemistry Council                               [ACC99, ACC03]
Business Software Alliance                               [BSA03]
Corporate Governance Task Force                          [CGTF04]
Corporate Information Security Working Group             [CISWG04a, CISWG04b]
Information Systems Security Association                 [ISSA 04]
Information Technology Governance Institute              [ITGI01, ITGI04]
Institute of Internal Auditors                           [IIA01]
International Standards Organization (ISO)               [ISO00a, ISO00b]
National Association of Corporate Directors              [NACD01]
National Institute of Standards and Technology           [NIST96, NIST04]
Organisation for Economic Cooperation and Development    [OECD 02]
Software Engineering Institute                           [CMMI03]


[ACC99] American Chemistry Council. Responsible Care Guiding Principles, 1999. http://www.americanchemistry.com/.

[ACC03] American Chemistry Council. Responsible Care Security Code of Management Practices, 2003. http://www.americanchemistry.com/.

[BSA03] Business Software Alliance. Information Security Governance: Toward a Framework for Action. October 2003. http://www.bsa.org/resources/loader.cfm?url=/commonspot/security/getfile.cfm&pageid=5841&hitboxdone=yes.

[CGTF04] Corporate Governance Task Force. Information Security Governance: A Call to Action. National Cyber Security Partnership, April 2004. http://www.cyberpartnership.org.

[CISWG04a] Corporate Information Security Working Group. Adam H. Putnam, Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census, Government Reform Committee, U.S. House of Representatives. Report of the Best Practices Subgroup. March 3, 2004. http://reform.house.gov/TIPRC/News/DocumentSingle.aspx?DocumentID=3030.

[CISWG04b] Corporate Information Security Working Group. Adam H. Putnam, Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census, Government Reform Committee, U.S. House of Representatives. Report of the Best Practices and Metrics Teams. November 17, 2004, updated January 10, 2005. http://www.educause.edu/LibraryDetailPage/666&ID=CSD3661.

[ISSA 04] Information Systems Security Association. Generally Accepted Information Security Principles v3.0. http://www.issa.org/gaisp/gaisp.html (2005).

[ITGI01] Information Technology Governance Institute. Information Security Governance: Guidance for Boards of Directors and Executive Management. Information Systems Audit and Control Foundation, 2001. http://www.itpi.org.

[ITGI04] Information Technology Governance Institute. COBIT Security Baseline: An Information Security Survival Kit. ITGI, 2004. Individual checklists are available at http://www.itgi.org.

[IIA01] The Institute of Internal Auditors et al. Information Security Governance: What Directors Need to Know. IIA, 2001. http://www.theiia.org/iia/index.cfm?doc_id=3061.

[ISO00a] International Standards Organisation. ISO 9000:2000 Quality Management Systems, Fundamentals and Vocabulary, Second Edition 2000-12-15. ISO 9000:2000(E), 2000.

[ISO05] International Standards Organization. ISO/IEC 17799 Information Technology, Security Techniques, Code of Practice for Information Security Management, Second edition. ISO/IEC 17799:2005(E). June 2005.

[NACD01] National Association of Corporate Directors. Risk Oversight: Board Lessons from Turbulent Times. Directors Monthly Newsletter, 27, 1. NACD, January 2003.


[NIST96] Swanson, Marianne & Guttman, Barbara. Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST Special Publication 800-14). National Institute of Standards and Technology, September 1996. http://csrc.nist.gov/publications/nistpubs/.

[NIST04] Stoneburner, Gary, et al. Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. NIST Special Publication 800-27 Rev A, National Institute of Standards and Technology, June 2004. http://csrc.nist.gov/publications/nistpubs/.

[OECD 02] Organisation for Economic Co-Operation and Development. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. OECD, 2002. http://www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html.

[CMMI03] Capability Maturity Model Integration. Carnegie Mellon University, Software Engineering Institute. http://www.sei.cmu.edu/cmmi/cmmi.html.


References

URLs are valid as of the publication date of this document.

[Allen05] Allen, Julia. Governing for Enterprise Security (CMU/SEI-2005-TN-023). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, June 2005. http://www.sei.cmu.edu/publications/documents/05.reports/05tn023.html.

[Berkley00] Anonymous. Data Powers of Ten. University of California at Berkley, 2000. Available at http://www.sims.berkeley.edu/research/projects/howmuchinfo/datapowers.html. References original work by Roy Williams of the California Institute of Technology in the mid-1990s.

[Braun 04] Braun, Robert & Stahl, Stan. An Emerging Information Security Minimum Standard of Due Care. Citadel Information Group, Inc., 2004. http://www.citadelinformation.com/minstdduecare.pdf.

[Charette05] Charette, Robert. Review comments on [Allen05], May 2005.

[CRS05] Fischer, Eric. Creating a National Framework for Cybersecurity: An Analysis of Issues and Options. Order Code RL32777. Congressional Research Service, Library of Congress, February 22, 2005. http://www.thecre.com/pdf/secure/20050404_cyber.pdf.

[Gartner 04] Hallawell, Arabella. Gartner Global Security and Privacy Best Practices. Gartner Analyst Reports, March 16, 2004. Available at http://www.csoonline.com/analyst/report2332.html.

[Geer04] Geer, Daniel E. Why Information Security Matters. Cutter Consortium Business-IT Strategies Vol. 7, No. 3, 2004.

[Mearian05] Mearian, Lucas. The 100-Year Archive Dilemma. ComputerWorld, July 25, 2005. Available at http://www.computerworld.com/hardwaretopics/storage/story/0,10801,103382,00.html.

[Orzech03] Orzech, Dan. Rapidly Falling Storage Costs Mean Bigger Databases, New Applications. CIO Update Technology Trends, June 4, 2003. Available at http://www.cioupdate.com/trends/article.php/2217351.

[Webster05] Merriam-Webster, Inc. Merriam-Webster Online Dictionary, 2005. http://www.mw.com/.
