Sensitive Data Assessment


Upload: axis-technology-llc

Post on 22-Jun-2015


DESCRIPTION

Regulatory Control functions, such as Operational Risk, Compliance and Audit, increasingly raise questions around the scope, management, and identification of sensitive data within distributed and mainframe application environments.

TRANSCRIPT

Page 1: Sensitive Data Assessment

© Copyright 2012 Axis Technology, LLC

Sensitive Data Assessment

Information Security

Page 2: Sensitive Data Assessment

Sensitive Data Assessment - About

Regulatory Control functions, such as Operational Risk, Compliance and Audit, increasingly raise questions around the scope, management, and identification of sensitive data within distributed and mainframe application environments.

• Processes and tools used to Identify Sensitive Data need to provide clearly auditable results.
• Discovery of Sensitive Data needs to occur across the entire environment, including mainframe and distributed systems.
• The results of the data assessment need to be actionable.
• Assessment of Controls Maturity for the Entitlement Process of these systems.


Sensitive Data Includes:

• Customer data: Name, Phone number, e-mail, address, SSN, Birth date, Credit card #, bank account #, Internal sequence key…
• Employee data: Employee or Corporate ID, Salary, Benefits, HR status, Family data, Manager information, Cost Center data…

Page 3: Sensitive Data Assessment

Sensitive Data Assessment - Approach

Axis leverages the data profiler component of DMsuite to create a secure online sensitive data inventory which shows you exactly what data you need to mask.

• Utilize our proprietary Top down/Bottom up approach
• Proven Data Analysis Tools: DMsuite™
– Unmatched Data Profiling Capabilities across multiple Data Base Types
• Populate an inventory of sensitive data including:
– Where data is stored
– Categorizing risk associated with the sensitive data
– Why each piece of data is being collected
– How the data flows when it is received into the environment
– Identify any variations in security when data flows from system to system
– Categorize each sensitive data element by type of risk
– Population of a repository to enable personnel to easily refer to and maintain this information
• Develop a road-map for securing sensitive data in the environment


Page 4: Sensitive Data Assessment

Sensitive Data Assessment - Expertise

• DMsuite™ Profiler
– Unmatched Data Profiling Capabilities across databases and mainframe copybooks to identify the location of sensitive or non-public data.
– Profiler can reduce the work associated with manual search of sensitive data in databases and mainframe files by up to 80%.
– Ability to identify sensitive data using metadata such as database column names.
– Ability to search through the data itself using data pattern matching for sensitive data such as names, addresses, social security. Especially useful for notes and description fields.
– Out-of-the-box ability to identify sensitive data for ERP software such as Oracle E-Business Suite, Lawson, SAP etc.
– Pre-packaged search solutions for the following verticals: Financial, Healthcare, and Retail.
– Pre-packaged search solution for HIPAA & PCI Compliance.
– Profiler has a fast search ability where we can search through sensitive data in a PeopleSoft database with 37,000 tables in under 90 minutes.
– Profiler data profiling can also search through every row in a database to identify the location of the sensitive data based on pattern matching.

• RAID™
– Maintains a complete detailed analysis of your current data architecture including: Report producers and consumers
– Serves as a Report/Query Catalog
– Identifies each data source and Lineage
– Documents report data sources
– Documents how data is accessed
– Becomes the data dictionary for reports and central repository for audit and compliance


Page 5: Sensitive Data Assessment

DMsuite Profiler: Type of Data Searched

DMsuite™ Profiler
– Out-of-the-box ability to search for fields for the following information.
– Profiler user can also create their own search algorithm using the product.


Type I: PII - Public identifier of a customer or employee, or risk of direct misuse
Risk = High: information is publicly available to identify an individual or misuse the data directly

Type II: Company - Internal identifier of a customer or employee
Risk = Medium: information is not publicly available but may be known to employees and contractors

Type III: Inference - Information other than Type I or Type II that may disclose the identity of an individual through inference
Risk = Varies: Inference risk must be analyzed on a case-by-case basis, documented, and raised to security stakeholders

• Name
• Phone number, e-mail
• Address
– Street address, Zip+4
– Care of…, Attn: ...
• SSN or other national identifier
• Birth date and other dates
• Credit card #, bank account #
• Comment fields
• Customer ID
• Account #
• Internal sequence key

• Employee or Corporate ID
• Salary, Benefits
• HR status (termination, personnel issues)
• Family data
• Manager information
• Cost Center data

• Vendor Data
• Security Identifiers
– CUSIP, ISIN, SEDOL
• Other Identifiers
– NAV, type of Security
– Name, Number, Symbol
• Activity
– Account balances, transactions, trade date
• Financials
– Price, quantity, legal fees, vendor payments
• Assets/holdings
• Trade dates

Page 6: Sensitive Data Assessment

Sensitive Data Assessment - Drivers

DMsuite™ profiler addresses the need to secure sensitive data in the following situations:

– In-house Application development for development, testing and integration work.
– Offshore - masked data provides the same level of quality as production and is safe.
– Third Party Vendors - If a vendor application breaks, 90% of problems can be reproduced and fixed using masked data, eliminating the risk of exposure to third parties.
– Analytics uses data from different systems to provide insight about the health of your business. Why are the analysts receiving patient address information if they are looking at clinical trial results?

Any Businesses Falling Under

– HIPAA - Healthcare and Pharmaceutical are required to secure Patient Health Information
– MA MGL93H - Companies with customers in Massachusetts
– State privacy laws - All companies must follow their own similar to Senate Bill No 1386 – State of California
– Gramm-Leach-Bliley Financial Services Modernization Act (1999)
– Sarbanes-Oxley Act (2002)
– Multi-nationals - face requirements including:
• CANADA: Jan 2005 – Personal Information Protection and Electronic Documents Act
• FRANCE: Oct 2005 – Computing and Liberties Act
• JAPAN: Apr 2005 – Personal Information Protection Law