Sensitive Data Assessment
DESCRIPTION
Regulatory Control functions, such as Operational Risk, Compliance and Audit, increasingly raise questions around the scope, management, and identification of sensitive data within distributed and mainframe application environments.
TRANSCRIPT
© Copyright 2012 Axis Technology, LLC
Sensitive Data Assessment
Information Security
Sensitive Data Assessment - About
Regulatory Control functions, such as Operational Risk, Compliance and Audit, increasingly raise questions around the scope, management, and identification of sensitive data within distributed and mainframe application environments.
• Processes and tools used to identify Sensitive Data need to provide clearly auditable results.
• Discovery of Sensitive Data needs to occur across the entire environment, including mainframe and distributed systems.
• The results of the data assessment need to be actionable.
• Assessment of Controls Maturity for the Entitlement Process of these systems.
Sensitive Data Includes:
Customer data
• Name, Phone number, e-mail, address, SSN, Birth date, Credit card #, bank account #, Internal sequence key…
Employee Data
• Employee or Corporate ID, Salary, Benefits, HR status, Family data, Manager information, Cost Center data…
Sensitive Data Assessment - Approach
Axis leverages the data profiler component of DMsuite™ to create a secure online sensitive data inventory which shows you exactly what data you need to mask.
• Utilize our proprietary Top down/Bottom up approach
• Proven Data Analysis Tools: DMsuite™
  – Unmatched Data Profiling Capabilities across multiple Data Base Types
• Populate an inventory of sensitive data including:
  – Where data is stored
  – Categorizing risk associated with the sensitive data
  – Why each piece of data is being collected
  – How the data flows when it is received into the environment
  – Identify any variations in security when data flows from system to system
  – Categorize each sensitive data element by type of risk
  – Population of a repository to enable personnel to easily refer to and maintain this information
• Develop a road-map for securing sensitive data in the environment
Sensitive Data Assessment - Expertise
• DMsuite™ Profiler
  – Unmatched Data Profiling Capabilities across databases and mainframe copybooks, to identify the location of sensitive or non-public data.
  – Profiler can reduce work up to 80% associated with manual search of sensitive data in databases and mainframe files.
  – Ability to identify sensitive data using metadata such as database column names.
  – Ability to search through the data itself using data pattern matching for sensitive data such as names, addresses and social security numbers. Especially useful for notes and description fields.
  – Out of box ability to identify sensitive data for ERP software such as Oracle E-Business Suite, Lawson, SAP etc.
  – Pre-packaged search solutions for the following verticals: Financial, Healthcare, and Retail.
  – Pre-packaged search solution for HIPAA & PCI Compliance.
  – Profiler has a fast search ability: it can search through sensitive data in a PeopleSoft database with 37,000 tables in under 90 minutes.
  – Profiler data profiling can also search through every row in a database to identify the location of the sensitive data based on pattern matching.
• RAID™
  – Maintains a complete detailed analysis of your current data architecture including:
    • Report producers and consumers
    • Serves as a Report/Query Catalog
    • Identifies each data source and Lineage
    • Documents report data sources
    • Documents how data is accessed
    • Becomes the data dictionary for reports and central repository for audit and compliance
DMsuite Profiler: Type of Data Searched
• DMsuite™ Profiler
  – Out-of-the-box ability to search for fields for the following information.
  – Profiler users can also create their own search algorithm using the product.

Type I – PII: Public identifier of a customer or employee, or risk of direct misuse. Risk = High: information is publicly available to identify an individual or misuse the data directly.
Type II – Company: Internal identifier of a customer or employee. Risk = Medium: information is not publicly available but may be known to employees and contractors.
Type III – Inference: Information other than Type I or Type II that may disclose the identity of an individual through inference. Risk = Varies: inference risk must be analyzed on a case-by-case basis, documented, and raised to security stakeholders.

Customer data
• Name
• Phone number, e-mail
• Address
  – Street address, Zip+4
  – Care of…, Attn: ...
• SSN or other national identifier
• Birth date and other dates
• Credit card #, bank account #
• Comment fields
• Customer ID
• Account #
• Internal sequence key
Employee data
• Employee or Corporate ID
• Salary, Benefits
• HR status (termination, personnel issues)
• Family data
• Manager information
• Cost Center data
Vendor Data
Security Identifiers
• CUSIP, ISIN, SEDOL
• Other Identifiers: NAV, type of Security
• Name, Number, Symbol
Activity
• Account balances, transactions, trade date
• Assets/holdings, trade dates
Financials
• Price, quantity, legal fees, vendor payments
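As an added illustration (not DMsuite code and not from the Axis deck), the following Python sketches the two discovery methods named on the Expertise slide, metadata matching on column names and pattern matching over the stored values, and tags each hit with the Type I/II/III and risk categories above. The sample table, column names, regexes and rule mappings are constructed for this example.

```python
import re

# Constructed sample table (column name -> sample values); nothing here is real data.
SAMPLE_TABLE = {
    "CUST_NAME": ["Jane Doe", "John Roe"],
    "SSN": ["123-45-6789", "987-65-4321"],
    "CUST_ID": ["C00123", "C00456"],
    "NOTES": ["Called re: card 4111 1111 1111 1111", "Address change to 12 Main St"],
    "ORDER_QTY": ["3", "7"],
}
# Metadata rules (assumed): a column-name fragment maps to (element, type, risk) in the deck's taxonomy.
METADATA_RULES = [
    (re.compile(r"ssn|national_?id", re.I), ("SSN", "I", "High")),
    (re.compile(r"name", re.I), ("Name", "I", "High")),
    (re.compile(r"cust(omer)?_?id|acc(oun)?t", re.I), ("Customer ID / Account #", "II", "Medium")),
    (re.compile(r"note|comment|desc", re.I), ("Comment field", "III", "Varies")),
]
# Data-pattern rules run over the values, which is what finds a card number typed into a notes field.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    # Luhn checksum: drops digit runs that only look like card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

def scan_value(value):
    # Pattern-match one stored value; each hit is (element, type, risk, method).
    found = set()
    if SSN_RE.search(value):
        found.add(("SSN", "I", "High", "pattern"))
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.add(("Credit card #", "I", "High", "pattern"))
    return found

def profile_table(table):
    # Build the inventory: column -> sorted findings from both metadata and data pattern matching.
    inventory = {}
    for column, values in table.items():
        findings = {(e, t, r, "metadata") for rule, (e, t, r) in METADATA_RULES if rule.search(column)}
        for v in values:
            findings |= scan_value(v)
        inventory[column] = sorted(findings)
    return inventory

def highest_risk(inventory):
    # Summarise each column by its top risk rating; None when nothing sensitive was found.
    return {c: max((f[2] for f in fs), key={"High": 3, "Medium": 2, "Varies": 1}.get, default=None)
            for c, fs in inventory.items()}
```

Running `profile_table(SAMPLE_TABLE)` flags the NOTES column twice: as a Type III comment field from its name and as Type I/High from the card number found in its text, which is the free-text case the Expertise slide calls out.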
Sensitive Data Assessment - Drivers
DMsuite™ profiler addresses the need to secure sensitive data in the following situations:
– In-house Application development for development, testing and integration work.
– Offshore - masked data provides the same level of quality as production and is safe.
– Third Party Vendors - If a vendor application breaks, 90% of problems can be reproduced and fixed using masked data, eliminating the risk of exposure to third parties.
– Analytics uses data from different systems to provide insight about the health of your business. Why are the analysts receiving patient address information if they are looking at clinical trial results?

Any Businesses Falling Under
• HIPAA - Healthcare and Pharmaceutical are required to secure Patient Health Information
• Sarbanes-Oxley Act (2002)
• MA MGL93H - Companies with customers in Massachusetts
• State privacy laws - All companies must follow their own
• Gramm-Leach-Bliley Financial Services Modernization Act (1999)
Multi-nationals - face requirements including:
• JAPAN: Apr 2005 – Personal Information Protection Law, similar to Senate Bill No 1386 – State of California
• CANADA: Jan 2005 – Personal Information Protection and Electronic Documents Act
• FRANCE: Oct 2005 – Computing and Liberties Act
www.axistechnologyllc.com
70 Federal Street
Boston, MA 02110
(857) 445-0110