WSV323: Information governance for unstructured data using the

Session Objectives

Key Takeaways
  Data Classification Toolkit

  Who it serves, and what each role gets:
  • CSO/CIO department: regulation translated to control objectives
  • Infrastructure support: control objectives turned into control activities and monitoring
  • Content business owner: helps identify the information and drives the business case for compliance
  • Information worker: performs the job without needing to worry about regulations
Option 1: Reactive - Do nothing until you have to
  • Predictable cost (just add storage)
  • Potentially enable BitLocker to encrypt the disk that the data resides on (this protects the volume at rest against offline theft; it does not stop an authorized user from copying or leaking the data)
  • Potentially high cost when a need comes up (audit, eDiscovery, leakage …)

Option 2: Proactive – Taking steps towards data governance on file servers
  • Get insight into the information and apply policy
  • Apply common data governance policies: encryption, retention
  • Start with one department (e.g. Finance) and expand to additional departments
  • Expire data to reduce cost and risk
Solution Accelerator

  Knowledge
    • Establish classification baseline
    • Provide information governance policies
  IT GRC Integration
    • Map to compliance requirements
    • Demonstrate IT data governance & compliance for audits
  Multiple File Server Support
    • Maintain consistency across file servers
    • Reduce manual labor
    • Aggregated reporting
  Reporting

  Goals
    • Simple ontology to be used across Windows Servers
    • Actionable based on data governance and protection policies



  Authoritative
    • Health industry (HIPAA/HITECH)
    • US government (NIST 800-60)
    • Financial industry (Sarbanes-Oxley)
    • Credit card industry (PCI-DSS)
    • Privacy laws (PII)
  Harmonized
    • Ships required terms, extensible by customers
    • Applicable to hundreds of authority documents
  Validated
    • Reviewed by IT pros, legal, auditors, customers in the industry
Area                   Property                        Values
Information Privacy    Personally Identifiable         High; Moderate; Low; Public; Not PII
                       Information
                       Protected Health Information    High; Moderate; Low
Information Security   Confidentiality                 High; Moderate; Low
                       Required Clearance              Restricted; Internal Use; Public
                       Compliancy                      SOX; PCI; HIPAA/HITECH; NIST SP 800-53; NIST SP 800-122;
                                                       U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA;
                                                       EU Data Protection Directive; Japanese Personal
                                                       Information Privacy Act
Legal                  Discoverability                 Privileged; Hold
                       Immutable                       Yes/No
                       Intellectual Property           Copyright; Trade Secret; Patent Application Document;
                                                       Patent Supporting Document
Records Management     Retention                       Long-term; Mid-term; Short-term; Indefinite
                       Retention Start Date            <Date Value>
Organizational         Impact                          High; Moderate; Low
                       Department                      Engineering; Legal; Human Resources …
                       Project                         <Project>
                       Personal Use                    Yes/No
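The "expire data to reduce cost and risk" step from Option 2 is where the Records Management and Legal properties above meet. The following is an added example, not code from the deck or from the Data Classification Toolkit: it computes which files a retention policy may expire, and shows the check a practitioner wants, namely that a file on legal Hold or marked Immutable is never expired regardless of its Retention value. The retention periods, the sample files and their property values are constructed for the example; the deck names the values but not their lengths.

```python
"""Retention expiry selection using the deck's Records Management and Legal
properties. Added example; the periods and sample files are constructed."""
from datetime import date, timedelta

# Assumed retention periods. The deck only names the values; the lengths
# are a policy decision and are not taken from it.
RETENTION_DAYS = {"Short-term": 365, "Mid-term": 3 * 365, "Long-term": 7 * 365}


def expiry_date(props):
    """Return the date on which a file may be expired, or None if it must be kept.

    Legal properties override Records Management: a file on legal Hold or
    marked Immutable never expires, whatever its Retention value says.
    """
    if props.get("Discoverability") == "Hold" or props.get("Immutable") == "Yes":
        return None
    retention = props.get("Retention")
    start = props.get("Retention Start Date")
    if retention in (None, "Indefinite") or start is None:
        return None
    if retention not in RETENTION_DAYS:
        raise ValueError(f"unknown Retention value {retention!r}")
    return start + timedelta(days=RETENTION_DAYS[retention])


def select_expired(files, today):
    """Return the sorted names of files whose retention period has elapsed as of `today`."""
    expired = []
    for name, props in files.items():
        due = expiry_date(props)
        if due is not None and due <= today:
            expired.append(name)
    return sorted(expired)


# Constructed sample: classification properties as a file management job would read them.
SAMPLE_FILES = {
    "finance/q3-2008-forecast.xlsx": {"Retention": "Short-term",
                                      "Retention Start Date": date(2008, 10, 1)},
    "finance/fy2009-ledger.xlsx": {"Retention": "Long-term",
                                   "Retention Start Date": date(2009, 7, 1)},
    "legal/acme-dispute.docx": {"Retention": "Short-term",
                                "Retention Start Date": date(2008, 1, 15),
                                "Discoverability": "Hold"},
    "hr/policy-handbook.pdf": {"Retention": "Indefinite",
                               "Retention Start Date": date(2005, 1, 1)},
    "eng/release-notes.txt": {"Retention": "Mid-term",
                              "Retention Start Date": date(2009, 3, 1),
                              "Immutable": "Yes"},
}

if __name__ == "__main__":
    for name in select_expired(SAMPLE_FILES, date(2011, 6, 1)):
        print("expire:", name)
```

Only the Q3 2008 forecast is selected: the ledger has not reached its period, the dispute file is on Hold, the handbook is Indefinite, and the release notes are Immutable. An FCI file management job's expiration action moves matching files to an expiration directory rather than deleting them, so a selection like this is reversible until the directory itself is cleaned up.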
Payment Card Industry - Data Security Standard

  Board of Dir./CEO; Audit Committee
  CIO/CSO: Data Classification; Data Protection
  IT Pro: Classify data containing PII; RMS-protect data containing PII
  IT Pro: Implement controls for PCI-DSS; Create classification baseline for PCI-DSS (import & customize)
  IT Pro: Export baseline; Apply baseline to all file servers
  Auditor / Compliance Manager: Validate (against reports)
  IT Pro: Monitor

  1. Configure
  3. Collect
  4. Report
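The "Classify data containing PII" step above, and the ontology table before it, are where a deployment stands or falls: a content rule that tags every 16-digit number as cardholder data floods the Report step with order numbers and serials. The following is an added example, not code from the deck or the toolkit; it implements the classification step for the PCI case over constructed sample files, keeps only Luhn-valid card numbers, maps findings to the deck's property and value names, and models the three re-evaluation options (Never, Overwrite, Aggregate) that decide what happens when a file already carries a value. The sample files and detector patterns are assumptions for the example.

```python
"""Content classification against the deck's ontology. Added example: the
detector logic and sample files are constructed; FCI's own classifier is
configured through FSRM rules, not through this code."""
import re

# Ordered-list properties from the deck, most sensitive value first.
ORDERED = {
    "Personally Identifiable Information": ["High", "Moderate", "Low", "Public", "Not PII"],
    "Confidentiality": ["High", "Moderate", "Low"],
}

# 16 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
# US SSN in the common dashed form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn check (ISO/IEC 7812): separates card numbers from order IDs and serials."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Candidate PANs that also pass Luhn. A bare 16-digit regex over-classifies."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def classify(text):
    """Map content findings to property/value pairs from the ontology table."""
    props = {}
    if find_pans(text):
        props["Personally Identifiable Information"] = "High"
        props["Confidentiality"] = "High"
        props["Compliancy"] = "PCI"
    elif SSN_RE.search(text):
        props["Personally Identifiable Information"] = "High"
        props["Confidentiality"] = "High"
    else:
        props["Personally Identifiable Information"] = "Not PII"
    return props


def merge(existing, new, reevaluate="Aggregate"):
    """Combine a new classification with values already on the file.

    Mirrors the three FCI re-evaluation options: Never keeps any value already set,
    Overwrite takes the new one, Aggregate keeps the more sensitive value for an
    ordered-list property (and otherwise keeps the existing value).
    """
    out = dict(existing)
    for name, value in new.items():
        if name not in out or reevaluate == "Overwrite":
            out[name] = value
        elif reevaluate == "Aggregate" and name in ORDERED:
            rank = ORDERED[name].index
            out[name] = min(out[name], value, key=rank)
    return out


def classify_share(files, existing=None, reevaluate="Aggregate"):
    """Classify every file and return {name: properties}, the input for the Report step."""
    existing = existing or {}
    return {name: merge(existing.get(name, {}), classify(text), reevaluate)
            for name, text in files.items()}


# Constructed sample files standing in for a share. 4111 1111 1111 1111 is a
# well-known test PAN (Luhn-valid); 1234 5678 9012 3456 is 16 digits but fails Luhn.
SAMPLE_FILES = {
    "finance/cardholder.txt": "Refund to card 4111 1111 1111 1111, auth code 73A1",
    "sales/orders.txt": "Order 1234 5678 9012 3456 shipped to warehouse 7",
    "hr/new-hire.txt": "Employee SSN 123-45-6789, start date 2011-06-01",
    "marketing/press.txt": "Contoso announces its Q3 appliance line-up",
}

if __name__ == "__main__":
    for name, props in classify_share(SAMPLE_FILES).items():
        print(name, props)
```

Two points carry over to a real FCI deployment. First, the built-in content classifier matches strings and regular expressions only; a Luhn check needs a custom classification module or a post-processing pass over the report, so budget for the false positives a regex-only rule will produce. Second, the re-evaluation setting matters for the Aggregate case: once a file has been tagged High, a later rule that finds nothing must not silently downgrade it, which is what the Aggregate branch above enforces and Overwrite does not.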
Working together!
  PCI-DSS (Regulation) maps to the IT GRC Process Management Pack (Regulations, Controls)
  Board of Dir./CEO; Audit Committee
  CIO/CSO: Data Classification; Data Protection
  IT Pro: Classify data containing PII; RMS-protect data containing PII, using the Data Classification Toolkit (Knowledge + Multiple File Server Support) on top of File Server & FCI
Shahed K. Latif, Partner, Information Security, KPMG

  • Are controls designed in accordance with information asset value and risk?
  • Are resources allocated in accordance with value and risk?
  • Are data protection needs communicated to the PMO, Internal Audit, Legal, BI, etc.?
  • Where does information come from and where does it go?
  • Is the organization adequately profiting from the use of information?
  • Which processes, and what data, drive business value and risk?
  • Does the business comply with employee, customer, and third party privacy requirements?
  • Who has access to what?
  • Do incident response programs adequately address data breaches?
  • Are tools used to restrict data leakage and loss?
  • Do controls protect the quality, integrity, completeness, and availability of data?
  • How are employees trained?
  • Do contract terms and/or SLAs reflect information asset requirements and controls (owned and managed)?
  • Is proper notification provided in the event of data breach?
  • Is IT effectively collecting, organizing, storing, retrieving, and disposing of electronic data and content?
  • Is data duplication, redundancy, and exposure minimized?
Global Manufacturer and Marketer of Major Home Appliances
  Client Industry / Description
  • Consumer Products

  Client Challenge
  • The client requested assistance with identifying, defining, classifying, and locating information assets and (data) owners for
    the organization’s consumer data, employee data, and intellectual property related to product engineering. This project was
    the first component of a larger initiative to implement a global security risk management program for the organization.

  Approach
  • KPMG began by conducting a current state assessment to identify existing data classification procedures and to evaluate
    high-level information handling practices. KPMG then designed a data classification framework to identify, label, and define
    security control requirements for confidential data. Using a GRC tool, KPMG then ran end-user surveys to identify and
    define confidential data types across several departments and to calculate the inherent risk of each of those data types based on
    the sensitivity of the information and its usage. In addition, KPMG created a data classification charter for the organization,
    provided recommendations for updating their existing corporate information classification policy, and developed technical data
    handling standards.


  Outcomes
  • This project allowed the client to identify and locate its most critical data across the organization, as well as established
    policies and processes for assessing the risks and controls related to the storage, processing, and transmission of those
    information assets.
Sign up

  [Roadmap timeline: Q4 2010 through Q3 2011]
WSV317 Windows Server 2008 R2 File Services Consolidation: Technology Update (Thurs 10:15am – 11:30am)
WSV314 Microsoft Assessment and Planning (MAP) Toolkit 5.5 Enhanced Server Consolidation Assessments for Hyper-V (Thurs 4:30pm – 4:45pm)
WSV23 - File Services & Windows Storage Server 2008 R2 Booth

Sign Up
  secwish@microsoft.com
  www.microsoft.com/grc
  www.microsoft.com/fci
Blue Section

http://www.microsoft.com/cloud/
http://www.microsoft.com/privatecloud/
http://www.microsoft.com/windowsserver/
http://www.microsoft.com/windowsazure/
http://www.microsoft.com/systemcenter/
http://www.microsoft.com/forefront/
http://northamerica.msteched.com

www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn