Data Security Essentials - Course Contents
Day One – Framework and Policy
1. Introduction
- What is data? Where does data live? Who owns it? Who manages it?
- What is data security?
- Why is data security needed?
- What are the expectations of our senior management, executives, board of directors/governing bodies, and customers?
Exercise One
Sets the stage for developing a common understanding of “data”. What is data at your company? Where does data live?
2. The Role of Corporate/Organisational Governance and IT/Information Security Governance in Building a Data Security Programme
- Corporate/Organisational governance role in data security
- IT and Information Security governance role in data security
- IT/Information Security Governance Frameworks and Standards
• COBIT 4.1 and data security
• ISO 27001/27002 and data security
3. Key players and Roles in the Data Security Programme
- Introduction to RACI Charts
- The business
- IT and Information Security
- Customer
- Government
Exercise Two
Understand how to use tools such as RACI charts to help communicate with senior management and to identify the key players in your organisation. This exercise will help participants understand who they need to work with to improve their data security programme.
4. Building your data security programme: A step-by-step approach to building a data security programme that aligns with the strategic goals of the organisation and with leading IT and Information Security governance frameworks and standards
- Start with a risk assessment
- Understand risks and create risk treatment plan
• Consider compliance/legal requirements (PCI, SOX, Privacy, etc.) as inputs for the risk treatment plan
- Receive management approval for implementing the risk treatment plan
- Implement controls required by risk treatment plan
- Implement solutions to measure effectiveness of controls
- Implement training and awareness programmes
- Implement monitoring and construct procedures for rapid detection of security events and responses to incidents
Exercise Three
Movie – “New Face of Cybercrime”. We are now transitioning from theory to practice. This movie places us into the frame of mind of discussing practical, real-world issues and finding solutions to the real data security threats we face. What keeps you up at night? What are your company’s most significant risks? External? Internal? Illegal activity? Mistakes?
5. Writing the Data Security Policy – The strong foundation of your risk treatment plan will be your Data Security Policy
- Leveraging ISO 27001/27002 and COBIT to build a comprehensive policy
- Understanding data as a company asset
- Ownership of data assets
- Access control
- Acceptable use of data assets
- Data classification
- Labeling and handling data assets
- Monitoring and continuous improvement
- Integration with your other Information Security, IT, Risk Management and business policies such as the backup policy, business continuity and disaster recovery, and others
Exercise Four
Not all data security policies are the same. Similar industries will face similar risks. In this exercise attendees will review in teams a sample data security policy and craft up to five suggestions on how to improve the policy for their own industry. This group effort will help team members with ideas for improvement of their policy when they return to their organisation.
Day Two – Controls, Monitoring and Incident Response
6. Data Security Controls – people and technology
- Current state of many organisations – what’s not working and why?
- Data security and the fallible human being – implementing controls (including training) that limit accidental misuse of data and data disclosure
- Handling internal and external bad actors and why this is a never-ending battle
• Case study – The struggle against phishing attacks and criminal attempts to extract data from SaaS providers (salesforce.com). Using public information we will explore what happened during the 2006 phishing attacks, the controls salesforce.com implemented, and additional controls that could potentially further mitigate the risk.
- Multi-layered defenses – preventative and detective controls
Exercise Five
Attendees will see they are not alone. All organisations have room for improvement. What are the major control weaknesses for organisations? What is preventing organisations from improving those controls? The list of control weaknesses from this exercise will be mapped to potential solutions discussed in the next section of the course.
7. New technical solutions for improving data security
- Just because they are new and “everyone” is implementing one, should you implement one too?
- Data Leakage Prevention
- Database Logging/Security
• Case study – Explore how privileged users, such as database administrators, can monetize their access to company and customer data at financial institutions. This case will identify two scenarios in which a database administrator could monetize their access for significant personal financial gain with little risk of discovery, why conventional controls are inadequate, and the potential controls that could mitigate the risk.
- Identity and Access Management
- End Point Security
- Network Access Control
- Vulnerability Assessment
- Enterprise Password Management
- Data masking
- Encryption
- Intrusion Detection/Prevention (NIDS/NIPS, HIDS/HIPS, WIDS/WIPS)
- Web application data security
- Patch management
Exercise Six
Attendees will have an opportunity to identify one security control which they believe should be implemented in their organisation. Why choose that one? What risk is mitigated? How easy would it be to implement? Attendees will also have an opportunity to learn about controls that they may want to implement in the future.
Exercise Seven
Databases are where much of the company and customer data is stored; however, many organisations do not appropriately test the security of these repositories. This exercise will demonstrate how easy it is to gain an understanding of database security risks. It features a hands-on session using Scuba, the Database Vulnerability Scanner from Imperva.
8. Testing, monitoring and continuous improvement
- Using ISO 27001 and COBIT to implement appropriate testing, monitoring and continuous improvement
- Following your policy – Testing, monitoring and continuous improvement should be part of your policy
• Case study – Pre-implementation testing as well as regular real-world tests are important. In this short case, a major US colocation provider failed to appropriately test its diesel generators. This case will show that, when designing your test plans, you should attempt to simulate real-world conditions.
- Log aggregation, correlation, alerting, and remediation
- Creating your own metrics
- Managing remediation
- Incident management
- Forensic investigations
9. Audit
- The role of Internal Audit and using Internal Audit to improve Data Security
- External Audit – why are they here and what are they looking for?
10. 3rd Parties and Outsource Partners
- Building Data Security requirements into outsource agreements
- Understanding the risk of outsourcing
- Creating a framework for assessing potential outsource partners
- Verifying adherence to the data security requirements integrated into outsource agreements