Confidential Data

Description: PowerPoint (PPT) presentation. Speaker: Michael Stutz, Consultant.


Confidential Data

Upgrade from 8.x to 9.0

Speaker

• Michael Stutz - Consultant

• 22 years of IT industry experience

• 15 years of PeopleSoft experience

• PeopleSoft v.2.11 – v.9.0

• Mostly Technical but some Functional

• Primary: HRMS / Payroll / Benefits

• Recently: Campus Solutions

• . . . also some CRM and Financials

• Numerous International Banks

• Very Large Corporations

• Very Small Companies

Agenda

• Who – Whose data is it anyway?

• What – Elements of Concern

• Why – Driving Factors

• How – Protection in Action

• Where – Environments

• When – & When Not to!

• Tools – Secure, Separate, Scramble

• Questions & Answers

WHO – Has Information

Applications

  o HRMS / Payroll / Benefits

  o Campus Solutions (Student Admin / Financials / Aid)

  o Financials (GL / AP / AR / etc.)

  o Customer Relationship Management (CRM)

Departments or Parts of the Organization

  o IT

  o Call Centers

  o Marketing

  o Sales and Sales Operations

  o HR / Payroll / Benefits

  o Legal

  o Finance and Accounting

  o Research and Development

WHO – Needs Access

• Management

  o Department Heads (Corporate)

  o Managers with Direct Reports (Line Managers)

• Back Office

  o Human Resources / Payroll / Benefits

  o Accounting

  o Corporate Dashboards and Reporting

• IT

  o Developers

  o Database & Systems Administration

  o IT Management

• Interfaces to Other Organizations

WHO – Is Responsible

• Management

  o Department Heads (Corporate)

  o Managers with Direct Reports (Line Managers)

• Back Office

  o Human Resources / Payroll / Benefits

  o Accounting

  o Corporate Dashboards and Reporting

• IT

  o Developers

  o Database & Systems Administration

  o IT Management

• Interfaces to Other Organizations

Keep Needs, Access, & Responsibility Synchronized

WHAT

Elements of Concern

  o Intellectual Property

  o Business Confidential Information

  o Customer and Consumer Data

  o Employee Data

Motion

  o At Rest

  o In Transit within Organisation

  o In Transit on the WWW

WHAT

Intellectual Property / Business Confidential

  o Business Strategy

  o Project & Costing

  o Marketing Plans

  o Budgets and Forecasts

WHAT

Customer & Consumer

  o Key Accounts

  o Contact Information

  o Product or Service Issues

  o Contracts

WHAT

Employee Data

  o Social Security Numbers

  o Dates of Birth

  o Pay Information

  o Health Care Information

  o Dependants & Dependant Information

  o Company Structure & Internal Contacts

WHY

Risks Internal to Organization

• Employee Negligence

• Malicious Employees

• Business Processes

Risks External to Organization

• Hackers / Theft (Laptops, USB Drives, etc.)

• Competition

• Sarbanes-Oxley / Basel I & Basel II

WHY

Costs

• Confidentiality Legal Issues

• Loss of Competitive Edge

• Employee Compensation Issues

Sarbanes-Oxley

• Responsibility of Corporations

Basel I & Basel II

• Responsibility of Banks

• Risk Management

WRITE THIS DOWN . . .

www.wikipedia.org

WHY (SOX)

• Risk Assessment

• Control Environment

  o Culture based on Awareness & Integrity

Keeping Balance: “What is our Business?”

• Control Activities

• Monitoring / Auditing

• Information and Communication

Half Way There!

HOW

Create the Culture

Define Data Types

Identify Who is Responsible and Accountable

Reduce Access

Maintain Controls

Maintain Culture

Test

(steps)

HOW - Create the Culture

Addressed at All Levels of Organization (Vertical)

Addressed across Corporation (Horizontal)

Support of Upper Management (Top Down)

Keep the Balance (Mind Your Business!)

Cost / Benefit / RISK

  o Money in your Mattress?

  o Day-trading Penny Stocks?

HOW - Define Data Types

• What is Confidential Data?

• How do I Classify my Data?

HOW - Responsible & Accountable

Identify those Responsible

Identify those Accountable

Identify those who need access

Designate Authority Accordingly

Ensure Responsibility, Accountability, and Authority are properly balanced and applied.

HOW – Reduce Access

Reduction of Access

• Departmental Segregation

• Within IT

• Balanced against Cost

• Balanced against Effectiveness

• Balanced against Trust

HOW – Maintain Controls

Access to Data

• Application Security

• Database Security

• Network Security

Where is my Data?

• Laptops

• PDAs

• eMail

• Internal / External

HOW – Maintain Culture

Security Awareness

Across The Organization

Vertically within Organization

KEEPING THE BALANCE!

HOW - Test

Audit

Ask!

White Hat

Trigger Monitoring Tools

Triage Scenarios

MIND YOUR BUSINESS

WHERE

PRODUCTION

STAGING

TEST

DEVELOPMENT

VANILLA

TRAINING

WHERE

[Diagram: PRODUCTION, STAGING, TEST and DEVELOPMENT environments, with the flow between them labelled MODS]

WHERE

[Diagram: PRODUCTION, STAGING, TEST and DEVELOPMENT environments, with the flow between them labelled DATA]

WHERE

[Diagram: PRODUCTION and TRAINING environments, with flows labelled METADATA and DATA]

WHERE

[Diagram: PRODUCTION and TRAINING environments, with the data grouped as follows]

FOUNDATION

CONFIDENTIAL

• Data Scrambler

• Mockup Data

GENERAL DATA

WHEN

Review the Who . . .

  o Database Administrators

  o System & Network Administrators

  o Developers

  o Management

  o Back Office

WHEN

  o Database Administrators: Have Access. Period.

  o System & Network Administrators: No Application Access; Any and All Reports

  o Developers: Negotiable!

  o Management – Application Security

  o Back Office – Application Security

WHEN - Developers

Cost / Benefit / Risk

How Many Developers

Organization of Developers

Production Support

Modifications & Testing

Database Access

WHEN - Developers

[Diagram: PRODUCTION, STAGING, TEST and DEVELOPMENT environments, with the flow between them labelled DATA]

Tools (types)

Secure

  o Database

  o Application

Separate

  o Applications (HR & Financials)

  o Roles (Centralized vs Normalized)

  o Environments (TST, DEV, TRN)

Scramble

  o Select Environments

  o On the Fly

TOOLS - Separate

Identify Data Types

  o SSN

  o DOB

  o Compensation

Department (Name & EMPLID Scrambled)

Identify Records (Boeing / Princeton)

  o EMPLID

  o Compensation

Paycheck (Not keyed by EMPLID)
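The following script is an added illustration of the "Scramble" tool type and of the data types and records identified above; it is example code written for this page, not the presenter's or PeopleSoft's own scrambler. It scrambles SSN, date of birth, name, EMPLID and compensation in a copy of three simplified tables and maps EMPLID consistently across all of them, so a paycheck row that carries EMPLID only as a non-key column still resolves after the refresh. The table names, column names, sample rows and key value are constructed assumptions.

```python
"""Constructed example: scrambling a copy of production HR data for a
non-production environment (TST / DEV / TRN). Table and column names are
simplified stand-ins, not the real application schema."""
import hashlib
import hmac
from datetime import date, timedelta

# Secret held only by the refresh job. This literal is a constructed
# placeholder; a real job would load it from a secret store.
SCRAMBLE_KEY = b"constructed-example-key"


def _digest(key: bytes, label: str, value: str) -> bytes:
    """Keyed digest: the same input scrambles the same way within one refresh,
    but the original cannot be recovered without the key."""
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()


def _num(key: bytes, label: str, value: str, modulus: int) -> int:
    return int.from_bytes(_digest(key, label, value)[:8], "big") % modulus


def scramble_emplid(emplid: str, key: bytes = SCRAMBLE_KEY) -> str:
    # Letter prefix marks scrambled ids and keeps them apart from real numeric ids.
    return "Z" + str(_num(key, "EMPLID", emplid, 10**8)).zfill(8)


def scramble_ssn(ssn: str, key: bytes = SCRAMBLE_KEY) -> str:
    """Nine digits in the usual layout but with a leading 9; the SSA has not
    issued numbers in that range, so scrambled values never match a real person."""
    digits = str(_num(key, "SSN", ssn, 10**8)).zfill(8)
    return f"9{digits[:2]}-{digits[2:4]}-{digits[4:]}"


def scramble_dob(emplid: str, dob: date, key: bytes = SCRAMBLE_KEY) -> date:
    # Shift by -180..+180 days per employee: age bands stay usable for testing
    # benefits rules while the real date is gone.
    return dob + timedelta(days=_num(key, "DOB", emplid, 361) - 180)


def scramble_amount(emplid: str, amount: float, key: bytes = SCRAMBLE_KEY) -> float:
    # +/-20% jitter keeps payroll arithmetic plausible. The original band is
    # still inferable, so prefer mock-up values where that matters.
    factor = 0.8 + _num(key, "AMT", emplid, 4001) / 10000
    return round(amount * factor, 2)


def scramble_dataset(dataset: dict, key: bytes = SCRAMBLE_KEY) -> dict:
    """dataset maps table name -> list of row dicts. EMPLID is remapped in every
    table, keyed or not, so references between tables still line up."""
    id_map = {}
    for row in dataset["PERSONAL_DATA"]:
        new_id = scramble_emplid(row["EMPLID"], key)
        if new_id in id_map.values():
            raise ValueError(f"scrambled id collision for {row['EMPLID']}")
        id_map[row["EMPLID"]] = new_id
    out = {"PERSONAL_DATA": [], "COMPENSATION": [], "PAYCHECK": []}
    for row in dataset["PERSONAL_DATA"]:
        new_id = id_map[row["EMPLID"]]
        out["PERSONAL_DATA"].append({
            "EMPLID": new_id,
            "NAME": f"Employee,{new_id}",  # mock-up name, no real name retained
            "SSN": scramble_ssn(row["SSN"], key),
            "BIRTHDATE": scramble_dob(row["EMPLID"], row["BIRTHDATE"], key),
        })
    for row in dataset["COMPENSATION"]:
        out["COMPENSATION"].append({
            "EMPLID": id_map[row["EMPLID"]],
            "COMPRATE": scramble_amount(row["EMPLID"], row["COMPRATE"], key),
        })
    for row in dataset["PAYCHECK"]:  # keyed by PAYCHECK_NBR; EMPLID is a plain column
        out["PAYCHECK"].append({
            **row,
            "EMPLID": id_map[row["EMPLID"]],
            "NET_PAY": scramble_amount(row["EMPLID"], row["NET_PAY"], key),
        })
    return out


def verify_scramble(original: dict, scrambled: dict) -> dict:
    """Checks a refresh job should run before handing the copy to developers."""
    real_ssns = {r["SSN"] for r in original["PERSONAL_DATA"]}
    real_ids = {r["EMPLID"] for r in original["PERSONAL_DATA"]}
    new_ids = {r["EMPLID"] for r in scrambled["PERSONAL_DATA"]}
    referenced = {r["EMPLID"] for t in ("COMPENSATION", "PAYCHECK") for r in scrambled[t]}
    return {
        "no_real_ssn": not any(r["SSN"] in real_ssns for r in scrambled["PERSONAL_DATA"]),
        "no_real_emplid": not ((new_ids | referenced) & real_ids),
        "ids_unique": len(new_ids) == len(original["PERSONAL_DATA"]),
        "references_resolve": referenced <= new_ids,
    }


SAMPLE = {  # constructed rows, not real data
    "PERSONAL_DATA": [
        {"EMPLID": "000101", "NAME": "Smith,Ann", "SSN": "123-45-6789", "BIRTHDATE": date(1975, 3, 9)},
        {"EMPLID": "000102", "NAME": "Jones,Bo", "SSN": "987-65-4321", "BIRTHDATE": date(1988, 11, 30)},
    ],
    "COMPENSATION": [
        {"EMPLID": "000101", "COMPRATE": 72000.00},
        {"EMPLID": "000102", "COMPRATE": 54000.00},
    ],
    "PAYCHECK": [
        {"PAYCHECK_NBR": 5001, "EMPLID": "000101", "NET_PAY": 2150.25},
        {"PAYCHECK_NBR": 5002, "EMPLID": "000102", "NET_PAY": 1610.40},
    ],
}

if __name__ == "__main__":
    result = scramble_dataset(SAMPLE)
    for table, rows in result.items():
        print(table, rows)
    print(verify_scramble(SAMPLE, result))
```

The keyed, deterministic mapping is what makes the "Department (Name & EMPLID Scrambled)" point workable: every table that carries EMPLID gets the same replacement, and the verification step confirms that no original SSN or EMPLID survives and that every compensation and paycheck row still points at a row in the scrambled personal data. The key is discarded after the refresh, so the mapping is not reversible from the copy.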

WRITE THESE DOWN . . .

www.heres2u.com (Presentation & Resume)

www.sennac.com (RBAC & FURBAC)

(Johan Bethlehem)

Questions

Contact Information:

Michael Stutz

(888) 757-2616

http://heres2u.com
