How Mature is Your Data Protection?

How Mature is Your Data Protection? 3 Steps to Effective Data Security


Page 1: How Mature is Your Data Protection? 3 Steps to Effective Data Security

How Mature is Your Data Protection?

Page 2: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Today’s Agenda

Introduction

Aspects of Data Protection: The Survey Says …

A Model of Data Protection Maturity

Q & A

Page 3: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Today’s Panelists


Roger A. Grimes
Security Consultant, Author and Columnist

Ken Olsen
Principal Security Engineer
ISO/IEC 27001:2005 Information Security Management System Lead Auditor

Page 4: How Mature is Your Data Protection? 3 Steps to Effective Data Security


Discovering the State of Data Protection

Data Protection Maturity Assessment Survey
• Anonymous Results
• Over 170 Initial Respondents
• Respondent Screening

Three areas of focus
• Administrative Controls
• Technical Controls
• “Organizational Motivation”

Results of parallel, UK-targeted survey available at: http://www.lumension.com/Resources/WhitePapers/How-Mature-is-Your-Data-Protection.aspx

Survey Results: How many people work at your organization?

[Chart. Categories: 1 to 9; 10 to 49; 50 to 99; 100 to 499; 500 to 999; 1,000 to 1,999; 2,000 to 4,999; 5000+. Values as extracted: 8%, 10%, 6%, 12%, 11%, 9%, 11%, 33%.]

Page 5: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Aspects of Data Protection: The Survey Says …

Page 6: How Mature is Your Data Protection? 3 Steps to Effective Data Security

What type of IT data protection policies exist?

[Chart. Categories: Exhaustive; Multiple; Minimal; None; Other (please specify). Values as extracted: 20%, 45%, 29%, 6%.]

Administrative Controls

Page 7: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Which of the following organizational guidelines are included in your employee agreements?

[Chart, axis 0% to 100%. Categories: Corporate Confidentiality; Customer Confidentiality; Mobile Device Policies; Data Rights Policies; Corporate Rights; Data Removal; Third Party Rights; None; Don't know. Values as extracted: 86%, 74%, 47%, 44%, 45%, 30%, 32%, 4%, 1%.]

Employee Agreement Clause: Correlated Technical Controls
• Corporate Confidentiality: Whole Disk, File/Media Encryption, Device/Port Control, MDM
• Customer Confidentiality: Whole Disk, File/Media Encryption
• Mobile Device Policies: MDM, Whole Disk

Based on Linear Correlation Analysis of Survey Data (>= +.6)

Administrative Controls: Driving Technology?

Page 8: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Technical Controls

Which of the following technologies does your organization currently use, or plan to deploy within the next 24 months?

[Chart, axis 0% to 100%. Legend: No plans; Plan to deploy; Currently deployed.]

Page 9: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Technical Controls

Have you experienced any of the following incidents in the past year?

[Chart, axis 0% to 100%. Categories: Deliberate data theft by employees; Accidental data loss by employees; Loss of sensitive data by 3rd party; General data theft by criminals; Industry- / Company-specific data espionage; Theft of IT assets (laptops, etc.); Cyber attack on mobile platforms; Regulatory fines and lawsuits; Targeted cyber attacks; Virus or malware network intrusion; Software O/S vulnerability attacked; USB-borne attack; Denial of Service (DoS) attacks; None. Values as extracted: 16%, 40%, 10%, 17%, 3%, 42%, 7%, 4%, 17%, 60%, 27%, 15%, 22%, 15%.]

Page 10: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Technical Controls – Survey Results

Which of the following best describes your firm's policy for network access for personal devices such as smartphones and tablets?

[Chart. Categories: Open access; Access, with education; Access limited to higher level employees; Controlled access; No current access allowed, but may in future; No current access allowed, with no plans in the future; Don't know. Values as extracted: 8%, 17%, 19%, 22%, 17%, 12%, 4%.]

Page 11: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Technical Controls – Correlations

Technology: MDM

Correlated Technologies:
• DLP
• DLP-Lite
• Device / Port Control
• Whole Disk
• File / Media Encryption
• Email Encryption
• Application Data Encryption

Based on Linear Correlation Analysis (>= +.6). Strongest Correlations in Bold (>= +.7).

Several Correlations Existed between Technologies

One of the most prominent surrounded MDM

Page 12: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Organizational Motivation

My organization has sufficient resources to achieve compliance with data security policies and best practices?

[Chart. Categories: Strongly agree; Agree; Unsure; Disagree; Strongly disagree. Values as extracted: 16%, 44%, 16%, 19%, 4%.]

Page 13: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Organizational Motivation

Is your organization compliant with the following regulations, or do you plan to be compliant within the next 24 months?

[Chart, axis 0% to 100%. Categories: PCI DSS; SOX / GLBA / Red Flag; HIPAA / HITECH; Data Privacy Laws; Other. Legend: Not applicable; Compliance planned; Currently compliant.]

Page 14: How Mature is Your Data Protection? 3 Steps to Effective Data Security

A Data Protection Maturity Model

Page 15: How Mature is Your Data Protection? 3 Steps to Effective Data Security

A Model for Data Protection Maturity


Page 16: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Rising to the Challenge


Creating Policies
• Ad Hoc: Minimal or No Security Policies
• Optimal: Comprehensive & Exhaustive

Educating Staff
• Ad Hoc: One-Time or No Training
• Optimal: On-Going, Formal Training

Enforcing Policies
• Ad Hoc: Limited Technical Controls
• Optimal: Robust Technical Controls

Page 17: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Q & A

Page 18: How Mature is Your Data Protection? 3 Steps to Effective Data Security

More Information

• Free Security Scanner Tools
» Application Scanner – discover all the apps being used in your network
» Vulnerability Scanner – discover all OS and application vulnerabilities on your network
» Device Scanner – discover all the devices being used in your network
http://www.lumension.com/Resources/Security-Tools.aspx

• Lumension® Endpoint Management and Security Suite
» Demo: http://www.lumension.com/endpoint-management-security-suite/demo.aspx
» Evaluation: http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

• Get a Quote (and more)
http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2


Page 19: How Mature is Your Data Protection? 3 Steps to Effective Data Security

Global Headquarters

8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

[email protected]

http://blog.lumension.com