Upload
lumension
View
301
Download
0
Tags:
Embed Size (px)
Citation preview
How Mature is Your Data Protection?
Today’s Agenda
Introduction
Aspects of Data Protection : The Survey Says …
A Model of Data Protection Maturity
Q & A
Today’s Panelists
3
Roger A. GrimesSecurity Consultant, Author
and Columnist
Ken OlsenPrincipal Security Engineer
ISO/IEC 27001:2005 Information Security Management System Lead Auditor
4
Discovering the State of Data Protection
Data Protection Maturity Assessment Survey• Anonymous Results • Over 170 Initial Respondents • Respondent Screening
Three areas of focus• Administrative Controls• Technical Controls • “Organizational Motivation”
Results of parallel, UK-targeted survey available at: http://www.lumension.com/Resources/WhitePapers/How-Mature-is-Your-Data-Protection.aspx
8%
10%
6%
12%
11%
9%
11%
33%
Survey Results:How many people work at your organization?
1 to 9
10 to 49
50 to 99
100 to 499
500 to 999
1,000 to1,999
2,000 to 4,999
5000+
Aspects of Data Protection: The Survey Says …
6
20%
45%
29%
6%
What type of IT data protection policies exist?
Exhaustive
Multiple
Minimal
None
Other (please specify)
Administrative Controls
7
Corpo
rate
Con
fiden
tiality
Custo
mer
Con
fiden
tiality
Mob
ile D
evice
Poli
cies
Data
Rights
Poli
cies
Corpo
rate
Righ
ts
Data
Remov
al
Third
Party
Righ
ts
None
Don't k
now
0%
20%
40%
60%
80%
100%86%
74%
47% 44% 45%
30% 32%
4% 1%
Which of the following organizational guide-lines are included in your employee agree-
ments?
Employee Agreement Clause Correlated Technical Controls
Corporate Confidentiality Whole DiskFile/Media EncryptionDevice /Port Control MDM
Customer Confidentiality Whole DiskFile/Media Encryption
Mobile Device Policies MDMWhole Disk
Based on Linear Correlation Analysis of Survey Data (>= +.6)
Administrative Controls: Driving Technology?
Technical Controls
8
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Which of the following technologies does your organization currently use, or plan to deploy within the next 24 months?
No plans
Plan to deploy
Currently deployed
Technical Controls
9
Delib
erat
e dat
a th
eft b
y em
ploye
es
Accid
enta
l dat
a lo
ss b
y em
ploye
es
Loss o
f sen
sitiv
e dat
a by
3rd p
arty
Gener
al d
ata
thef
t by
crim
inal
s
Indust
ry- /
Com
pany-
spec
ific
data
espio
nage
Theft o
f IT a
sset
s (la
ptops,
etc
.)
Cyber
atta
ck o
n mobile
pla
tform
s
Regula
tory
fines
and la
wsuits
Target
ed c
yber
atta
cks
Virus
or mal
ware
network
intru
sion
Softwar
e O/S
vuln
erab
ility
atta
cked
USB-born
e at
tack
Denia
l of S
ervi
ce (D
oS) atta
cks
None0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
16%
40%
10%17%
3%
42%
7%4%
17%
60%
27%
15%22%
15%
Have you experienced any of the following incidents in the past year?
Technical Controls – Survey Results
10
8%
17%
19%
22%
17%
12%
4%
Which of the following best describes your firm's policy for network access for personal devices such as smartphones
and tablets?
Open access
Access, with education
Access limited to higher level employees
Controlled access
No current access allowed, but may in future
No current access allowed, with not plans in the future
Don't know
Technical Controls – Correlations
11
Technology Correlated Technologies MDM DLP
DLP-Lite
Device / Port Control
Whole Disk
File / Media Encryption
Email Encryption
Application Data Encryption
Based on Linear Correlation Analysis (>= +.6 ) Strongest Correlations in Bold (>= +.7)
Several Correlations Existed between Technologies
One of the most prominent surrounded MDM
Organizational Motivation
12
16%
44%
16%
19%
4%
My organization has sufficient resources to achieve compliance with data security policies and best practices?
Strongly agree
Agree
Unsure
Disagree
Strongly disagree
Organizational Motivation
13
PCI DSS SOX / GLBA / Red Flag
HIPAA / HITECH Data Privacy Laws Other 0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Is your organization compliant with the following regulations, or do you plan to be compliant within the next 24 months?
Not applicable
Compliance planned
Currently compliant
A Data Protection Maturity Model
A Model for Data Protection Maturity
15
Rising to the Challenge
16
Creating Policies• Ad Hoc: Minimal or No Security Policies• Optimal: Comprehensive & Exhaustive
Educating Staff• Ad Hoc: One-Time or No Training• Optimal: On-Going, Formal Training
Enforcing Policies• Ad Hoc: Limited Technical Controls• Optimal: Robust Technical Controls
Q & A
More Information
• Free Security Scanner Tools» Application Scanner – discover all the apps
being used in your network» Vulnerability Scanner – discover all OS and
application vulnerabilities on your network » Device Scanner – discover all the devices
being used in your network
http://www.lumension.com/Resources/Security-Tools.aspx
• Lumension® Endpoint Management and Security Suite» Demo:
http://www.lumension.com/endpoint-management-security-suite/demo.aspx
» Evaluation: http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
• Get a Quote (and more)http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2
18
Global Headquarters8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
http://blog.lumension.com