Confidential Data - PowerPoint PPT Presentation

About This Presentation
Title:

Confidential Data

Description:

Mostly Technical but some Functional. Primary: HRMS / Payroll / Benefits ... Negotiable! Management: Application Security. Back Office: Application Security ...

Slides: 37
Provided by: corp64
Transcript and Presenter's Notes

Title: Confidential Data


1
Confidential Data
Upgrade from 8.x to 9.0
2
Speaker
  • Michael Stutz - Consultant
  • 22 years of IT industry experience
  • 15 years of PeopleSoft experience
  • PeopleSoft v.2.11 to v.9.0
  • Mostly Technical but some Functional
  • Primary HRMS / Payroll / Benefits
  • Recently Campus Solutions
  • . . . also some CRM and Financials
  • Numerous International Banks
  • Very Large Corporations
  • Very Small Companies

3
Agenda
  • Who: Whose data is it anyway?
  • What: Elements of Concern
  • Why: Driving Factors
  • How: Protection in Action
  • Where: Environments
  • When: When Not to!
  • Tools: Secure, Separate, Scramble
  • Questions & Answers

4
WHO Has Information
  • Applications
    • HRMS / Payroll / Benefits
    • Campus Solutions (Student Admin / Financials / Aid)
    • Financials (GL / AP / AR / etc.)
    • Customer Relationship Management (CRM)
  • Departments or Parts of the Organization
    • IT
    • Call Centers
    • Marketing
    • Sales and Sales Operations
    • HR / Payroll / Benefits
    • Legal
    • Finance and Accounting
    • Research and Development

5
WHO Needs Access
  • Management
    • Department Heads (Corporate)
    • Managers with Direct Reports (Line Managers)
  • Back Office
    • Human Resources / Payroll / Benefits
    • Accounting
    • Corporate Dashboards and Reporting
  • IT
    • Developers
    • Database Systems Administration
    • IT Management
  • Interfaces to Other Organizations

6
WHO Is Responsible
  • Management
    • Department Heads (Corporate)
    • Managers with Direct Reports (Line Managers)
  • Back Office
    • Human Resources / Payroll / Benefits
    • Accounting
    • Corporate Dashboards and Reporting
  • IT
    • Developers
    • Database Systems Administration
    • IT Management
  • Interfaces to Other Organizations
  • Keep Needs, Access, and Responsibility Synchronized

7
WHAT
  • Elements of Concern
    • Intellectual Property
    • Business Confidential Information
    • Customer and Consumer Data
    • Employee Data
  • Motion
    • At Rest
    • In Transit within Organisation
    • In Transit on the WWW

8
WHAT
  • Intellectual Property
  • Business Confidential
    • Business Strategy
    • Project Costing
    • Marketing Plans
    • Budgets and Forecasts

9
WHAT
  • Customer & Consumer
    • Key Accounts
    • Contact Information
    • Product or Service Issues
    • Contracts

10
WHAT
  • Employee Data
    • Social Security Numbers
    • Dates of Birth
    • Pay Information
    • Health Care Information
    • Dependants & Dependant Information
    • Company Structure & Internal Contacts

11
WHY
  • Risks Internal to Organization
    • Employee Negligence
    • Malicious Employees
    • Business Processes
  • Risks External to Organization
    • Hackers / Theft (Laptops, USB Drives, etc.)
    • Competition
    • Sarbanes Oxley / Basel I & Basel II

12
WHY
  • Costs
    • Confidentiality & Legal Issues
    • Loss of Competitive Edge
    • Employee Compensation Issues
  • Sarbanes Oxley
    • Responsibility of Corporations
  • Basel I & Basel II
    • Responsibility of Banks
  • Risk Management

13
WRITE THIS DOWN . . .
  • www.wikipedia.org

14
WHY (SOX)
  • Risk Assessment
  • Control Environment
    • Culture based on Awareness & Integrity
    • Keeping Balance: What is our Business?
  • Control Activities
  • Monitoring / Auditing
  • Information and Communication

15
Half Way There!
16
HOW
(steps)
  • Create the Culture
  • Define Data Types
  • Identify Who is Responsible and Accountable
  • Reduce Access
  • Maintain Controls
  • Maintain Culture
  • Test

17
HOW - Create the Culture
  • Addressed at All Levels of Organization (Vertical)
  • Addressed across Corporation (Horizontal)
  • Support of Upper Management (Top Down)
  • Keep the Balance (Mind Your Business!)
  • Cost / Benefit / RISK
  • Money in your Mattress?
  • Day-trading Penny Stocks?

18
HOW - Define Data Types
  • What is Confidential Data?
  • How do I Classify my Data?

19
HOW - Responsible & Accountable
  • Identify those Responsible
  • Identify those Accountable
  • Identify those who need access
  • Designate Authority Accordingly
  • Ensure Responsibility, Accountability, and Authority are properly balanced and applied.

20
HOW - Reduce Access
  • Reduction of Access
  • Departmental Segregation
  • Within IT
  • Balanced against Cost
  • Balanced against Effectiveness
  • Balanced against Trust

21
HOW - Maintain Controls
  • Access to Data
    • Application Security
    • Database Security
    • Network Security
  • Where is my Data?
    • Laptops
    • PDAs
    • eMail
    • Internal / External

22
HOW - Maintain Culture
  • Security Awareness
    • Across The Organization
    • Vertically within Organization
  • KEEPING THE BALANCE!

23
HOW - Test
  • Audit
  • Ask!
  • White Hat
  • Trigger Monitoring Tools
  • Triage Scenarios
  • MIND YOUR BUSINESS

24
WHERE
(diagram slide)
25
WHERE
(diagram: MODS)
26
WHERE
(diagram: DATA)
27
WHERE
(diagram: DATA, METADATA)
28
WHERE
(diagram: FOUNDATION, GENERAL DATA, CONFIDENTIAL)
  • Data Scrambler
  • Mockup Data

29
WHEN
  • Review the Who . . .
    • Database Administrators
    • System & Network Administrators
    • Developers
    • Management
    • Back Office

30
WHEN
  • Database Administrators
    • Have Access. Period.
  • System & Network Administrators
    • No Application Access
    • Any and All Reports
  • Developers
    • Negotiable!
  • Management: Application Security
  • Back Office: Application Security

31
WHEN - Developers
  • Cost / Benefit / Risk
  • How Many Developers
  • Organization of Developers
  • Production Support
  • Modifications & Testing
  • Database Access

32
WHEN - Developers
(diagram: DATA)
33
Tools (types)
  • Secure
    • Database
    • Application
  • Separate
    • Applications (HR & Financials)
    • Roles (Centralized vs Normalized)
    • Environments (TST, DEV, TRN)
  • Scramble
    • Select Environments
    • On the Fly
34
TOOLS - Separate
  • Identify Data Types
    • SSN
    • DOB
    • Compensation
    • Department (Name & EMPLID Scrambled)
  • Identify Records (Boeing / Princeton)
    • EMPLID
    • Compensation
    • Paycheck (Not keyed by EMPLID)

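The Scramble tool type above and the data-type / record checklist on this slide, as an added example that is not part of the deck: scrambling SSN, DOB, compensation and EMPLID for a TST/DEV/TRN copy, with a keyed deterministic EMPLID mapping so that a paycheck table, which carries EMPLID only as a non-key column, still joins after the scramble. The table layouts, the secret and all rows are constructed for illustration, not PeopleSoft's own.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample rows: an HR table keyed by EMPLID and a paycheck table in which
# EMPLID is only a non-key reference column (assumed layouts, not PeopleSoft's own).
PERSONAL = [
    {"EMPLID": "000123", "SSN": "123456789", "DOB": date(1980, 5, 14), "DEPT": "Payroll"},
    {"EMPLID": "000456", "SSN": "876543210", "DOB": date(1975, 11, 2), "DEPT": "Legal"},
]
PAYCHECK = [
    {"COMPANY": "ACM", "PAY_END_DT": date(2008, 1, 31), "LINE_NUM": 1, "EMPLID": "000123", "NET_PAY": 3210.55},
    {"COMPANY": "ACM", "PAY_END_DT": date(2008, 1, 31), "LINE_NUM": 2, "EMPLID": "000456", "NET_PAY": 4875.10},
]
SECRET = b"constructed-scramble-key"  # hypothetical; held by the DBA, never shipped with the copy


def _keyed_int(value, key=SECRET):
    """Keyed hash of a string as an integer: same input, same output, no table of originals."""
    return int(hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest(), 16)


def scramble_emplid(emplid):
    # One function for every table, so keyed and non-keyed references stay consistent.
    width = len(emplid) - 1
    return "9" + str(_keyed_int("EMPLID:" + emplid) % 10 ** width).zfill(width)


def scramble_ssn(ssn):
    # Keep the 9-digit shape; a leading 9 is an area number the SSA does not issue.
    return "9" + str(_keyed_int("SSN:" + ssn) % 10 ** 8).zfill(8)


def scramble_dob(dob):
    # Shift by a keyed offset of up to a year either way so ages remain plausible.
    return dob + timedelta(days=_keyed_int("DOB:" + dob.isoformat()) % 731 - 365)


def scramble_pay(amount):
    return float(round(amount / 500.0) * 500)  # band compensation so rows stop being unique


def scramble_environment(personal, paycheck):
    """Return scrambled copies of both tables; EMPLID remains joinable across them."""
    new_personal = [dict(r, EMPLID=scramble_emplid(r["EMPLID"]), SSN=scramble_ssn(r["SSN"]),
                         DOB=scramble_dob(r["DOB"])) for r in personal]
    new_paycheck = [dict(r, EMPLID=scramble_emplid(r["EMPLID"]), NET_PAY=scramble_pay(r["NET_PAY"]))
                    for r in paycheck]
    return new_personal, new_paycheck


def verify_scrambled(orig_personal, new_personal, new_paycheck):
    """Release check: no original SSN or EMPLID survives, and every paycheck still joins."""
    leaked = {r["SSN"] for r in orig_personal} | {r["EMPLID"] for r in orig_personal}
    if any(r["SSN"] in leaked or r["EMPLID"] in leaked for r in new_personal):
        return False
    return all(r["EMPLID"] in {p["EMPLID"] for p in new_personal} for r in new_paycheck)
```

Run `verify_scrambled` against the original and scrambled tables before the copy leaves the DBA's hands; a paycheck row whose EMPLID no longer resolves is exactly the "not keyed by EMPLID" case the slide warns about.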
35
WRITE THESE DOWN . . .
  • www.heres2u.com (Presentation & Resume)
  • www.sennac.com (RBAC & FURBAC) (Johan Bethlehem)

36
Questions
  • Contact Information
    • Michael Stutz
    • (888) 757-2616
    • http://heres2u.com