The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy and procedure based approach to manage information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle

The 5 Steps

1. Creation – How does data creation get managed?
2. Usage – What limitations are on data usage?
3. Storage – What controls are in place for storage?
4. Transportation – How is data transmitted between company, customers and business partners?
5. Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

• Weak processes in place to track creation usage, transportation, storage and destruction
• Weak ability to monitor and manage a customer record throughout the lifecycle
• Inconsistent processes across each phase of data movement
• Lack of enforcement capabilities

What should be the goal of data lifecycle management?

• Provide practical steps to manage each step of the customer record management process
• Provide cost effective solution for risk mitigation
• Provide framework for data management
• Reduce risk of data loss

Challenges to Customer Data Records Management

• Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
• Organizations rely on technology to secure data not processes that drive technology purchases
• The 5 steps of data management are not followed by all functional groups in a company
• No clear ownership and classification of customer data elements

Did you know…

• 1 in 400 emails contains confidential information
• 1 in 50 network files contains confidential data
• 4 out of 5 companies have lost confidential data when a laptop was lost
• 1 in 2 USB drives contains confidential information
• Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
• Over 35 states have enacted security breach notification laws
• Can openers were invented 48 years after cans

Related articles by Zemanta

• Infosec 2010: A quarter of all firms have seen data integrity attacks (computing.co.uk)

Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.”  The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!”  Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

1. Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
3. Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

 *Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

 *FREE Website Security Test 

Related articles by Zemanta

• Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
• Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
• Microsoft investigates new Internet Explorer flaw (news.cnet.com)
• Google readies Flash for Android devices (infoworld.com)
• IBM: Vulnerabilities fell in ’09, but other risks abound (computerworld.com)
• Update: Adobe issues emergency PDF patches (computerworld.com)
• Serious web vuln found in 8 million Flash files (theregister.co.uk)
• Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

1. No framework for managing vendor risk
2. Inconsistent processes for tracking vendors
3. Lack of enforcement capabilities

The Opportunity:

1. Provide practical steps to manage vendor access/management
2. Provide cost effective solution for risk mitigation
3. Provide numerical risk analysis of vendor/partner security issues
4. Risk reduction or risk acceptance
5. Documented exposure
6. Iterative process for risk management
7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

1. Analyze current vendor database, catageorize each
2. determine risk of each supplier, determine threats posed by each supplier
3. Perform assessment tests of each supplier, their processes of interaction, and data access
4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test