The document discusses data privacy essentials including data discovery, subject access requests, privacy by design, breach detection and response. It emphasizes implementing least privilege access and ongoing governance of access rights to comply with privacy regulations.

Data Privacy Essentials

Adam Rosen, VP of Product Strategy, Netwrix

PLATFORM INFORMATION & QUICK TIPS

• Download the presentation deck from the MATERIALS window.

• Platform Windows can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Use the HELP icon at the bottom for FAQs and system requirements.

• Experiencing technical difficulties? Try REFRESHING your browser!

CPE CREDIT PROCESS
LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time
(50 minutes). Check the CPE Credit window to view the timer.

• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS
tab on the MyISACA page after completing the required viewing time.

• Please be patient. This process could take up to 48 hours for your CPE Certificate
and the CPE credit to be applied to your account.

• As a reminder, ALL ISACA webinars, the CPE credits and CPE certificates expire
365 DAYS POST LIVE EVENT. Please make sure you save the appropriate
documents to your personal records.

TODAY’S SPEAKER

Adam Rosen
VP of Product Strategy
Netwrix

SENSITIVE DATA IS EVERYWHERE

Unstructured data: Windows file servers, NAS, SharePoint, Exchange, Microsoft 365, AWS S3, Box, Dropbox, Azure Storage, Endpoints

Structured data: SQL, Oracle, PostgreSQL, MySQL, Azure databases, AWS databases

Directory services: Active Directory, Azure AD
THINK LIKE AN ATTACKER

(Diagram: where data sits across CLOUD, ON-PREM and ENDPOINT locations: Data Center, Co-Location, Branch Office, VDI, Workstation, Laptop.)
PATH TO LEAST PRIVILEGE

01 DISCOVER: Discover where data lives to obtain a complete view of your data footprint.

02 COLLECT & ANALYZE: Collect & analyze relevant data points to answer critical data questions (e.g. sensitivity, access, ownership, age, etc.).

03 MONITOR: Monitor activity to understand user interactions with data.

04 RESTRUCTURE: Restructure access to achieve Least Privilege principles and position for effective governance.

05 GOVERN: Govern access ongoing to ensure security, compliance, and operational standards are met.
POLLING QUESTION

How often do you audit who has access to sensitive data across all systems?

• Weekly
• Monthly
• Quarterly
• Annually
• Never
DATA PRIVACY ESSENTIALS

Data Discovery
• “Identity-centric” discovery of subject profiles.
• Maintain an understanding of which records pertain to which data subjects.

Subject Access Requests
• Report on-demand which records pertain to a specific data subject.
• Automate workflows for fulfilling Subject Access Requests.

Privacy by Design
• Implement least privilege model aligning with Privacy by Design and Default.
• Maintain record of who granted access and why.

Breach Detection & Response
• Multi-layered approach.
• Mitigate, prevent, detect, and respond to advanced threats.
• Orchestrated, automated response.
DATA PRIVACY WORKFLOW

(Architecture diagram. Components shown: Identity Connectors and an AnyID Connector feeding Subject Profiles and an Identity Index; a Scanner with an AnyDATA Connector covering unstructured and structured data; Privacy Services for Reporting, Remediation and Risk, supporting DSAR, Breach and Attestation.)
SUBJECT PROFILES

58% of companies surveyed stated that they could not respond to a DSAR within a month.¹

The most effective DSAR strategy is to know the answer before the question is asked.

¹ www.ciodive.com/news/58-of-companies-fail-to-meet-gdprs-data-request-deadlines/568416/
AUTOMATING PRIVACY BY DESIGN

PERMISSIONS: Understanding existing access rights helps to depict the extent to which access has been overprovisioned.

CONTENT: Understanding what type of content exists within each file and who has access to it helps in prioritizing risk.

ACTIVITY: Understanding activity helps in determining who needs access to the data (and at what level of permission) right now.
RESTRUCTURING ACCESS WITH RESOURCE-BASED GROUPS

Current State: open access, departmental share, single users, lots of options.

Ideal State: 3 groups, fixed permissions, no messing around.

Current State: direct entries of READ and READ/WRITE.

Ideal State: a READ group and a WRITE group; existing direct entries: Remove.
AUTOMATED OUTCOMES

1. Eliminate inadvertent granting or revoking of access
2. Align access with least privilege principles
3. Position resource for actionable governance workflows (Entitlement Reviews, Self-Service Access Requests, etc.)
ADDING ROLES

                    READ                            WRITE
Role                Exception            Role                      Exception
Sales Reps          Sales Managers       Chief Financial Officer
Marketing Admin     Sales Ops

REMEDIATING OPEN ACCESS

EVERYONE is replaced by a READ group and a WRITE group, each defined by a Role plus Exceptions.
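The resource-based group model on the last three slides (one READ group and one WRITE group per share, each filled from a role plus named exceptions, with EVERYONE removed) can be expressed in a few dozen lines. The following is an added example written for this page, not Netwrix code or any product API; the share, roles and users are constructed, and the rule that WRITE membership implies READ is an assumption.

```python
"""Resource-based access groups: one READ group and one WRITE group per share,
each populated from a role (a business group) plus named exceptions.

Added illustration, not Netwrix code. Share names, roles and users are
constructed; the rule that WRITE membership implies READ is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

# Well-known broad principals that make a share "open access"
OPEN_PRINCIPALS = {"EVERYONE", "ALL DOMAIN USERS", "ALL AUTHENTICATED USERS"}


@dataclass
class AccessGroup:
    """A resource-based group: members come from one role plus explicit exceptions."""
    name: str
    role: str                                     # e.g. "Sales Reps", resolved via a role directory
    exceptions: set = field(default_factory=set)  # named users outside the role

    def members(self, roles: dict) -> set:
        return set(roles.get(self.role, ())) | self.exceptions


@dataclass
class Share:
    name: str
    acl: dict                                     # principal -> "READ" | "READ/WRITE"
    read_group: Optional[AccessGroup] = None
    write_group: Optional[AccessGroup] = None


def has_open_access(share: Share) -> bool:
    """Current-state check: does any ACL entry name a broad principal?"""
    return any(p.upper() in OPEN_PRINCIPALS for p in share.acl)


def remediate_open_access(share: Share, read_role: str, write_role: str,
                          read_exceptions=(), write_exceptions=()) -> Share:
    """Ideal state: replace every direct entry with exactly two groups and fixed permissions."""
    share.read_group = AccessGroup(f"{share.name}-READ", read_role, set(read_exceptions))
    share.write_group = AccessGroup(f"{share.name}-WRITE", write_role, set(write_exceptions))
    share.acl = {share.read_group.name: "READ", share.write_group.name: "READ/WRITE"}
    return share


def effective_access(share: Share, user: str, roles: dict) -> str:
    """Resolve a user's permission through the two groups only (no direct entries remain)."""
    if share.write_group is not None and user in share.write_group.members(roles):
        return "READ/WRITE"                       # assumption: WRITE implies READ
    if share.read_group is not None and user in share.read_group.members(roles):
        return "READ"
    return "NONE"


# Constructed role directory (who belongs to which business role)
ROLES = {
    "Sales Reps": {"jerry", "elaine"},
    "Sales Managers": {"susan"},
}


def demo() -> dict:
    """Walk one share from the current state to the ideal state and resolve access."""
    share = Share("Sales", acl={"EVERYONE": "READ/WRITE", "jerry": "READ", "kramer": "READ/WRITE"})
    open_before = has_open_access(share)
    remediate_open_access(share, read_role="Sales Reps", write_role="Sales Managers",
                          read_exceptions={"kramer"}, write_exceptions={"cfo"})
    return {
        "open_before": open_before,
        "open_after": has_open_access(share),
        "acl": dict(share.acl),
        "access": {u: effective_access(share, u, ROLES)
                   for u in ("jerry", "susan", "kramer", "cfo", "george")},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the structure is the "fixed permissions, no messing around" slide: after remediation the ACL holds exactly two entries, so a later access change is always a group-membership change (role or exception), which is what an entitlement review can reason about.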
PRIORITIZING BASED ON RISK

- Access? = Everyone; Amount of Data? = 100 MB; Sensitive Data? = None
- Access? = All Domain Users; Amount of Data? = 1 TB; Sensitive Data? = 400 Files
- Access? = All Authenticated Users; Amount of Data? = 10 TB; Sensitive Data? = 15,000 Files
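The three signals from the AUTOMATING PRIVACY BY DESIGN slide (permissions, content, activity) and the three shares above can be turned into a review queue. The block below is an added example for this page, not Netwrix code; the scoring weights are assumptions, the inventory is constructed (three entries mirror the slide, a fourth closed share is added to show that open access is not the only driver), and the activity signal is modelled as a count of active users.

```python
"""Rank shares for review by combining the three signals from the slides:
permissions (who has access), content (how much data, how much is sensitive)
and activity (whether the access is actually used).

Added illustration, not Netwrix code. The scoring weights are assumptions,
and the four sample shares are constructed (three of them mirror the slide).
"""
import math
from dataclasses import dataclass

# Broad principals that make a share effectively open to the whole directory
OPEN_PRINCIPALS = {"everyone", "all domain users", "all authenticated users"}

MB_PER_TB = 1024 * 1024


@dataclass
class ShareInventory:
    name: str
    principals: list          # principals with any access
    size_mb: float
    sensitive_files: int      # files the content scanner classified as sensitive
    active_users_30d: int     # distinct users with activity in the last 30 days


def is_open(inv: ShareInventory) -> bool:
    return any(p.lower() in OPEN_PRINCIPALS for p in inv.principals)


def risk_score(inv: ShareInventory) -> float:
    """Higher means review first. Assumed weighting (not from the slides):
    sensitive files dominate, a log-scaled size term breaks ties between
    shares with no classified content, open access multiplies exposure, and
    open access that nobody uses is pure overprovisioning, so it scores higher
    still rather than lower."""
    content = inv.sensitive_files + math.log10(inv.size_mb + 1)
    exposure = 3.0 if is_open(inv) else 1.0
    unused = 1.5 if (is_open(inv) and inv.active_users_30d == 0) else 1.0
    return round(content * exposure * unused, 2)


def prioritize(inventory: list) -> list:
    """Return (share name, score, open?) tuples, highest risk first."""
    scored = [(inv.name, risk_score(inv), is_open(inv)) for inv in inventory]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed inventory: the three shares on the slide plus one closed share
SAMPLE_INVENTORY = [
    ShareInventory("Marketing", ["Everyone"], 100, 0, 12),
    ShareInventory("Sales", ["All Domain Users"], 1 * MB_PER_TB, 400, 40),
    ShareInventory("Archive", ["All Authenticated Users"], 10 * MB_PER_TB, 15_000, 0),
    ShareInventory("Finance", ["Finance-READ", "Finance-WRITE"], 2 * MB_PER_TB, 5_000, 9),
]


def ranked_names(inventory=SAMPLE_INVENTORY) -> list:
    return [name for name, _score, _open in prioritize(inventory)]


if __name__ == "__main__":
    for name, score, open_access in prioritize(SAMPLE_INVENTORY):
        print(f"{name:10s} score={score:>10.2f} open={open_access}")
```

With these weights the 10 TB share that is open to All Authenticated Users and shows no activity lands at the top, the closed Finance share with 5,000 sensitive files outranks the 1 TB open share with 400, and the 100 MB share with no sensitive content comes last even though Everyone can reach it.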
CALCULATING AND ASSIGNING OWNERSHIP

• Calculating Ownership
  • Document Metadata
  • Activity
  • User Attributes

• Assigning Ownership
  • Communication
  • Verification
  • Negotiation

NAME               RECOMMENDATION
Jerry Seinfeld     Responsible for 2% of all activity
Elaine Benes       Responsible for 5% of all activity
Cosmo Kramer       Responsible for 0% of all activity
George Costanza    Responsible for 85% of all activity
Susan Ross         Responsible for 1% of all activity
Ruthie Cohen       Responsible for 1% of all activity
Bubble Boy         Responsible for 6% of all activity
ONGOING GOVERNANCE AND ACCESS CERTIFICATION

Sales Share Review

Columns on the slide: NAME, DEPARTMENT, TITLE, READ, MODIFY, FULL CONTROL (current entitlement checkboxes), RECOMMENDATION.

NAME               DEPARTMENT       TITLE                          RECOMMENDATION
Jerry Seinfeld     Executive        CEO                            Read: User has only read activity
Elaine Benes       Sales            Director of Finance            Read: User has only read activity
Cosmo Kramer       Marketing        Marketing Admin                None: User has no activity
George Costanza    Administration   Administrative Assistant       None: User has no activity
Susan Ross         Sales            VP, Sales East                 None: User has no activity
Ruthie Cohen       Sales            Director, Sales Mid-Market     None: User has no activity
Bubble Boy         Sales            Pre-Sales Engineer             None: User has no activity
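Both the ownership recommendation (CALCULATING AND ASSIGNING OWNERSHIP) and the certification recommendation (this slide) are derived from the same activity feed, so one example covers both. The block below is added for this page and is not Netwrix code: the log lines are constructed to reproduce the percentages on the ownership slide, the entitlement table is constructed, and the third rule ("Modify when the user has write activity") extends the two rules the slide shows (Read for read-only activity, None for no activity) and is an assumption.

```python
"""Derive a data-owner recommendation and an access-certification
recommendation from one activity feed for a share.

Added illustration, not Netwrix code. The activity lines are constructed to
reproduce the percentages on the ownership slide; the certification rule
"Modify when the user has write activity" extends the two rules shown on the
slide (Read for read-only activity, None for no activity) and is an assumption.
"""
from collections import defaultdict

READ_OPS = {"READ"}
WRITE_OPS = {"WRITE", "DELETE", "RENAME"}


def constructed_log() -> list:
    """Synthesize 100 'timestamp user share operation' lines (constructed data)."""
    spec = [("george", "WRITE", 60), ("george", "READ", 25), ("bubble.boy", "READ", 6),
            ("elaine", "READ", 5), ("jerry", "READ", 2), ("susan", "READ", 1),
            ("ruthie", "READ", 1)]
    lines = []
    for user, op, n in spec:
        for i in range(n):
            lines.append(f"2022-03-{(i % 28) + 1:02d}T10:00:00 {user} Sales {op}")
    lines.append("malformed line that the parser must skip")
    return lines


def parse_log(lines) -> list:
    """Return (user, share, op) tuples, dropping malformed or unknown-operation lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, share, op = parts
        if op not in READ_OPS | WRITE_OPS:
            continue
        events.append((user, share, op))
    return events


def activity_by_user(events, share) -> dict:
    """Map user -> {'READ': n, 'WRITE': n} for one share (write-class ops count as WRITE)."""
    acts = defaultdict(lambda: {"READ": 0, "WRITE": 0})
    for user, s, op in events:
        if s == share:
            acts[user]["WRITE" if op in WRITE_OPS else "READ"] += 1
    return dict(acts)


def ownership_recommendation(events, share) -> tuple:
    """Percent of all activity per user, plus the recommended owner (the most active user)."""
    acts = activity_by_user(events, share)
    total = sum(a["READ"] + a["WRITE"] for a in acts.values())
    shares = ({u: round(100 * (a["READ"] + a["WRITE"]) / total) for u, a in acts.items()}
              if total else {})
    owner = max(shares, key=shares.get) if shares else None
    return owner, shares


def certify_access(events, share, granted) -> dict:
    """For every principal with a granted right, recommend the right the activity justifies."""
    acts = activity_by_user(events, share)
    out = {}
    for user in granted:
        a = acts.get(user)
        if a is None or (a["READ"] + a["WRITE"]) == 0:
            out[user] = "None: User has no activity"
        elif a["WRITE"] == 0:
            out[user] = "Read: User has only read activity"
        else:
            out[user] = "Modify: User has write activity"   # assumed extension of the slide's rules
    return out


# Constructed current entitlements on the Sales share
GRANTED = {"jerry": "Full Control", "elaine": "Modify", "kramer": "Read", "george": "Modify",
           "susan": "Modify", "ruthie": "Read", "bubble.boy": "Modify"}

if __name__ == "__main__":
    ev = parse_log(constructed_log())
    print(ownership_recommendation(ev, "Sales"))
    for user, rec in certify_access(ev, "Sales", GRANTED).items():
        print(f"{user:12s} granted={GRANTED[user]:13s} -> {rec}")
```

The ownership step only proposes a candidate (here the user behind 85% of activity); the Communication, Verification and Negotiation steps on the slide are still human. The certification step compares what was granted with what the activity justifies, which is the gap an entitlement review is meant to close.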
Questions?

THANK YOU FOR ATTENDING

This training content (“content”) is provided to you without warranty, “as is” and “with
all faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA
has designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls
that are not included may not be appropriate; ISACA does not claim that use of the
content will assure a successful outcome and you are responsible for applying
professional judgement to the specific circumstances presented to determine the
appropriate procedures, tests, or controls.
Copyright © 2022 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
