Heartbleed — The “Data Map” Lesson — Intro

The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot.   To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the “To Learn More” section at the end of this post.    Note, though, that one key lesson is much more of a common-sense, communication and organizational one.  Most every organization could readily beef up its information-security by creating and then maintaining an up-to-date chart or “ data map” of the who/what/when/why/where of its electronically stored information (ESI).


  Where’s Your Organization’s Data?

In the 1960’s, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?”   In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI).  No matter its shape or size, many a company diffuses its information-management and information-security among various people, systems and locations.   So, generating a chart listing every key vat inside and outside the company’s physical and virtual walls is a must.

A simple spreadsheet is better than nothing and also better than having a disparate set of protocols/lists.   There should be a row for each key repository, e.g., each:

  • Database
  • Website
  • Cloud environment

And the columns (some of which would entail YES/NO) could include:

  • System Name
  • Content Type
  • In-House or Cloud
  • Owner Name (point of contact)
  • Owner Contact Info.
  • Encrypted at Rest
  • Encrypted in Transit
  • Retention/Deletion Rule(s)
  • Back-up Schedules
  • DR/BC Status (Disaster-Recovery/Business-Continuity)

For Cloud-stored data, additional columns could be:

  • Segregation from Others’ Data
  • Notice-of-Breach Duty Shifted

Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data.  Several categories of information thus warrant special in-the-trenches attention once their locations have been idenitfied:

  • Personally identiable information (PII)
  • Protected health information (PHI)
  • Payment card industry information (PCI)

Now, it’s time to begin charting . . . and to start mapping . . .


  

To Learn More

 

Some resources as to ESI data-mapping:

—  Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)

—  Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me :) ]

—  Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)

                                        And even more as to “Heartbleed”:

—  Codenomicon, The Heartbleed Bug (last visited 5/6/14)

—  Qualys, SSL Server Test (last visited 5/6/14)

—  Valsorda, Heartbleed test (last visited 5/6/14)

—  Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)

—  Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)

—  Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)

—  Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)

—  Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)

—  Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)

—  Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)

—  Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)

—  Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)

—  Timson, Who is Robin Seggelmann and did his Heartbleed break the internet?  Sidney Morning Herald (4/11/14)