1. 1© Copyright 2012 Axis Technology, LLC
Sensitive Data Assessment
Information Security

2. Sensitive Data Assessment - About
Regulatory Control functions, such as Operational Risk, Compliance and Audit, increasingly raise
questions around the scope, management, and identification of sensitive data within distributed
and mainframe application environments.
• Processes and tools used to Identify Sensitive Data need to provide clearly auditable results.
• Discovery of Sensitive Data needs to occur across the entire environment including
distributed systems.
mainframe and
• The results of the data assessment need to be actionable.
• Assessment of Controls Maturity for the Entitlement Process of these systems.
2© Copyright 2012 Axis Technology, LLC
Sensitive Data Includes:
Customer data Employee Data
Name, Phone number, e-mail, address, SSN, Birth date, Credit
card #, bank account #, Internal sequence key…
Employee or Corporate ID, Salary, Benefits, HR status, Family
data, Manager information, Cost Center data…

3. Sensitive Data Assessment - Approach
Axis leverage the data profiler component of DMsuite to create a secure online sensitive
data inventory which shows you exactly what data you need to mask.
•
•
•
Utilize our proprietary Top down/Bottom up approach
Proven Data Analysis Tools
DMsuite TM
– Unmatched Data Profiling Capabilities across multiple Data Base Types
• Populate an inventory of sensitive data including:
–
–
–
–
–
–
–
Where data is stored
Categorizing risk associated with the sensitive data
Why each piece of data is being collected
How the data flows when it is received into the environment
Identify any variations in security when data flows from system to system
Categorize each sensitive data element by type of risk
Population of a repository to enable personnel to easily refer to and maintain this information
• Develop a road-map for securing sensitive data in the environment
3© Copyright 2012 Axis Technology, LLC

4. Sensitive Data Assessment - Expertise
DMsuiteTM Profiler•
– Unmatched Data Profiling Capabilities across databases, mainframe copybooks, to identify the location of sensitive or
non-public data.
Profiler can reduce work up to 80% associated with manual search of sensitive data in databases and mainframe files
Ability to identify sensitive data using metadata such as database column names
Ability to search through data itself using data pattern matching for sensitive data such as names, addresses, social
security. Especially useful for notes and descriptions fields.
Out of box ability to identify sensitive data for ERP software such as Oracle E-Business Suit, Lawson, SAP etc.
Pre-packaged search solutions for the following verticals: Financial, Healthcare, and Retail
Pre-packaged search solution for HIPAA & PCI Compliance
Profiler has a fast search ability where we can search through sensitive data in a Peoplesoft database with 37,000
tables under 90 minutes.
Profiler data profiling can also search through every row in a database to identify the location of the sensitive data
based on patter matching.
–
–
–
–
–
–
–
–
• RAIDTM
– Maintains a complete detailed analysis of your current data architecture including:
•
•
•
•
•
•
Report producers and consumers
Serves as a Report/Query Catalog
Identifies each data source and Lineage
Documents report data sources
Documents how data is accessed
Becomes the data dictionary for reports and central repository for audit and compliance
4© Copyright 2012 Axis Technology, LLC

5. DMsuite Profiler: Type of Data Searched
DMsuiteTM Profiler
– Out-of-the box ability to search for fields for the following information.
– Profiler user can also create their own search algorithm using the product.
5© Copyright 2012 Axis Technology, LLC
Type I
PII - Public identifier of a customer or employee
Or Risk of direct misuse
Type II
Company - Internal identifier of a customer or
employee
Type III
Inference - Information other than Type I or Type
II that may disclose the identity of an individual
through inference
Risk = High: information is publicly available to
identify an individual or misuse the data directly
Risk = Medium: information is not publicly
available but may be known to employees and
contractors
Risk = Varies : Inference risk must be analyzed on a
case-by-case basis, documented, and raised to
security stakeholders
 Name
 Phone number, e-mail
 Address
• Street address, Zip+4
• Care of…, Attn: ...
 SSN or other national identifier
 Birth date and other dates
 Credit card #, bank account #
 Comment fields
 Customer ID
 Account#
 Internal sequence key
 Employee or Corporate ID
 Salary, Benefits
 HR status
(termination, personnel issues)
 Family data
 Manager information
 Cost Center data
 Vendor Data
 Security Identifiers
• CUSIP, ISIN, SEDOL
 Other Identifiers
• NAV, type of Security
• Name, Number, Symbol
 Activity
• Account balances,
transactions, trade date
 Financials
• Price, quantity,
legal fees, vendor payments
 Assets/holdings
 Trade dates

6. Sensitive Data Assessment - Drivers
DMsuite™ profiler addresses the need to secure sensitive data in the following situations:
–
–
–
In-house Application development for development, testing and integration work.
Offshore - masked data provides the same level of quality as production and is safe.
Third Party Vendors - If a vendor application breaks, 90% of problems can be reproduced and fixed using
masked data, eliminating the risk of exposure to third parties.
Analytics uses data from different systems to provide insight about the health of your business. Why are
the analysts receiving patient address information if they are looking at clinical trial results?
–
• JAPAN: Apr 2005 – Personal Information Protection Lawsimilar to Senate Bill No 1386 – State of California
6© Copyright 2012 Axis Technology, LLC
Any Businesses Falling Under
 HIPAA - Healthcare and Pharmaceutical are required to secure  Sarbanes-Oxley Act (2002)
Patient Health Information  Multi-nationals - face requirements including:
 MA MGL93H - Companies with customers in Massachusetts • CANADA: Jan 2005 – Personal Information Protection and
 State privacy laws - All companies must follow their own Electronic Documents Act
 Gramm-Leach-Bliley Financial Services Modernization Act • FRANCE: Oct 2005 – Computing and Liberties Act
(1999)

7. www.axistechnologyllc.com
70 Federal Street
Boston, MA 02110
(857) 445-0110
7© Copyright 2012 Axis Technology, LLC