数据安全与测试数据管理方案

数据安全与测试数据管理方案技术沙龙51Testing第68届软件测试沙龙上海站议程议程议程议程数据安全管理的大趋势和重要性好的工具和方法是成功的基石成功经验分享数据安全为什么重要????•高效的应用交付•基础构架配置最佳化•IT员工效率•供应商价格合理化•全球采购成本管理IT正面临更多基于业务的挑战•需求管理•符合监管•数据漂白条件•IT安全规定条件•内部和外部审计业务结合•IT交付业务价值•灵活的上市时间•以服务为导向的交付•经验值的质量•管理层可视性竞争优势•服务管理•质量管理•资源配置最佳化•流程应用−ITIL,CMMi,六西格玛服务提升业务需求时间今天业务价值效率一个数据违反(DataBreach)案例花费多少？Ponemon研究所估计每个违反安全的案例平均花费$4.5M–研究覆盖了31个公司–平均违反有26,000条记录–导致全部损失大约为$148M•每个记录全部平均花费为$182(比2005上涨30%)–直接增量成本=每笔记录$54或每个公司1.4–间接生产费用=每笔记录$30或每个公司800K–客户机会成本=每笔记录$98或每个公司$2.6PonemonInstitute2006AnnualStudy:CostofaDataBreach7©2010CompuwareCorporation—AllRightsReservedDirectDirectDirectDirectLostLostLostLostCustomerCustomerCustomerCustomerIncrementalIncrementalIncrementalIncrementalProductivityProductivityProductivityProductivityOpportunityOpportunityOpportunityOpportunityTotalTotalTotalTotalCostCostCostCostCostCostCostCostCostCostCostCostDetection&EscalationDetection&EscalationDetection&EscalationDetection&EscalationInternalinvestigationInternalinvestigationInternalinvestigationInternalinvestigation$1.38$1.38$1.38$1.38$4.10$4.10$4.10$4.10----$5.48$5.48$5.48$5.48Legal,audit,&consultingLegal,audit,&consultingLegal,audit,&consultingLegal,audit,&consulting4.384.384.384.381.411.411.411.41----5.805.805.805.80$5.76$5.76$5.76$5.76$5.51$5.51$5.51$5.51$11.28$11.28$11.28$11.28InitialNotificationInitialNotificationInitialNotificationInitialNotificationLettersLettersLettersLetters$5.30$5.30$5.30$5.30$1.11$1.11$1.11$1.11----$6.41$6.41$6.41$6.41EmailsEmailsEmailsEmails0.340.340.340.340.530.530.530.53----0.860.860.860.86TelephoneTelephoneTelephoneTelephone7.307.307.307.3010.4710.4710.4710.47----17.7617.7617.7617.76PublishedmediaPublishedmediaPublishedmediaPublishedmedia0.030.030.030.03--------0.030.030.030.03WebsiteWebsiteWebsiteWebsite0.060.060.060.060.060.060.060.060.120.120.120.12$13.03$13.03$13.03$13.03$12.16$12.16$12.16$12.16----$25.19$25.19$25.19$25.19Post-NotificationPost-NotificationPost-NotificationPost-NotificationMailMailMailMail$0.13$0.13$0.13$0.13$0.10$0.10$0.10$0.10----$0.23$0.23$0.23$0.23EmailsEmailsEmailsEmails0.150.150.150.150.860.860.860.86----1.001.001.001.00Tel.tointernalcallcenter1.88Tel.tointernalcallcenter1.88Tel.tointernalcallcenter1.88Tel.tointernalcallcenter1.883.283.283.283.28----5.165.165.165.16Tel.tooutsourcedcallcenter1.40Tel.tooutsourcedcallcenter1.40Tel.tooutsourcedcallcenter1.40Tel.tooutsourcedcallcenter1.404.624.624.624.62----6.036.036.036.03LegaldefenseservicesLegaldefenseservicesLegaldefenseservicesLegaldefenseservices5.515.515.515.511.121.121.121.12----6.636.636.636.63Criminalinvestigations(forensics)1.38Criminalinvestigations(forensics)1.38Criminalinvestigations(forensics)1.38Criminalinvestigations(forensics)1.381.101.101.101.10----2.482.482.482.48PublicorinvestorrelationsPublicorinvestorrelationsPublicorinvestorrelationsPublicorinvestorrelations1.161.161.161.160.890.890.890.89----2.052.052.052.05FreeordiscountedserviceFreeordiscountedserviceFreeordiscountedserviceFreeordiscountedservice23.8023.8023.8023.80--------23.8023.8023.8023.80$35.42$35.42$35.42$35.42$11.97$11.97$11.97$11.97----$47.39$47.39$47.39$47.39BrandImpactBrandImpactBrandImpactBrandImpactCostofturnoverCostofturnoverCostofturnoverCostofturnover--------$93.62$93.62$93.62$93.62$93.62$93.62$93.62$93.62Costoffewernewcustomers-Costoffewernewcustomers-Costoffewernewcustomers-Costoffewernewcustomers-----4.704.704.704.704.704.704.704.70$98.32$98.32$98.32$98.32$98.32$98.32$98.32$98.32TotalcostofdatabreachTotalcostofdatabreachTotalcostofdatabreachTotalcostofdatabreach$54.22$54.22$54.22$54.22$29.64$29.64$29.64$29.64$98.32$98.32$98.32$98.32$182.17$182.17$182.17$182.17Post-EventITSpendingPost-EventITSpendingPost-EventITSpendingPost-EventITSpending$6.85$6.85$6.85$6.85--------$6.85$6.85$6.85$6.85违规恢复费用8全世界都在面对数据漂白问题•政府监管…………–美国金融现代化法案（Gramm-Leach-BlileyActGramm-Leach-BlileyActGramm-Leach-BlileyActGramm-Leach-BlileyAct）,,,,萨宾斯----奥克斯利法案（Sarbanes-OxleyActSarbanes-OxleyActSarbanes-OxleyActSarbanes-OxleyAct）–欧盟个人信息保护,1998,1998,1998,1998–义务型可携带式健康保险法案(HIPAA)(HIPAA)(HIPAA)(HIPAA)–澳大利亚2000200020002000隐私修正法案–日本个人信息保护法–加拿大个人资讯保护与电子文件法案(PIPEDA)(PIPEDA)(PIPEDA)(PIPEDA)•迫使内部审计人员对数据保护进行控制和采取措施，尤其针对境外使用////外包情况。•风险暴露可导致巨大的损失–企业的尴尬，诉讼，负面报道，罚款，客户流失，等第3部分:维护易受攻击的管理程序–要求#6:发展和维持安全系统及其应用•6.3在工业实践基础上发展软件应用并包括整个软件开发期的信息安全。包括以下:支付卡行业(PCI)数据安全标准要求6.3.4:生产数据(livePANs)不用于测试或开发。保护客人信息安全控制的一般标准所有存储或处理信用卡的成员，商人和服务提供者都要遵守这些数据保护标准。1010101010ITITITIT安全管理的演化RestrictInternalAccessRestrictInternalAccessRestrictInternalAccessRestrictInternalAccessRestrictExternalAccessRestrictExternalAccessRestrictExternalAccessRestrictExternalAccessMonitorTrustedUsersMonitorTrustedUsersMonitorTrustedUsersMonitorTrustedUsersTechnologiesTechnologiesTechnologiesTechnologiesIT/BusinessIT/BusinessIT/BusinessIT/BusinessIssuesIssuesIssuesIssuesPCsPCsPCsPCsWebEnablementWebEnablementWebEnablementWebEnablementInternetInternetInternetInternetCICSCICSCICSCICSIMSIMSIMSIMSDB2DB2DB2DB2RACFRACFRACFRACFTopSecretTopSecretTopSecretTopSecretE-mailE-mailE-mailE-mailInstantMessagingInstantMessagingInstantM