This will be the final entry in our current CISO Survival series. And we’re taking a step back. We’ve talked about the role of the CISO in protecting an organization’s sensitive data. We’ve also discussed how a CISO can lead the charge to identify where data resides and how to best assess the associated risks.
However, we have (somewhat) put the cart before the horse. A key step in any data risk assessment is initially defining what information your organization will classify as “sensitive.”
In its broadest context, sensitive information is defined as data that should be protected against intentional or unintentional disclosure outside of legitimate business processes. Protection of such data may be required for compliance or regulatory reasons. Or it may be driven by the need to safeguard the personal privacy of customers, employees or partners. Or it could be in the interest of protecting proprietary information.
Some examples of sensitive data and the scope of protection required are:
- Protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA).
- Credit card data as defined by the Payment Card Industry (PCI) Data Security Standard.
- Student education records as defined by the Family Educational Rights and Privacy Act (FERPA).
- Customer data as defined by the Gramm Leach Bliley Act (GLBA).
- Personal information as typically outlined in state-specific data privacy and identity theft regulations.
- Confidential data that is usually covered in state-specific public records regulations.
An effective first step to an organization’s data risk analysis strategy is to first define the types of data you are dealing with. Do you support direct deposit capabilities for your employees? Do you maintain individual health information in any systems? Do you manage credit card information?
You have to then prioritize that data into buckets defined by the level of risk and liability associated with the exposure and/or loss of that data. A typical risk and liability bucket breakdown might look like this:
Typically, the most sensitive classification – this bucket will include:
- Financial records
- Health records
- Credit card data
- Social security numbers
- Student records
A step below Confidential in terms of risk and liability, but reasonable efforts should still be taken to secure data in this bucket.
- Personal contact data (non-student related)
- Trade secrets
- Company generated user identifiers
- Publicly accessible financial data
- Publicly accessible company contact data
These are guidelines to assist an organization in efforts to define what constitutes sensitive data in their business environment. Every company is different, so be sure to fully understand the nature of the information flowing in and out and being stored before focusing on how to classify it.
Please contact us to learn how Appsian can help in assessing the risk associated with your ERP data. This exercise is especially critical for legacy ERP systems, where years of use can lead to a myriad of data being stored.