In our previous post, we talked about the role of the CISO and how the rapidly evolving, connected economy is creating challenges around the cataloging and security of sensitive data within an organization. We also discussed the perils of being a CISO and not knowing where that sensitive data resides – much less how it’s secured.
And it is key to remember, that in companies where a CISO role is not in place, you can probably substitute CIO or CTO when thinking about those responsibilities.
So how does a CISO get a handle on where sensitive data resides in their organization? And how do they take those first steps in assuring that the data is secured?
Identifying where sensitive data exists may sound like a simple task, but anyone in IT will tell you, it’s not. Applications are complex and always changing. Storage systems are even more complex and prone to being orphaned and forgotten about. Sensitive data can exist in multiple production environments and is often replicated for lower testing and development environments. It is also frequently archived and sent to the land of misfit zip files.
To make the task even more daunting, the identification of sensitive data is a continuous job. If you identify your data today, that’s great! But it will change in a month, a week or even a day. New applications are implemented. New data comes in. New test and development environments are created.
One approach that many companies take, is to utilize tools to figure out how data moves from system to system and where the storage silos are.
This allows for the discovery of where sensitive data is originating and where it is being sent or replicated. If sensitive data ends up being stored outside of fully secured databases, a company needs to be able to track how it got there.
And while there are many tools that excel at doing automated data discovery across an enterprise, some companies choose to go the manual approach – using pen, paper and spreadsheets. After all, it’s their company and their data, shouldn’t they be able to figure out where the data is?
It’s a step in the right direction, but picture an auditor or investigator coming in and asking for an inventory of your sensitive data. Pulling out a spreadsheet that may be weeks or months out of date is not going to go over well.
Data discovery tools are typically designed by companies that focus on data security and tailor their solutions to perform comprehensive examinations of a company’s data infrastructure.
So, you have a tool in place that produces reports on where your sensitive data lives. What now?
Now you have to assess the risks associated with the access, management and storage of data deemed “sensitive.” Data security can longer be viewed as an IT problem. It is a business problem that affects multiple departments and the company’s financial stability. And that risk has to be owned by someone. In today’s regulatory driven environment, it typically rolls up to, you guessed it… the CISO.
A good next step in assessing data risk is to have a Privacy Impact Assessment.
A Privacy Impact Assessment is structured to identify data security issues and, as all sensitive data is not created equal, typically provides a data classification matrix with risks associated with the tiered levels of sensitive data. For example, exposed bank account numbers are typically a higher tier of risk than a vendor identification number.
A comprehensive Privacy Impact Assessment will provide:
- The movement patterns of sensitive data between departments and data storage mechanisms.
- The amount of sensitive data the company processes and stores.
- The physical and virtual locations of that data.
- The number and roles of users that have access to the data
- A liability cost estimate associated with the exposure of that data.
The Privacy Impact Assessment should provide the data needed to construct a phased plan to address the identified risks. Don’t try to boil the ocean. Typically a company will move to address the areas of highest liability first, ensuring that comprehensive controls are put in place before moving down the risk priority list.
Please contact us to learn how Appsian can be a key component in helping to address data risk.