Gordon Rapkin, president and CEO of Protegrity, has come across every conceivable data security issue. Here he has highlighted the most common ones, along with some advice on resolving the problems.
1. – Not knowing who uses what data and where it is.
You can't secure data without knowing in detail how it moves through your organisation's network.
Begin by doing a thorough inventory of sensitive data (see fig 1). Then develop a “Sensitive Data Utilisation Map” documenting your findings. Also consider building a series of diagrams to show where and how data moves through the system. All the parties involved should check these diagrams, and this process will itself raise awareness of both the value and the risk to sensitive data.
2. – Treating all data equally
Business managers need to classify data according to its sensitivity and its worth to the organisation so they can correctly evaluate and fund different levels of protection. “Data Asset Valuation” is a very worthwhile ROI-type of activity.
The goal is to correlate a variety of criteria, including regulatory compliance mandate, application utilisation, access frequency, update cost and competitive vulnerability to arrive at both a value for the data and a ratio for determining justifiable security costs.
3. – Focusing solely on regulatory compliance concerns
Virtually all government and industry privacy and security regulations boil down to the most basic best practices of data security. So being able to pass a regulatory audit does not automatically ensure effective security.
Instead of trying to protect your organisation's data assets by solely striving to meet individual regulatory requirements, focus on complying with security-centred processes, policies and people, reinforced by security solutions such as automated policy enforcement, encryption, role-based access and system auditing. In other words, do the right things instead of just the required things.
4. – Keeping what you don't need
You can reduce the risk of retaining sensitive customer data by removing the electronic and paper data from all systems and files. However, just deleting files with infrequently accessed, highly sensitive data won’t work - it would violate multiple data retention regulations, not to mention annoying your marketing department. A better way is to look at the specific data retention and protection regulations governing each of the sensitive data elements that need protecting, working in conjunction with the legal department and the data librarian, who will usually know the relevant regulations.
5. – Security triage
We have to move beyond dealing with the crisis of the moment and focus on securing data holistically and consistently. And while it may be difficult to free up the time and the budget to institute a comprehensive data security plan, ultimately a unified approach will be far more effective than the fragmented practices present at too many companies, increasing security and saving both time and money.
Data-driven security cannot be an occasional event sparked by a crisis; it needs to be an integral part of the organisation's daily routine.
6. – Outsourcing responsibility
Virtually all data protection and privacy regulations state that firms can’t share the risk of compliance, which means that if your outsourcing partner fails to protect your company's data, your company is at fault and is liable for any associated penalties or legal actions that might arise from the exposure of that data.
Laws concerning data privacy and security vary internationally. To lessen the chance of sensitive data being exposed deliberately or by mistake, you must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.
7. – Putting too much faith in risk assessments
The simplistic Yes/No questions that are part of the generic ISO 17799 and PCI requirements focus on whether a particular technology, policy or control is in place, and not how effective these controls can be against careless or malicious insiders or outsiders.
Risk assessments tend to look at one item at a time, and do not offer a holistic view of the system. Each component may look secure, but risk may still occur at the interface points or the points of inconsistency across systems. Think holistically to secure a system, considering the flow of data through the entire system rather than testing individual points.
8. – Settling for less than real security
Knowing what enterprise data protection technologies, policies and procedures are “reasonable” relative to peer organisations is useful information, but don't allow others' actions to determine your security plan and goals. Model your policies and processes after the best practices of the most secure organisations in your industry, rather than those used by the common denominator. Strive for excellence.
9. – Fragmented processes and policies
Despite claims that protecting data assets is strategic to an enterprise, the scope of data protection projects is all too often either regulation or department-specific.
Look at developing an enterprise-wide data protection strategy instead. The goal of the project is not to produce a report, but to build awareness and executive support for the treatment of sensitive data assets with technologies, policies and procedures that match with the regulations, the utilisation and the potential loss if the data assets were to be compromised.
10. – Retaining sensitive data without balancing risks against rewards
Retaining sensitive data can be very valuable for analytic, marketing and relationship purposes. The rewards can be very high, provided you can properly secure the data and reduce the risks of storing it.
Make sure that your organisation's risk reward ratio is balanced toward reward and the data is being used in a way that brings real benefits to your organisation. And if securely storing data is costing more than its value to your organisation, it's time to refine your data retention policy.
About the author:
Gordon Rapkin is President and CEO of Protegrity with more than 20 years of wide-ranging experience as an executive in the software industry. Prior to joining Protegrity, Gordon held executive positions at Transcentive, Inc., Decisionism Inc. and at Hyperion Software (now Hyperion Solutions, Inc.). Gordon holds a degree in biochemistry from Syracuse University, as well as an MBA and a law degree, both from Emory University.
Protegrity is exhibiting at Infosecurity Europe 2008, Europe’s number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd – 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk