[BreachExchange] Implementing a best practice approach to risk-based data protection

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 14 23:07:51 EST 2016


https://gcn.com/articles/2016/12/14/risk-based-data-protection.aspx

As government agencies create participatory, transparent and collaborative
environments for their employees and citizens, they are often responsible
for collecting, using, appropriately sharing and protecting data. These
central information repositories may become a treasure trove of sensitive
information, making them a potential target for cyberattacks.

Data without controls can create operational, privacy and security gaps
that could put an agency at risk. It can create unintended consequences and
increases the potential for inadvertent or unauthorized disclosure of
sensitive information. As agencies develop and implement their cloud and
infrastructure consolidation strategies, they face additional challenges in
balancing access to information with protecting information that should not
be available.

The explosion of data and the rising expectations about data
accessibility have introduced a more complex, evolving environment to
protect. More applications and transactions happen over the internet, the
cloud is completely changing notions of a digital perimeter, worker
mobility is redefining the IT landscape and shadow IT is quickly becoming
enterprise IT.

So what does this mean for the economics of a security program? How can
agencies protect everything against everyone? It is imperative that
compliance, governance and cyber assurance solutions for government data
repositories and collaboration systems are established and sustained. This
is the reality of the new cyber landscape:

*Protect the weaker targets.* While most organizations simply do not have
the budget to protect against cyberwarfare, they can protect against
attackers looking for weaker targets. Agencies can not only make it harder
for people to attack their systems, but they can also make it less
attractive to do so. Having proper protocols in place will likely ward off
attackers looking for an easy conquest.

*Security is about mitigating risk.* In the absence of metrics, we tend to
focus on risks that are familiar or recent. Unfortunately, that means that
we are often reactive rather than proactive when it’s most important to
understand how data, people and location weave together to create patterns
across an organization. Only by understanding the data can agencies create
effective protection.

*The right thing should be easy to do.* In the absence of a culture in
which everyone understands that data protection is a part of their job, end
users will make poor security choices. This means that systems must be easy
to use securely and difficult to use insecurely. Create policies, rules and
IT controls that make it easier for end users to do their jobs effectively
with the approved systems and controls. At the end of the day, employees
will do what they need to do to get their job done. Join them in making it
simple to use the appropriate tools.

*Protect data from insiders.* Many breaches come from an attacker who is
already inside. Whether intentional or not, insiders cause the greatest
threat to data protection programs. Fortunately, this threat can be
addressed by using a layered approach to data classification and ensuring
that policies, training and tools are being properly understood and
integrated into the day-to-day tasks of the workforce.

*Perfect security does not exist.* In order to have a holistic and
effective data privacy and security program, agencies must adopt a
risk-based approach to implementing their data protection program.

Traditionally, there has been a perception that privacy is where IT
projects go to die, and that security teams lead with “no.” Whether that
reputation is deserved or not, it’s important for security and privacy
officers as well as legal counsel to take the steps to bake privacy in as a
fundamental ingredient of their development lifecycles.

So how can this work operationally?

Chief information security officers and chief privacy officers must partner
with their IT and program managers to gain key executive sponsorship and
cooperation with their departments and agency programs. Privacy teams
cannot be in every meeting in which a new IT system, program or campaign is
being contemplated, but they can develop a framework that can be used by IT
departments to incorporate privacy best practices within their programs, IT
systems and across the organization.

A standardized and repeatable process for the IT department and the program
managers allows for advice, guidance and review at every step of the
process. Consider using automated tools that allow colleagues to request a
risk, security and privacy impact assessment of systems they are planning,
so everyone has a reasonable estimate and timeline. Involvement from
security and privacy teams early on will save developers or program
managers from having to make last-minute changes.

Security by design builds controls into the system as part of the initial
specification so that when a program is ready to roll off the assembly
line, stakeholders can have full confidence in its data protection elements.