[BreachExchange] Five Critical Questions You Need to Ask About Your Sensitive Data

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 30 14:09:08 EDT 2018


http://www.dataversity.net/five-critical-questions-need-ask-sensitive-data/

Data privacy regulations, interconnectivity (virtual machines, Cloud, IoT,
BYOD), and cyber threats are changing the global digital landscape. With
this transformation comes inherent risk, and adapting to a data-centric
mindset can reduce compliance risk and mitigate damage in the event of a
cyberattack.

When evaluating your organization’s Data Strategy, it’s important to ask
five critical questions: What data is considered sensitive? Where is it?
Who has access to it (and should they)? When is data being transferred?
And how is it managed?

Answering these basic questions is increasingly difficult due to the
exponential growth of electronic data, shadow IT, data sprawl, and other
digital challenges. Nevertheless, this inquiry is the indispensable
starting point to gain the necessary insight into sensitive data to manage
security and regulatory risk. Sensitive Data Management is not only the
cornerstone to mitigating risks, but a means to demonstrate business
priorities, corporate ethics, and competitive differentiation. But before
crafting any Data Management Strategy, it is critical to first ask and
answer the following five questions.

1. What Counts as Sensitive Data?

Most U.S. employees understand that any work they produce during employment
belongs to their employer; by contrast, in the EU all work product belongs
to the employee. The difference in how we view data ownership across
geographies is but one reason the definition of sensitive data may be
different for each organization.

Retail firms may be most concerned about customer financial data, while
pharmaceutical companies may prioritize the protection of trade secrets and
intellectual property. Law firms, on the other hand, may consider client
data and privileged information of utmost importance.

To properly secure high-risk, high-worth data, risk management solutions
need to allow the flexibility to create custom definitions for sensitive
data and then be able to discover, categorize, and control it throughout
the enterprise.

2. Where is Data Located (and for what purpose and for how long)?

In the past, security teams worked to manage data that was often stored in
siloed geographic locations. Today, virtualization and Multi-Cloud hybrid
environments mean security teams must deal with a multi-dimensional
landscape with an increasingly large amount of data in “borderless” data
stores. Not only do information security teams need to completely map
sensitive data across private networks, cloud repositories, and third-party
applications like Office 365, but new regulations also require them to
define the business rationale for any data stored or archived longer than
necessary.

Mapping the data landscape also helps organizations focus their security
efforts around their most sensitive and business-critical data. In the
unfortunate event of a security breach, these organizations will have a
better sense of what information was actually impacted; knowing this will
also guide potential breach notification requirements.

After data is successfully mapped, organizations will likely realize the
vast extent of their data sprawl and the risks that entails. Security teams
can, however, mitigate some of these risks with proper training. Human
error is often to blame for propagating sensitive information: data left
in hidden rows of an Excel spreadsheet, in the speaker notes of a
PowerPoint deck, or buried deep in a long email thread. Companies can
reduce accidental distribution by scanning the enterprise for sensitive
data in exactly such places, and then proactively removing it from
unauthorised locations.
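The two points above, custom definitions of sensitive data (question 1) and
discovery of data hiding in places users never look, can be put together in a
small scanner. The following is an added example, not code from the article or
from any product it mentions. It uses only the Python standard library: an
.xlsx file is a zip archive of XML parts, so hidden rows can be found by
reading the worksheet XML directly. The rule set, the workbook and the email
thread are all constructed here for illustration, and the card number is the
well-known 4111... test value.

```python
"""Find sensitive data, including data sitting in hidden spreadsheet rows."""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XML_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


@dataclass(frozen=True)
class Finding:
    location: str   # e.g. "sheet1.xml!B2" or "thread.txt:4"
    category: str   # name of the custom definition that matched
    sample: str     # matched text, masked so the report does not leak it
    hidden: bool    # True when the text was in a hidden worksheet row


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# "Custom definitions of sensitive data": a name, a pattern and a validator
# that cuts false positives. Each organization extends this list itself.
RULES = [
    ("payment_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda s: True),
]


def mask(s: str) -> str:
    """Keep only the last four characters of a matched value."""
    return "*" * max(0, len(s) - 4) + s[-4:]


def scan_text(text: str, location: str, hidden: bool = False) -> list[Finding]:
    """Apply every rule to one piece of text."""
    out = []
    for name, rx, valid in RULES:
        for m in rx.finditer(text):
            if valid(m.group(0)):
                out.append(Finding(location, name, mask(m.group(0)), hidden))
    return out


def scan_xlsx(data: bytes) -> list[Finding]:
    """Walk every worksheet part; note whether each match sat in a hidden row."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.startswith("xl/worksheets/sheet"):
                continue
            root = ET.fromstring(zf.read(part))
            for row in root.iterfind(".//m:sheetData/m:row", XML_NS):
                hidden = row.get("hidden") == "1"   # Excel's hidden-row flag
                for cell in row.iterfind("m:c", XML_NS):
                    text = "".join(t.text or "" for t in cell.iterfind(".//m:t", XML_NS))
                    loc = f"{part.rsplit('/', 1)[-1]}!{cell.get('r')}"
                    findings.extend(scan_text(text, loc, hidden))
    return findings


def scan_thread(text: str, name: str = "thread.txt") -> list[Finding]:
    """Scan an email thread line by line so the report points at the line."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_text(line, f"{name}:{n}"))
    return out


def build_sample_xlsx() -> bytes:
    """Constructed workbook: row 2 is hidden and carries a card number."""
    sheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Customer</t></is></c>'
        '<c r="B1" t="inlineStr"><is><t>Contact</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>A. Example</t></is></c>'
        '<c r="B2" t="inlineStr"><is><t>card 4111 1111 1111 1111</t></is></c></row>'
        '<row r="3"><c r="A3" t="inlineStr"><is><t>B. Example</t></is></c>'
        '<c r="B3" t="inlineStr"><is><t>b.example@example.com</t></is></c></row>'
        '</sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not parsed
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


# Constructed email thread: the SSN is a placeholder buried in quoted history.
SAMPLE_THREAD = """\
From: ops@example.com
Subject: Re: Re: Re: onboarding

> > > please find the details below
> > > SSN 123-45-6789 (temporary)
thanks, handled.
"""

if __name__ == "__main__":
    for f in scan_xlsx(build_sample_xlsx()) + scan_thread(SAMPLE_THREAD):
        print(f"{f.location:18} {f.category:13} {f.sample:24} hidden={f.hidden}")
```

The validator step matters in practice: a bare digit regex fires on order
numbers and phone numbers, and a scanner that cries wolf gets switched off.
The `hidden` flag is what turns a hit into a "proactively remove it" action,
because a value in a hidden row is by definition one nobody is reviewing.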

3. Who has Access to Sensitive Data?

Once the questions of ‘what constitutes sensitive data?’ and ‘where is it
stored?’ are answered, access rights should be assigned based on roles and
responsibilities within relevant departments or business functions.
Unauthorised access to customer PII, for example, is a major source of
risk, yet organizations are often shocked by who has access to this type of
information. A good first step is to involve HR to educate employees about
the importance of proper data handling; understanding the value of data
reinforces that it is an asset that needs to be protected, just like
physical property.

While employee training is imperative to ensuring sensitive data stays with
authorized personnel, technical controls will further support proper data
hygiene. In today’s perimeter-free world, organizations must assume that
hidden threats are already lurking within their networks. Under that
assumption, access to sensitive information should be validated on every
request by an access model that enforces strict, explicit controls.
Usernames and passwords can be easily stolen and are no longer effective
against advanced cybercriminals. Multi-factor authentication, identity and
access management (IAM) tools, and ‘least privilege’ frameworks are
necessary to ensure only the right people have access to the right data.
Users should be required to prove their identity and access rights with
each and every request, not once at login.
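The controls named in this section (role-based grants, least privilege, MFA
for sensitive data, and validation on every request rather than once at
login) fit in a few dozen lines of policy logic. What follows is an added
example written for this page, not code from the article or from any IAM
product; the roles, classification levels, MFA age limit and users are
assumptions chosen for illustration. It also includes the access review that
answers the section's opening question, "who has access?", from the same
grant table the enforcement uses, so the two cannot drift apart.

```python
"""Deny-by-default, per-request access decisions plus an access review."""
from __future__ import annotations

from dataclasses import dataclass

# Classification levels; higher is more sensitive. Constructed for this example.
PUBLIC, INTERNAL, CONFIDENTIAL, PII = 0, 1, 2, 3

# Least privilege: each role gets only the classification ceiling and the
# actions its function needs. Anything not listed here is denied.
ROLE_GRANTS = {
    "marketing":   {"ceiling": INTERNAL,     "actions": {"read"}},
    "support":     {"ceiling": PII,          "actions": {"read"}},
    "billing":     {"ceiling": PII,          "actions": {"read", "export"}},
    "engineering": {"ceiling": CONFIDENTIAL, "actions": {"read", "write"}},
}
MFA_REQUIRED_FROM = CONFIDENTIAL   # classes at or above this need recent MFA
MFA_MAX_AGE_S = 15 * 60            # assumed freshness window for the MFA proof


@dataclass
class Session:
    user: str
    roles: set[str]
    mfa_at: float | None = None    # epoch seconds of the last MFA, None if never
    revoked: bool = False          # set by the IAM system; checked on every request


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int


def role_permits(role: str, classification: int, action: str) -> bool:
    """A single role's grant covers this action at this classification."""
    g = ROLE_GRANTS.get(role)
    return g is not None and action in g["actions"] and classification <= g["ceiling"]


def decide(session: Session, resource: Resource, action: str, now: float) -> tuple[bool, str]:
    """Evaluate one request. Every check is repeated per request: a session
    that was fine at login is denied as soon as it is revoked or its MFA ages out."""
    if session.revoked:
        return False, "session revoked"
    if not any(role_permits(r, resource.classification, action) for r in session.roles):
        return False, "no role grants this action at this classification"
    if resource.classification >= MFA_REQUIRED_FROM:
        if session.mfa_at is None:
            return False, "mfa required"
        if now - session.mfa_at > MFA_MAX_AGE_S:
            return False, "mfa stale; re-authenticate"
    return True, "allowed"


def who_can_reach(classification: int, action: str, users: dict[str, set[str]]) -> set[str]:
    """Access review: every user whose roles reach this classification.
    Run against the real role assignments, this is the list that surprises people."""
    return {u for u, roles in users.items()
            if any(role_permits(r, classification, action) for r in roles)}


if __name__ == "__main__":
    now = 1_700_000_000.0
    customers = Resource("customers.csv", PII)
    dana = Session("dana", {"support"}, mfa_at=now - 60)
    print(decide(dana, customers, "read", now))     # allowed
    print(decide(dana, customers, "export", now))   # denied: support cannot export
    directory = {"dana": {"support"}, "eve": {"marketing"},
                 "sam": {"billing", "engineering"}}
    print(sorted(who_can_reach(PII, "read", directory)))
```

Two design points worth noting: the decision function returns a reason string
so that denials can be logged and reviewed, and the review function reuses
`role_permits` instead of reimplementing the rule, so an audit of "who has
access" reflects exactly what the enforcement point would allow.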

4. When is Data Being Transferred?

This is perhaps the most important question for maintaining compliance.
Organizations need to understand when sensitive data is transferred to data
processors, partners, vendors, legal counsel, or others outside the
organization. And multi-national organizations subject to the General Data
Protection Regulation (GDPR) must also track how EU data subjects’ personal
information is processed and handled outside the European Economic Area
(EEA). It’s important to note that the rules follow the data; under these
regulations, data cannot be transferred unless appropriate protections are
in place. Even simply viewing a file from outside the EEA is considered a
transfer of that data. The challenge is to systematically collect, cull,
and review data in-country under local rules unless specific derogations
exist.

Cross-border data transfer issues will likely remain a top priority for the
foreseeable future. Organizations should start the process of designing
and implementing a privacy-compliant cross-border data transfer strategy
now, as this can potentially become a lengthy and drawn-out process.

5. And Finally, How is Data Managed?

Understanding the answers to the previous questions allows an organization
to begin building a data-centric privacy strategy and management process.
To do this effectively requires an up-front investment in thought, energy,
and yes, budget. In 2017, the Ponemon Institute found that the global
average cost of a data breach was $3.6M and rising, even excluding
regulatory, legal, and reputational costs. Risk can never be fully
eliminated, but with a data-centric approach, the surface area of digital
risk can be reduced.

Protecting data and ensuring compliance with new regulations like the GDPR
is about asking simple, but inherently challenging, questions. Trust is
something businesses work hard to establish with customers every day and,
once lost, it is exceedingly difficult to regain. Proactive data management
policies, combined with the right technologies, make it much easier to
comply with new regulations and sustain that trust.