[BreachExchange] Incident response and establishing the hierarchy of data

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 6 10:10:36 EDT 2016


http://www.continuitycentral.com/index.php/news/technology/1149-incident-response-and-establishing-the-hierarchy-of-data

With one corporate data breach after another hitting the news, and a
growing awareness that no organization is immune to attacks, cyber
security has increasingly become a matter of strategic importance. With
implementation of the EU Data Protection Regulation on the horizon,
organizations have an added impetus to ensure that all personally
identifiable information (PII) is secured and protected, and that adequate
safeguards are in place against its loss or theft. Faced with the prospect
of hefty fines for data breaches (up to 4 percent of a company's global
annual turnover) and with breach notification requirements, organizations
need to get their house in order when it comes to the processes and
technology governing the way that data is stored and managed.

However, there is a wider issue at play when it comes to building
adequate security protections for data. Not all data is 'created equal':
within every organization there is a hierarchy of data, and that hierarchy
determines not only the risk associated with losing each kind of data, but
also the appropriate response to put into action should an incident occur.
Aligning the response to the different data sets involved, be it
intellectual property, medical records, credit card information, personnel
records or payroll detail, is key. It lays the foundations for a more
pragmatic, proportionate and efficient response, saving valuable time in
the aftermath of a breach and ensuring that priorities are set according
to the sensitivity profile of the affected data.

Taking stock of data

Incident response cannot be based on a one-size-fits-all approach. Incidents
come in all shapes and sizes, ranging from relatively minor breaches with
minimal impact on an organization's sensitive data assets to those
involving millions of compromised or lost records and the negative
publicity that follows.

The loss of thousands of customer records requires a different response
from the loss of a new product design or marketing plan. Whilst a blueprint
or new product launch information is valuable in the hands of a competitor,
it does not have the same 'street' value as records containing personal
information. A risk assessment needs a nuanced approach that accounts for
these differences.

Here I outline the key steps that will help organizations not only
understand the value of their data, but also build a more tailored
response plan:

Understand your data

- Conduct a thorough audit of your IT estate to ensure that you have the
full picture of where sensitive data is located, including both internal
and external IT services.
- Understand the location of this data. One of the big challenges of
fast-changing and hybrid corporate IT environments is that data is more
fluid than ever, so you need to understand not only where data is stored
but also how it moves through the organization. More data is held across
more locations, and on more endpoint devices, than ever before. Ensure
that adequate safeguards are in place to restrict the movement of sensitive
data within and beyond the organization.
- Identify the high-worth data. What counts as high-worth varies with a
number of factors, from the organization's size and sector to its
regulatory obligations. The assessment should also take into account the
cost of downtime and of replacing or recovering the data, the financial
impact of reputational damage and, for public companies, the effect on the
organization's share price, credit rating and regulatory burden.

Inform and educate

- Once you have mapped the hierarchy of your data, make sure that all
relevant teams have been included in the process so that no surprises are
uncovered further down the line. Involve teams across departments so that
the information security team knows where the most valuable data and
documents are and can apply the appropriate security controls.
- Staff also need to be part of this process.  From my experience in
working with organizations, I’ve found that showing staff that data has a
monetary value associated with it - just like any other physical asset -
has had a significant impact on their perception of its importance.
Reinforcing its commercial value also helps them to understand that
security is not just policy for policy’s sake.

Tailor the response plan

- Once you have a profile of where the most significant risks are, crisis
management plans can then be tailored accordingly, so that proportionate
measures are in place to cover different scenarios. Protecting sensitive
data involves a chain of decisions that impact different departments across
an organization from IT to legal, PR and HR. With a well-documented and
tailored plan, individuals across the organization will know the correct
processes and their responsibilities, according to different incident types.
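As an added illustration (not from the article or its author), the following script models the data hierarchy the three steps above describe: each constructed data asset is scored on the factors listed (records held, number of locations it has spread to, recovery cost, regulatory exposure), the score sets a proportionate response tier, and the data category decides which departments the plan must involve. All weights, thresholds, department mappings and sample assets are assumptions chosen for illustration.

```python
"""Data-hierarchy scoring and response-tier mapping (added example, not the
article's own method; all weights and thresholds are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class DataAsset:
    name: str
    category: str            # "pii", "payment", "medical", "payroll" or "ip"
    records: int             # number of records held
    locations: int           # distinct internal + external stores holding it
    replacement_cost: float  # assumed cost to recreate or recover (USD)
    regulated: bool          # personal data subject to breach-notification rules

# Assumed 'street' value per record: personal/payment data outvalues a
# blueprint per record, while IP carries its worth in replacement_cost.
VALUE_PER_RECORD = {"payment": 10.0, "medical": 8.0, "pii": 5.0,
                    "payroll": 5.0, "ip": 1.0}
# Departments drawn into the response beyond IT, by data category (assumed).
TEAMS_BY_CATEGORY = {"pii": ["Legal", "PR", "HR"], "payment": ["Legal", "PR"],
                     "medical": ["Legal", "PR"], "payroll": ["Legal", "HR"],
                     "ip": ["Legal"]}

def exposure_score(a: DataAsset) -> float:
    """Record value plus recovery cost, amplified by sprawl across locations
    (10% per extra store) and by regulatory consequences (x1.5)."""
    base = a.records * VALUE_PER_RECORD.get(a.category, 1.0) + a.replacement_cost
    sprawl = 1.0 + 0.1 * max(a.locations - 1, 0)
    return base * sprawl * (1.5 if a.regulated else 1.0)

def response_tier(a: DataAsset) -> Dict:
    """Map an asset to a tier, the teams its playbook must involve, and
    whether regulator notification is in scope (always for regulated data)."""
    score = exposure_score(a)
    tier = "critical" if score >= 200_000 else "major" if score >= 20_000 else "minor"
    return {"asset": a.name, "score": round(score, 2), "tier": tier,
            "teams": ["IT"] + TEAMS_BY_CATEGORY.get(a.category, []),
            "notify_regulator": a.regulated}

def prioritise(assets: List[DataAsset]) -> List[Dict]:
    """Order assets so the response plan covers the highest exposure first."""
    return sorted((response_tier(a) for a in assets),
                  key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (not real data).
SAMPLE = [
    DataAsset("customer_db", "pii", 50_000, 3, 20_000.0, True),
    DataAsset("product_blueprint", "ip", 1, 1, 250_000.0, False),
    DataAsset("marketing_plan", "ip", 1, 2, 30_000.0, False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Note that the blueprint and the customer database land in the same tier but get different playbooks and only the latter triggers notification, which is the proportionality the article argues for.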