Here's an image to keep in mind when it comes to how enterprises protect their sensitive customer, employee and operations data: Filing cabinets partially submerged in the middle of a toxic waste dump.
That's one way to depict the risk associated with all the databases, applications and files throughout your organisation that contain personally identifiable information about customers or employees.
The purpose of this article is to identify problems that I see most often in my work and to suggest some actions that I have found effective for reducing the impact of these problems on the enterprise.
Problem #1 - Not knowing who uses what sensitive data
Many organisations have done some kind of inventory of sensitive data. A follow-on project is to conduct a series of interviews to develop a sensitive data utilisation map. One of the values of this project is that it shows which data is no longer needed, and which data is redundant or obsolete.
Another project is to build a series of data flow diagrams that cross departments. These diagrams should be vetted by all the parties involved, and this process will itself yield new awareness of both the value and the risk to sensitive data.
Problem #2 - Redundant regulations yield redundant compliance projects
PCI projects tend to focus only on protecting credit card data, while Sarbanes-Oxley is about accounting records.
To reduce redundant compliance efforts, a useful project is to develop a regulatory compliance grid - which shows which databases and which files contain data elements covered by the various regulations. The goal is to identify and minimise redundant regulatory compliance projects and to broaden the scope of any one.
Problem #3 - Not protecting sensitive data appropriate to its value
It is important that business managers have a sense of what sensitive data is worth to the organisation, so they can correctly evaluate and fund different levels of protection. Data asset valuation is a very worthwhile ROI-type of activity.
The goal is to correlate a variety of criteria, including regulatory compliance mandate, application utilisation, access frequency, update cost and competitive vulnerability to arrive at both a value for the data and a ratio for determining justifiable protection costs.
Problem #4 - Cleaning up your toxic data dump
The cheapest way to reduce the risk of retaining sensitive customer data is to purge the electronic and paper data from all systems and files. Simply deleting files with infrequently accessed, highly sensitive data won't work, as that would violate multiple data retention regulations and annoy a lot of marketing executives.
A better project is to analyse the specific data retention and protection regulations that govern each of the sensitive data elements that need protecting, working in conjunction with legal and the data archivist who will usually know the relevant regulations.
Problem #5 - Outsourcing sensitive data handling is like a black hole
Most enterprises have relatively simple language in their contracts with service providers that require them to protect their customer's sensitive data. Even when contracts contain a provision for on-site inspection of the procedures used to protect data, this is virtually never done.
A more reasonable project is to define a browser-based service provider security assessment tool that can be used to gather data on procedures and inventory and rate the various data protection technologies, policies and procedures actually employed by the service provider.
Problem #6 - Annual security awareness programs don't cut it
It's time to show employees and contractors that your enterprise is serious about security. A simple activity is to pilot a data protection testing program.
The goal is to shift the focus from simple awareness of security to testing a set of sensitive data handling policies and procedures to be sure if they are being followed. This can be supplemented by informal interviews with a sample of employees and contractors who handle sensitive data.
Problem #7 - Risk assessments tend to underestimate the risk to sensitive data
The kind of simplistic yes/no questions that are part of the generic ISO 17799 and PCI requirements focus on whether a particular technology, policy or control is in place, and not how effective these controls can be against careless or malicious insiders or outsiders.
A simple project is to implement data protection effectiveness metrics. The focus of the metrics should be on understanding how employees get around existing controls and revising policies that are not effective because they are based on a level of trust of employees or contractors that is inappropriate.
Problem #8 - Not being sure what is reasonable protection for different types of data
Since the legal test of security technology is relative to industry benchmarks, one simple action is to implement a data protection benchmarking study to help determine whether enterprise data protection technologies, policies and procedures are reasonable, relative to peer organisations.
Using a third party may be preferable, in the event that the enterprise has to defend its data protection practices in court, should there be a breach.
Problem #9 - Retaining sensitive customer data offers more risk than reward
Sensitive customer data is often widely dispersed throughout enterprises and may add little value to marketing and sales decisions. Customer data integration (CDI) software and services help enterprises gain more value from customer data.
Unfortunately, CDI offerings focus little on protecting this customer data. A valuable project is 'secure CDI' and can be jointly managed by the security and marketing teams, focused on reducing the risk to customer data before, during and after the integration process.
Problem #10 - Protecting data is often a series of reactions and not a strategy
Despite claims that protecting data assets is strategic to an enterprise, I often find that the scope of data protection projects is either regulation or department-specific. A very useful project is to begin developing an enterprise-wide data protection strategy.
The goal of the project is not to produce a report, but to build awareness and executive support for the treatment of sensitive data assets with technologies, policies and procedures that match with the regulations, the utilisation, and the potential loss if the data assets were to be compromised.
