Protegrity advice on combating the top 10 issues of protecting data.

Protegrity : 13 August, 2007  (Technical Article)
Dr David Taylor, Vice President of data security strategies at Protegrity provides guidelines on overcoming the main problems associated with data protection.
Here's an image to keep in mind when it comes to how enterprises protect their sensitive customer, employee and operations data: Filing cabinets partially submerged in the middle of a toxic waste dump. That's one way to depict the risk associated with all the databases, applications and files throughout your organisation that contain personally identifiable information about customers or employees.

The purpose of this article is to identify problems that I see most often in my work and to suggest some actions that I have found effective for reducing the impact of these problems on the enterprise.

Problem #1 - Not knowing who uses what sensitive data. Many organisations have done some kind of "inventory" of sensitive data. A follow-on project is to conduct a series of interviews to develop a Sensitive Data Utilisation Map. One of the values of this project is that it shows which data is no longer needed, and which data is redundant or obsolete. Another project is to build a series of data flow diagrams that cross departments. These diagrams should be vetted by all the parties involved, and this process will itself yield new awareness of both the value and the risk to sensitive data.

Problem #2 - Redundant regulations yield redundant compliance projects. PCI projects tend to focus only on protecting credit card data, while Sarbanes-Oxley is about accounting records. To reduce redundant compliance efforts, a useful project is to develop a Regulatory Compliance Grid - which shows which databases and which files contain data elements covered by the various regulations. The goal is to identify and minimise redundant regulatory compliance projects and to broaden the scope of any single project so that it covers several regulations at once.

Problem #3 - Not protecting sensitive data appropriate to its value. It is important that business managers have a sense of what sensitive data is worth to the organisation, so they can correctly evaluate and fund different levels of protection. "Data Asset Valuation" is a very worthwhile ROI-type of activity. The goal is to correlate a variety of criteria, including regulatory compliance mandate, application utilisation, access frequency, update cost and competitive vulnerability to arrive at both a value for the data and a ratio for determining justifiable protection costs.

Problem #4 - Cleaning up your "Toxic Data Dump." The cheapest way to reduce the risk of retaining sensitive customer data is to purge the electronic and paper data from all systems and files. Simply deleting files with infrequently accessed, highly sensitive data won't work, as that would violate multiple data retention regulations and annoy a lot of marketing executives. A better project is to analyse the specific data retention and protection regulations that govern each of the sensitive data elements that need protecting, working in conjunction with legal and the data archivist who will usually know the relevant regulations.

Problem #5 - Outsourcing sensitive data handling is like a "black hole." Most enterprises have relatively simple language in their contracts with service providers that requires them to protect their customers' sensitive data. Even when contracts contain a provision for on-site inspection of the procedures used to protect data, this is virtually never done. A more reasonable project is to define a browser-based "Service Provider Security Assessment" tool that can be used to gather data on procedures, and to inventory and rate the various data protection technologies, policies and procedures actually employed by the service provider.

Problem #6 - Annual security awareness programs don't cut it. It's time to show employees and contractors that your enterprise is serious about security. A simple activity is to pilot a "Data Protection Testing Program". The goal is to shift the focus from simple "awareness" of security to testing a set of sensitive data handling policies and procedures to be sure they are being followed. This can be supplemented by informal interviews with a sample of employees and contractors who handle sensitive data.

Problem #7 - Risk Assessments tend to underestimate the risk to sensitive data. The kind of simplistic "yes/no" questions that are part of the generic ISO 17799 and PCI requirements focus on whether a particular technology, policy or control is in place, and not how "effective" these controls can be against careless or malicious insiders or outsiders. A simple project is to implement Data Protection Effectiveness metrics. The focus of the metrics should be on understanding how employees "get around" existing controls and revising policies that are not effective because they are based on a level of trust of employees or contractors that is inappropriate.

Problem #8 - Not being sure what is "reasonable" protection for different types of data. Since the legal test of security technology is relative to industry benchmarks, one simple action is to implement a "Data Protection Benchmarking Study" to help determine whether enterprise data protection technologies, policies and procedures are "reasonable" relative to peer organisations. Using a third party may be preferable, in the event that the enterprise has to defend its data protection practices in court, should there be a breach.

Problem #9 - Retaining sensitive customer data offers more risk than reward. Sensitive customer data is often widely dispersed throughout enterprises and may add little value to marketing and sales decisions. Customer Data Integration (CDI) software and services help enterprises gain more value from customer data. Unfortunately, CDI offerings focus little on protecting this customer data. A valuable project is "Secure CDI", which can be jointly managed by the security and marketing teams and focused on reducing the risk to customer data before, during and after the integration process.

Problem #10 - Protecting data is often a series of reactions and not a strategy. Despite claims that protecting data assets is strategic to an enterprise, I often find that the scope of data protection projects is either regulation-specific or department-specific. A very useful project is to begin developing an enterprise-wide data protection strategy. The goal of the project is not to produce a report, but to build awareness and executive support for the treatment of sensitive data assets with technologies, policies and procedures that match the regulations, the utilisation, and the potential loss if the data assets were to be compromised.

   © 2012 ProSecurityZone.com