Today, we’re going to try and tackle the million dollar question of how to protect your organization’s sensitive data. Keep in mind, this isn’t going to be a single, magical answer. There is no silver bullet when it comes to security, but when it comes to tackling a broad topic like this, we’ll try and give you a place to start. If you’re asking yourself, “Gee, how do I protect my company’s sensitive information,” there’s a good chance you may not even know what that information consists of, where it is, or what the business impact would be if it was disclosed in a breach. Let’s start with the basics.
Data is an asset to your company. And sensitive data is probably one the most important assets to your company. So in order to protect it, you’ve got to know what you have and where it lives in your environment. This may sound extremely straightforward, but it is a non-trivial exercise to identify the sensitive data stored in your environment and all the business processes that touch that data, resulting in an inflow or outflow of sensitive information. This has got to be your starting point to successfully run an information security program and truly understand (and mitigate) some of your organization’s risks.
This may be something you want to outsource, as it can be incredibly time consuming and resource intensive to not only dig out all of this information from different departments, but also to document it in an understandable data register that can be maintained. We’ve helped large organizations do just that in the past, helping to find and document sensitive data flows and storage locations. In the process, a number of unnecessary or risky flows of data were also uncovered, allowing some of these potential vulnerabilities to be fixed in the process.
But if this is something you want to take on yourself, you can consider this process:
- Understand the Environment – This may sound silly, it’s your own IT environment, of course you know it well. But really what we mean by this is get your hands on updated network diagrams or your traditional asset inventory so you can match this with presumed data storage. Make sure you know who holds the contracts for third-parties in your organization (a lot of data may flow in and out of those third-parties). Get a sense of what executive leadership considers to be sensitive data and how sensitive that data is for them, so you know what to look for.
- Conduct Interviews – This can be a very interview heavy process. You want to meet with members across the organization, across all departments, that understand the business processes they partake in on a day-to-day basis. Following these processes will be where you find sensitive data (both ingress/egress/ and final resting location).
- Research/Confirm Interview Results – A lot of the information you get during interviews may be incomplete, anecdotal, or plain wrong. It’ll be your job to determine what you’ve got and finalize your reporting results. This could be as easy as asking someone to show you these data storage locations or asking IT to walk-through logging into each system and database that you’ve got noted. It’s crucial to weed out the incorrect information you receive before moving on in the process.
- Document – This is critical, because this will be what drives future efforts surrounding security controls applied to this data, based on its classification. Usually, this documentation set will consist of a full data inventory, complete with storage locations, data owners, ingress/egress, etc. as well as data flow diagrams showing how sensitive data is entering and leaving the organization.
Now that you know what you’ve got and where it lives, how well does it need to be protected? Well rather than guess, a data classification policy is usually a good place to start. This is a high-level document built on input from the business (a.k.a. executive leadership), covering everything from what types of data are allowed to be stored, where they’re allowed to be stored, how critical each type of data is to the business, and then based on that criticality, what security controls must be applied. This will also lead into the retention policy for that data, which may or may not be a separate policy entirely.
Besides business input, this is where you’ll also need to brush up on your regulatory requirements that your business is bound to follow. Things like PCI DSS, HIPAA, SOX, and NIST each have their own sets of standards with which they want you to protect their type of data. Working all this into a policy first will allow you to balance security best practice, regulatory compliance, and strategic business direction when trying to protect sensitive data in your company.
Now that you’ve got something that resembles a data inventory and a general understanding of how that data is classified, you’ve actually got to go about protecting it! Those tasks of inventorying data and creating a classification policy are no small feat, and each could take you months to actually roll out. But in the long run, they will save you resources when it comes to security.
How are they going to save me resources? Glad you asked. If you know specifically what you need to secure and how well it needs to be secured, you can make much more focused decisions on security that allow you to maximize benefit for less money and less time to manage said security controls. Rather than treating everything like Fort Knox, you can apply the expensive, management-intensive controls to just what assets need them, keeping the rest of your operations streamlined. One example might be multi-factor authentication. While it’s a good idea to use everywhere, that may not be feasible currently. So rolling it out to just your users that have access to sensitive data and your administrators could save you thousands.
If all your proverbial eggs are in a centralized data warehouse, maybe taking some extra time and effort to ensure only users with a valid need-to-know have access makes a lot more sense than doing a full account scrub across the organization. Ultimately, getting an inventory of your data and then classifying that data simply allows you to make more informed decisions about your security. We’ll cover some places to start protecting your company’s sensitive information from a technical security control perspective in a later blog. Check out Part 2 here.