NIST Privacy Framework : Our Essential Data Protection Guide


Ten Steps to an Effective Data Protection Program

What is a data protection program?

Data protection involves securing sensitive data so organizations can use it for business purposes without compromising consumer privacy. Thus, a data protection program is the multi-step process of implementing those security measures.

An effective data protection program minimizes your sensitive data footprint and helps keep business-critical and regulated data secure and out of the hands of attackers. If the worst does happen, a data protection program can help reduce the impact of a breach by securely restoring affected data. Here are ten steps for building an effective data protection program.

1. Define sensitive data

Sensitive data is any data that, if lost, stolen, or exposed, could financially hurt your organization, cause reputational damage, or harm the data owner. The first step in creating a data protection program is to determine which of the information your organization collects meets this definition of sensitive. This clarifies exactly which data needs to be protected and which legal regulations cover it.

2. Understand the data lifecycle

To protect your sensitive data most effectively, you need to understand its lifecycle. The data lifecycle stages include create, store, use, share, archive, and destroy. Knowing the stage of each piece of sensitive data determines in large part which policies and tools you should implement to best protect it at each point of its lifecycle.

3. Know which sensitive data regulations you are subject to

Compliance is the other major factor influencing the policies and tools you implement to protect your organization’s data. For example, storage practices must include encryption and firewalls to comply with data privacy regulations. Regulations also call for access controls and audit logs so that data use and sharing can be traced back to an individual. Lastly, regulations often require data to be disposed of in a timely and secure manner, so policies need to be implemented to ensure compliance.

It’s important to remember that compliance does not equal security. Complying with PCI DSS, HIPAA, or GDPR rules does not guarantee your data’s security. In fact, you’re better off setting more stringent standards for data privacy and protection than the privacy laws require.

4. Decide who can access information

Access to sensitive data should be given only to employees who need it to fulfill their job responsibilities. To enforce this, require both authentication and explicit authorization before certain data can be accessed.

Authentication methods can include passwords, PINs, access cards, or biometrics, such as fingerprints or facial recognition. Having authentication in place to access certain data will help IT departments keep track of any changes made to it and trace those changes back to a specific person.

All authenticated individuals should have permission roles assigned to them. Not everyone needs modification abilities, and only those requiring this access should be allowed. Assigning roles such as viewer, editor, and administrator can help limit opportunities for sensitive data misuse.

5. Involve all employees in security awareness

It’s essential that your organization educates all individuals, even those who don’t touch any sensitive data, about the data security responsibilities attached to certain roles. Everyone should understand that their actions regarding sensitive data can directly affect the organization’s success and reputation. This understanding helps employees recognize and call out improper handling of sensitive data, and prevents inadvertent sharing of it.

6. Conduct regular backups

In addition to fortifying your data’s storage locations, be prepared to back up that data as often as needed and have different, yet just as secure, places available to store it. For example, if your primary storage is cloud-based, consider backing up to a physical location. In the case of a breach, you can use these backups to restore lost or corrupted data, which can ultimately lessen the financial blow to your organization.

While there’s no specific recommendation for how often to conduct a backup, think about the impact losing an hour, day, or week’s worth of data will have on business operations and determine frequency from there.

7. Document any processes using sensitive data

Many data privacy regulations require you to be able to share with consumers how their sensitive data is being used in your organization’s business processes. By documenting the types of data collected, contexts of use, and collection, storage, and sharing methods, you uphold compliance while also gaining a clearer picture of the data you possess and how it’s handled. In the unfortunate case of a compromise, you can audit this documentation to identify where in your organization’s process or infrastructure (or with whom) a vulnerability resides.

8. Take inventory of your data

Everything — from security to compliance — begins with locating your sensitive data. To find it, look at cloud repositories, physical file servers, computer hard drives, HR databases, your CMDB or eGRC platform, and any other system of record. Once you identify sensitive data, you know exactly what to protect to uphold compliance and reduce the risk of data breaches. You’re able to apply increased security measures for all existing data at the various stages of its lifecycle and will be better prepared to handle the creation of new data moving forward.

9. Plan to organize the data you want to protect

To protect data and meet compliance requirements, you must classify data according to its level of sensitivity. Classification systems help you set those use and modification access controls we mentioned earlier, acting as a natural next step to protect data once discovery is complete. Classification schemes you can use include role-based, data-oriented, access- or location-based, and hybrid. Most organizations categorize or bucket data as variations of a four-level data classification schema — public, private, confidential, and restricted.
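As an added example (not Spirion's code or the article's own), the following Python ties step 4's viewer/editor/administrator roles and audit-trail requirement to step 9's four-level classification schema: a deny-by-default access check plus an audit entry that traces every decision, allowed or denied, to a named individual. The role-to-classification ceilings in `ROLE_POLICY` are an assumed policy for illustration, not something the article prescribes.

```python
"""Added example: deny-by-default access check keyed on the article's four
classification levels and three roles, with an audit trail per decision."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Classification levels, least to most sensitive (step 9 of the article).
LEVELS = ["public", "private", "confidential", "restricted"]

# Highest classification each role may read / modify.
# Assumed policy for illustration; any role/action not listed is denied.
ROLE_POLICY = {
    "viewer":        {"read": "private"},
    "editor":        {"read": "confidential", "modify": "private"},
    "administrator": {"read": "restricted",   "modify": "restricted"},
}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, action, asset, level, allowed):
        # One entry per decision, so denied attempts are visible too.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "asset": asset, "classification": level,
            "decision": "allow" if allowed else "deny",
        })


def is_allowed(role, action, level):
    """Deny by default: an unknown role, action, or level yields False."""
    if level not in LEVELS or role not in ROLE_POLICY:
        return False
    ceiling = ROLE_POLICY[role].get(action)
    if ceiling is None:
        return False
    return LEVELS.index(level) <= LEVELS.index(ceiling)


def access(user, role, action, asset, level, log):
    """Evaluate the request and always write an audit entry."""
    allowed = is_allowed(role, action, level)
    log.record(user, role, action, asset, level, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()  # constructed sample requests follow
    print(access("alice", "viewer", "read", "pricelist.pdf", "public", log))       # True
    print(access("bob", "editor", "modify", "payroll.xlsx", "confidential", log))  # False
    print(access("dave", "auditor", "read", "hr.csv", "private", log))             # False
    print(len(log.entries))  # 3
```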

10. Automate processes for strong ongoing protection

If all of this sounds difficult to do manually, that’s because it is. Human error is inevitable, which can cause an oversight during manual discovery and leave data unprotected. Manual classification can lead to inconsistent labeling or overlooking the critical context of a piece of data, which eventually causes it to be misclassified and left vulnerable.

Even tasks like backing up data, logging its uses, and purging it in accordance with regulatory requirements risk haphazard execution when handled manually, which in turn increases the chance of financial and reputational damage from a breach or noncompliance.

Once your program is in motion, automation tools are what will help it run efficiently and accurately. They enable enterprise organizations to gain critical visibility of their must-protect assets across clouds, networks, devices, and endpoints. You can’t have an effective data protection program without automation software on your side.

Get serious, get systematic, get peace of mind

Developing an effective data protection program may seem like a daunting task at the outset, but it’s doable with the right people and tools on your side. Spirion’s Sensitive Data Platform automatically discovers sensitive data wherever it lives within your organization and accurately classifies it, making it possible to enact your data protection program. Ready to get started? Contact us today.