NIST Privacy Framework : Our Essential Data Protection Guide


How valuable is your data?

About the author

From security architecture to data management, Cory Retherford brings 20 years of technical experience to his position as Principal Advisory Solutions Engineer at Spirion providing real world solution implementation strategies within large and complex environments. With a focus in data security, privacy, and operational data security risk reduction, Cory believes in protecting sensitive data because privacy matters to us all.

Or, perhaps more importantly, do you know your data? If you aren’t intimately knowledgeable about the data your company has—what it consists of, how it is used, where it is stored—your data loses some of its value as a business driver for the organization. Not only that, but poor data management increases the risk of a data breach and both financial and reputational losses.

To gain the most economic value from sensitive data and to keep it protected from potential cyber risks (not to mention meeting the criteria for data privacy and governance regulations), companies need to deploy an effective data management system. This provides visibility into the entire lifecycle of the data held within the organization.

Of course, not all data management tools are alike, and not all organizations have the same needs surrounding their data management. IT leadership and business decision-makers must make informed assessments about their data management needs and build a strategic plan around how to best take each piece of information through its lifecycle. To do that, you must know everything about your data.

Separating the Sensitive from the Clutter

Not all data is created equal. That email reminding you about your weekly office video conference is certainly important when you receive it, but after that meeting, the email is cluttering up your data repository.

Many organizations don’t bother to separate sensitive and important data from the clutter. This becomes troublesome when you need to collect data for discovery or receive a “right to forget” request from a customer. The clutter becomes noise in the data management process. Knowing which data is important to keep and which data can be deleted puts the data management lifecycle into motion.

The next phase of the sensitive data management lifecycle—location—is arguably the most important. Location includes where the data travels in transmission, where it is in rest and how long it is kept. The overall location of data and the ability to identify that sets the purpose and scope to follow in all security and privacy activities. Bottom line, the most effective data management protection programs consist of the ability to report on the location of and types of sensitive data.

Determining the value of data can begin once you’ve classified it as sensitive and identified the location. Understanding the data’s organizational worth leads to building a data-centric security and compliance privacy program. The results include avoiding cyber risk and maintaining a good corporate brand image.

Do You Know Where Your Data Lives?

At the core of any successful data security management program is an automated data discovery process. Done right, this process accurately locates sensitive data so that it can be effectively managed and protected.

When you consider the vast amount of data that was collected before the data management system was adopted, the discovery process can be overwhelming. Think about how a single database of sensitive information may be used across your organization.

First, there are the people who have access to the information. How many individuals are using it and for which job duties? How long is that data in use for a specific project and how many times is it accessed? Is it being replicated with each new person who touches it?

Second, where is this sensitive data stored while it is in use? Most sensitive data is stored on workstations, file servers, databases, and cloud repositories, increasing in volume every day.

Third, where is this sensitive data stored while at rest? How often are individuals downloading a file from the cloud, for example, and using it on their work computer, then transferring it to their smartphones and home computers, where it is never deleted? It isn’t just the volume of data that has increased exponentially over the years, but also the breadth of data storage vessels.

How can you make informed decisions about protecting your data if you don’t know where it lives and how redundant it is? (The answer is: You can’t.) How many copies of the same pieces of sensitive information are readily accessible within your network infrastructure? How accurate is your organization’s view of your sensitive data and how well can you separate the sensitive data from the clutter?

The less visibility you have into your data, the more organizations will hesitate to implement automated protective actions. Accuracy is the foundation to making the right decisions about deploying a data discovery tool that will automate the classification of files while remediating data through actions such as deletion or redaction processes.

So how valuable is your data? You won’t know until you can accurately locate, classify, and manage your most sensitive data. The better you know your data, the more valuable it will become.