An effective data protection program minimizes your sensitive data footprint and helps keep business-critical and regulated data secure and out of the hands of attackers. The best way to develop and maintain such a program is to think of it as a process, not a project. Here are ten steps to help you put your process in place.
Adopt a logical approach to a data protection strategy
First, make sure minimum-security baselines are in place, including perimeter and end-point security. Then, analyze how your business operates so you can identify and locate your sensitive data. Once you have located the data, understand how it’s created and used; classify it, and prioritize your data assets.
Define sensitive data
Sensitive data is any data that if lost, stolen or exposed, could financially harm your organization, cause reputational damage, or be reason for termination. Using that definition, your organization will come up with its own unique list of sensitive data, which may be PCI, PHI or other regulated data, as well as company-confidential data.
Understand the data lifecycle
To protect your sensitive data most effectively, you need to understand its lifecycle. The data lifecycle stages are create, store, use, share, archive and destroy. Knowing the stage a specific file with sensitive data occupies determines in large part what policies you should apply to best protect it.
Locate sensitive data
To find sensitive data, look at fileservers, HR databases, your CMDB or eGRC platform, and any other system of record. Once you identify sensitive data, apply a hybrid approach to protecting it, apply security controls to known data, enumerate the unknown data, and monitor the creation of new data.
Identify privacy and data protection roles
Data roles in a typical organization are stakeholders, owners, stewards, producers, and consumers. It’s essential that your organization educate individuals about the data security responsibilities attached to their roles and make clear to them that their actions regarding sensitive data can directly affect the organization’s success and reputation.
Establish a data security process
Approach data security as a project that will become a process. In the project phase where you lay the foundation, you need to consider: resources (people, skill sets, technology); time (Are you out of compliance or responding to an incident?); and buy-in (communicate the importance of change to get buy-in from both management and the user community).
Manage compliance and data governance
Compliance does not equal security. Just because you comply with PCI, HIPAA, SOX or other regulations and data protection laws, doesn’t mean your data is secure. In fact, you’re better off setting more-stringent standards for data privacy and protection than the privacy laws require and adding governance so that the work you do to increase security stays.
Use PPT to protect new data
Locate and protect existing data, then use data threat modeling to prepare for cyber-attacks. As part of your preparation, apply the PPT process: Have a process for identifying and handling new data; make people aware of the process; and use technology to automate as much of the process as possible.
Formulate classification levels for advanced protection
To protect data and meet compliance requirements, you must classify data according to its level of sensitivity. Classification schemes you can use include role-based, data-oriented, access or location-based, and hybrid. You may end up classifying data according to security objective and/or potential impact of unauthorized disclosure.
Get serious, get systematic, get peace of mind
Developing an effective data protection program may seem like a daunting task at the outset, but if you take it step by step, and employ the right people and technology, it’s easily doable. Moreover, the alternative—ignoring data protection and hoping nothing bad happens—makes no sense for any responsible organization.