For years, security experts focused primarily on protecting their organization’s networks from malicious use. Sites like privacyrights.org have documented successful attacks against all sectors of commerce, government and education. Only recently have governments started to change the goals from securing networks and devices to protecting sensitive data. Data breach notification laws, cybersecurity insurance and government data protection requirements provide motivation to change existing security strategies. The emergence of cloud computing in its various forms forces companies to figure out ways to protect their high risk data. Before we start with data protection, we should note that cloud computing has forced us to assume the network is hostile. We cannot protect the “network” because we don’t know where its “borders” are located. Here’s a straightforward strategy that can serve as an example.
• Create data management framework
Who are the owners of the data in your organization? Who has the final say if a business process wants to access and process your financial data? Typical data owners include the Chief Financial Officer, the Controller/Comptroller, or a governance group consisting of members of the business processes that handle financial data. Data stewards are usually the people who make the day-to-day decisions. Your organization should have this framework defined in policies and standards.
• Create data classification framework
Simple is better. We adopted Stanford University’s data classification definitions and reduced our data categories to 3 – High, Moderate and Low. Here’s our high risk definition:
Data and systems are classified as high risk if:
1. Protection of the data is required by law/regulation, and
2. Virginia Tech is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed; or
3. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
A clear and concise data classification framework provides the foundation for the next steps in your data protection strategy.
• Create Sensitive Data Search framework
Simply put, you have to find high risk data before you can protect it. Some examples of high risk data include spreadsheets that contain employee travel information, medical records, scanned purchase orders and strategic business dealings. How do you find this data? There are commercial tools that will search your systems for social security, passport, driver’s license, bank, debit and credit card account numbers. You should run these tools on all of your company owned assets. Start with the business processes that handle high risk data on a daily basis.
• Create Sensitive Data Protection framework
Now that you’ve found where your high risk data lives, how do you protect it? The generic strategy is to use an encryption system based on peer-reviewed mathematical algorithms. If a vendor or developer says they’re using a proprietary algorithm, run away. Selecting a workable encryption system is difficult. It’s relatively straightforward if your data is only passed around internally. The challenge comes when your data travels outside of your organization: both sides then have to use a common encryption solution. Do you use certificate-based authentication or multi-factor authentication? As you can imagine, this can be quite challenging.
• Create Sensitive Data Breach framework
What happens once a high risk data breach is confirmed? Do you have processes for notifying affected people, paying for credit monitoring, issuing prepared press statements to the media, funding fines, judgments, etc., and making cyber security insurance claims? Are there other processes, not mentioned here, that you need? Do you have a governance committee?
Security awareness programs should be proactive, as part of a “prevention” program. The last step of a generic incident response process is “follow up”. Follow-up security awareness is technical: the technical staff learn what went wrong, how it was fixed and, more importantly, what steps to take to hopefully prevent another breach.
Hopefully, these general steps will help you develop your own strategy or help validate an existing strategy.