By Derek Sliger, Sr. Director Information Security, Children’s Health
Data protection, at its core, is the set of processes and practices used to safeguard data. The most significant challenge today is that, if you are like many companies out there, you have data across various platforms and in many locations. You will have data on corporate systems, in shares, in the cloud, on corporate mobile devices, in some cases on non-company assets, and in the hands of third-party companies you have provided it to. Many companies are driven by either regulatory or legal requirements, yet others are not. It does not matter whether or not you are bound by those types of requirements. Your data is still core to your business operations and, in some cases, your company image.
Where do you start?
The first step is identifying what it is you need to protect. Some of the most common data types are regulatory, legal, intellectual property, financial, Human Resources, Personally Identifiable Information (PII), contract information, source code, and specific company confidential data. By no means are these all the data types. Anything that could harm your business if exploited or exposed is confidential and important data for your organization. Step one: take the time to sit down with your staff and draft a list of all the confidential data types that exist within your company. Yes, that includes what is under regulatory and legal governance, but it can also include one single document that contains information that you would not like anyone to see. No matter how large or small you are, and whether or not you are under regulatory or legal compliance, you have confidential electronic data that needs to be protected.
Next, and I must say the hardest step, is establishing visibility into, and an inventory of, where your confidential data is created, stored, and provided to other companies. This is the number one reason that many companies have breach incidents: they do not know where their confidential data exists. As I stated above, in today’s world, a company’s data is in many locations. It is on managed and unmanaged systems and has been transmitted to other companies. To make this even more complicated, some of the data is structured, and some is unstructured. Put simply, the difference is the type of format the data is stored in.
Structured data is highly organized; therefore, it is searchable. Unstructured data, however, does not have a predefined format and is not easily searchable. I bring up structured and unstructured data in this section instead of in the previous paragraph because this point alone will determine the methods that a company must use to establish that inventory. Establishing an accurate inventory will ultimately end up being a combination of both technical capabilities and manual processes. It will include the systems and applications that you know contain specific data types, and it will depend on your employees’ tribal knowledge. There are many companies out there that provide technical, electronic searching capabilities that can assist you with this effort. You will need to document the processes and procedures you have in place that transmit confidential data to other companies so that you can document those locations/companies as part of your external inventory. You may have some particular data formats that you know will always contain confidential data. Searching for, identifying, and documenting the systems that store and transmit those will be part of that inventory. In closing this step, you will use people and technology combined to gain visibility into, and an inventory of, your data. This will take planning and time.
Now that you know what you need to protect and where it is, you must determine how you are going to protect it. From the exercises in the paragraph above, you now have an exceptionally good understanding of where your data exists. In most cases, it will be on-prem on different types of systems, some you have complete control over and some you do not; on remote devices such as corporate laptops and phones; on remote employees’ personally owned devices; in your cloud location; and at other companies (not a comprehensive list). The information security controls that you use at each of those are different. If you transmit data to another company, I would suggest that you perform a security assessment of that company before you provide data to it, to ensure it has controls in place to protect your data.
Factors to consider include the different types of systems (servers, devices, desktops, laptops), different operating systems, network controls, endpoint controls, data governance, etc.
Take all the above into account and establish a formal data protection strategy. There are many resources available that can assist you in accomplishing this goal. Before you can do that, you must first determine for your company what you need to protect and where that exists. Once you establish those, you are truly ready to take the next step: develop a comprehensive data protection plan and implement the respective security controls to safeguard your data and network and protect your company.