Enterprise data management: Analyzing business processes and infrastructure for data protection


Russell Jones
10.26.2007




This tip is part of SearchSecurity.com's Data Protection School lesson, Executing a data governance strategy. Visit the Executing a data governance strategy lesson page for additional learning resources.

Companies and other organizations are beginning to understand the implications of existing and forthcoming data breach, privacy and security regulations. As a result, security professionals have initiated an increasing number of technology-focused projects to address data protection obligations.

These data protection implementations take many forms. Some companies engage in e-discovery or records-management projects. Others need to satisfy Payment Card Industry Data Security Standard (PCI DSS) requirements or protect telecommunications data such as customer proprietary network information (CPNI). While the pertinent laws and regulations differ from industry to industry, what remains constant is that they are all focused on the protection and proper handling of data.

Whether the data is related to PCI DSS, CPNI, HIPAA or any other data type or regulation, two fundamental questions need to be answered early on: Where is the data? And how is it being used?

When addressing laws and regulations, international data protection standards and customer/business partner contractual obligations, answering these questions helps a company measure the gap between where it is and where it needs to be. Understanding "where is the data" and "how it is being used" gives an organization a baseline understanding of where controls do not function effectively, or perhaps do not exist at all. Answering these questions can help detect or prevent data leakage, unauthorized access and handling, and non-compliance with laws, regulations and contractual obligations.

Business process analysis
To answer these questions, consider following the data through the organization and examining its presence in business processes.

Take the order-management process at any consumer-facing organization, for example. Using interview questionnaires, one could ask the business process owner for information on more specific, sub-process parts of the order management cycle, like the creation and maintenance of a customer profile.

Investigating a customer profile process can reveal the specific customer data that a service representative captures. The personal information obtained could include names, home addresses and email addresses. After a conversation about the specific procedure, a business process diagram can be created to document the interview results.

From the identified customer data elements, it is then possible to investigate how the order information is captured. Continuing with the previous example, interviews with customer service representatives may reveal that they capture buying behavior information as part of their order-management process. In such an activity, both structured data, like a customer's birth date, and unstructured data, like reasons for a customer's specific purchase, are added to the customer's profile. This particular data, in aggregate, can potentially rise to the level of personally identifiable information (PII), depending on the legal guidelines in the geographic location where the data is captured and where it resides.

Infrastructure analysis
The question of "Where is the data?" can also be answered by examining and documenting the infrastructure's data stores, including file stores, desktop computers and databases. Assuming the data elements that are in scope -- like names, addresses and Social Security numbers -- have been identified, there are two methods for determining where data resides within an organization.

First, interview infrastructure owners and stakeholders, such as database administrators, system admins and network managers. These Q&A sessions should reveal the databases and systems that hold the in-scope data elements, demonstrate how the information moves from one system/database to the next, and explain what technical identity and access management mechanisms exist to protect the data elements. Similar to business process analysis, create a data-flow diagram that documents the interview information.

The second and increasingly popular method calls for automated "data discovery" technology. These tools scan a network's databases, file shares or desktop computers, searching for specific data elements that a user specifies. Some products even build a network map that shows each location of the in-scope data element.
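What such a discovery tool does under the hood is shown below as an added example; it is not code from the original tip or from any product it mentions. The script walks a directory tree (standing in for a file share or desktop), pattern-matches three of the in-scope data elements the article names (email addresses, US Social Security numbers and PCI DSS payment card numbers), and returns a map of which files hold which elements. The pattern names, size threshold and the sample "share" it writes to a temporary directory are assumptions made for illustration. It goes one step beyond the paragraph above by showing the check a practitioner wants on raw regex hits: candidate card numbers are confirmed with the Luhn mod-10 test, and SSN area/group/serial values that are never issued are excluded, so an order number does not get reported as cardholder data.

```python
"""Added example: a minimal automated data-discovery scan over a file tree.

Not from the original article; it illustrates what a "data discovery" tool
does for three in-scope elements: email addresses, US SSNs and payment card
numbers (PANs). Pattern names, sample files and thresholds are assumptions.
"""
import os
import re
import tempfile
from collections import defaultdict

# Candidate patterns. Regexes alone over-match, so hits are tightened below.
PATTERNS = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued;
    # the lookarounds stop dashed card numbers from being read as SSNs.
    "ssn": re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # PAN candidate: 13-19 digits, optionally separated by spaces or dashes.
    "pan": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits):
    """Luhn mod-10 check; filters digit runs (order numbers, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_elements(text):
    """Return {element_name: [matched values]} for the in-scope elements found in text."""
    hits = defaultdict(list)
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "pan":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue    # looked like a card number but fails Luhn: drop it
            hits[name].append(value)
    return dict(hits)


def scan_tree(root, max_bytes=5_000_000):
    """Walk root and return {path: {element_name: count}} for files with hits.

    Oversize and binary files are skipped; unreadable files are ignored rather
    than aborting the scan, since a real share always has some you cannot open.
    """
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if b"\x00" in data[:1024]:
                continue        # crude binary check
            hits = find_elements(data.decode("utf-8", errors="replace"))
            if hits:
                findings[path] = {name: len(vals) for name, vals in hits.items()}
    return findings


# Constructed sample share (not real data) so the scan runs offline.
SAMPLE_FILES = {
    "crm/profile.txt": "Customer: Jane Doe, jane.doe@example.com, SSN 123-45-6789\n",
    "orders/export.csv": "order,card\n1,4111 1111 1111 1111\n2,1234 5678 1234 5678\n",
    "notes/readme.txt": "Ticket 000-12-3456 (area number 000 is never a real SSN)\n",
    "bin/app.exe": b"MZ\x90\x00" + b"\x00" * 64,
}


def demo():
    """Write the sample share to a temp dir, scan it, return findings keyed by relative path."""
    with tempfile.TemporaryDirectory(prefix="discovery_") as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            data = content if isinstance(content, bytes) else content.encode("utf-8")
            with open(path, "wb") as fh:
                fh.write(data)
        findings = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in findings.items()}


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(path, counts)
```

Running the script reports the CRM profile (one email address, one SSN) and the order export (one Luhn-valid card number); the second "card" in the export and the placeholder in the readme are rejected, and the binary is skipped. A production tool adds database connectors, handles archives and document formats, and maps hits to hosts, but the validation step is the same: a raw pattern match is a candidate, not a finding, until it passes the checks that the data element's format allows.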

Conclusion
Answering the questions posed above will accelerate the development of an enterprise data protection strategy and program. Knowing the location of data and how it is handled allows an organization to identify how well it complies with laws, regulations and/or contractual obligations, and where the gaps require an immediate, tactical response.

About the author:
Russell Jones is Partner, AERS - Security & Privacy Services, with Deloitte & Touche and has significant experience working with his clients on the development of information security programs, system security architectures, network security vulnerability analysis and penetration testing, privacy and data protection programs, and role-based access control (RBAC) design and deployment. He has practical experience applying security frameworks such as ISO 17799:2005 and ISO 15408 to real-world environments. Jones has more than 15 years of experience in the design, architecture, implementation and deployment of identity management solutions, encryption solutions and distributed-architecture application solutions. He has delivered IT risk and control services, including broad assessments of process/control effectiveness and/or maturity for the various functional areas of IT, identification of gaps and risks, and deeper assessments. Jones has practical experience assessing security gaps and applying control frameworks such as COSO and COBIT ver 3.2 to SAP R/3, Oracle ERP, PeopleSoft 8.X and IT general computer control environments.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy