Companies and other organizations alike are beginning to understand the implications of existing and forthcoming data breach, privacy and security regulations. As a result, security professionals have initiated an increasing number of technology-focused projects that address data protection obligations.
These data protection implementations take many forms. Some companies may engage in e-discovery/ or records-management projects. Others may need to satisfy Payment Card Industry (PCI) Data Security Standard requirements or protect telecommunications data like customer proprietary network information (CPNI). While the pertinent laws and regulations may differ for each industry's particular undertaking, what remains constant is that they are all focused on protection and proper handling of data.
Whether the data is related to PCI DSS, CPNI, HIPAA or any other data type or regulation, two fundamental questions need to be answered early on:
- Where is the data?
- How is the data being used?
When addressing laws and regulations, as well as international data protection standards and customer/business partner contractual obligations, answering these questions can help companies measure the gap between where they are and where they need to be. Understanding "where is the data" and "how it is being used" will assist an organization in gaining a baseline understanding of where controls don't function effectively or perhaps do not even exist. Answering these important questions can possibly detect or prevent data leakage, unauthorized access and handling, as well as non-compliance with laws, regulations and contractual obligations.
Business process analysis
To answer these questions, consider following the data through the organization and examining its presence in business processes.
Take the order-management process at any consumer-facing organization, for example. Using interview questionnaires, one could ask the business process owner for information on more specific, sub-process parts of the order management cycle, like the creation and maintenance of a customer profile.
From the identified customer data elements, it is then possible to investigate how the order information is captured. Continuing with the previous example, interviews with customer service representatives may reveal that they capture buying behavior information as part of their order-management process. In such an activity, both structured data, like a customer's birth date, and unstructured data, like reasons for a customer's specific purchase, are added to the customer's profile. This particular data, in aggregate, can potentially rise to the level of personally identifiable information (PII), depending on the legal guidelines in the geographic location where the data is captured and where it resides.
The question of "Where is the data?" can also be answered by examining and documenting an infrastructure's various data elements, including file stores, desktop computers and databases. Assuming the data elements that are in scope -- like names, addresses and Social Security numbers -- have been identified, there are two methods for determining where data resides within an organization.
First, interview infrastructure owners and stakeholders, such as database administrators, system admins and network managers. These Q&A sessions should reveal the databases and systems that hold the in-scope data elements, demonstrate how the information moves from one system/database to the next, and explain what technical identity and access management mechanisms exist to protect the data elements. Similar to business process analysis, create a data-flow diagram that documents the interview information.
The second and increasingly popular method calls for automated "data discovery" technology. These tools scan a network's databases, file shares or desktop computers, searching for specific data elements that a user specifies. Some products even build a network map that shows each location of the in-scope data element.
Answering the questions posed above will accelerate the development of an enterprise data protection strategy and program. Knowing the location of data and how it is handled allows an organization to identify how well it complies with laws, regulations and/or contractual obligations that require an immediate, tactical response.
About the author:
Russell Jones is Partner AERS - Security & Privacy Services with Deloitte & Touche and has significant experience working with his clients in the development of information security programs, system security architectures, network security vulnerability analysis and penetration testing, privacy and data protection programs and role-based access control (RBAC) design and deployment. He has practical experience applying security frameworks such as ISO 17799:2005 and ISO 15408 against real world environments. Jones has more than 15 years of experience in the design, architecture, implementation and deployment of identity management solutions, encryption solutions, and distributed architecture application solutions. He has delivered IT Risk and Control services including broad assessments of process/control effectiveness and/or maturity for the various functional areas of IT along with identification of gaps and risks, deeper assessment. Jones has practical experience assessing security gaps and applying control frameworks such as COSO and COBIT ver 3.2 against SAP R/3, Oracle ERP and Peoplesoft 8.X and IT General Computer Control environments.
This was first published in October 2007