Security can be viewed in various ways, but ultimately, it always centers around data. We secure our networks, our passwords and even the doors to our buildings -- all in an effort to protect our data. Regardless of how that data is managed or transported, guarding that information through a data privacy framework is essential. Let's look at three key areas.
Daily production. When we think about data, we naturally pay the most attention to the everyday challenges fueled by keeping data secured and private.
Inside the workplace, data privacy is enabled by linking specific users to predetermined data access rights. To do this, companies employ access control lists (ACLs) to ensure privacy.
With ACLs, data access rights are mapped to match job functions. User groups are set up and linked to these rights definitions, and finally, users are assigned to one or more groups. ACLs are a primary tool used to oversee data privacy, yet how often are they reviewed for accuracy?
To illustrate: Does your current security administrator just assume that the work done to determine ACLs by her predecessor was accurate? Administrators who don't confirm the validity of existing ACLs could be making a big mistake, especially at companies that have grown dramatically in a short time. When the company was smaller, security may have been lax, and data privacy might not have been an important issue. Conducting a detailed review of ACLs and group assignments can help ensure privacy and make sure they present an accurate reflection of your company's current needs.
Once privacy is assured inside the company, the next challenge is to maintain that privacy by keeping the data within the company's confines. Data loss prevention (DLP) is a relatively new set of technologies designed to work proactively to prevent data exfiltration -- that is, keeping private data from being removed from company computers via external drives or via the company data network.
DLP typically works by installing an agent in a company's endpoints -- computers, phones, tablets -- that monitors data flow. DLP software usually comes with templates for common privacy data types, like those formatted for PCI DSS and HIPAA. Once enabled as part of a data privacy framework, the DLP system can log an alert and/or prevent sensitive private data from being sent outside the organization.
Backups. Security is always about identifying the weakest link and then fortifying it. Even with the best internal security, your data privacy can be compromised in other ways -- even when it leaves the building in an approved fashion. Review your data backup policies and procedures to be sure they support your data privacy initiatives.
Determine whether privacy or security ACLs are backed up with the data. This means verifying the backup data is still protected from unauthorized access. For example, is the backup data encrypted or backed up in plain text?
Given enough time, hackers can break through most encryption algorithms, so be sure someone can't surreptitiously make a copy of your backup data. Verify the physical security of your backups, and know what happens when backup media -- for example, tapes -- are retired. Find out if data is wiped before backup media are discarded or recycled.
If your backups are transmitted to a cloud provider, verify its privacy policies to ensure your data is protected.
Partners. Your weakest link might not be within your organization at all. The June 2019 breach of 12 million Quest Diagnostics patient records occurred because Quest's billing vendor was hacked. To ensure privacy, you need to determine if any of your company's private data is shared with partners and then obtain the necessary information explaining how those partners maintain and guarantee data privacy.
The bottom line is: Make no assumptions with your data privacy framework. Always look for the weakest link in your data privacy strategy, and don't forget that it might lie outside your organization.