1/28/2016 10:00 AM
Heidi Maher
Commentary

Data Privacy: Key Elements Of An Information Governance Plan

For Data Privacy Day: do you have the policies in place to safeguard your company's most strategic information? Here are nine best practices.

Today, big data initiatives using customer data are driving new personalized services, innovative insights, optimized operations and new business models. That all sounds terrific, but there’s a dark side to big data, and if you don’t get a handle on it, your company's new analytics projects may cause far more problems than they solve.

We see it nearly every day. Data gets hacked and stolen, and private customer and employee information is continually being accessed by the wrong people. The Edward Snowden leaks demonstrate that even top-secret government documents are vulnerable. The Ponemon Institute has estimated that criminal data breaches now cost companies an average of $174 per record; to gauge the significance of this, consider that the Target breach disclosed in December 2013 and January 2014 involved as many as 110 million customers.

Evolving regulations in the U.S., and even more so in the EU, make it clear that companies that get breached or that inadvertently expose private information are subject to a variety of regulatory and legal penalties. The increasing reliance on the cloud only adds to the security concerns, especially with regard to the adequacy of cloud vendor protections and certifications and the transfer of data across borders. Public cloud services such as Dropbox, AWS, iCloud, and Google Drive should also give security- and privacy-conscious companies pause, because of the ease with which a user can share private information with just about anyone. Beyond fines, failure to comply with privacy regulations can also do significant damage to a company's reputation.

Despite these risks, and in the face of headline after headline loudly proclaiming how vulnerable organizations are, far too many companies insist on making the situation worse. Executives and boards stick their collective heads in the sand and, in the name of big data, permanently park every bit of information they collect in storage systems and archives "just in case" they should ever need it.

But the math here is simple: the more data you keep, the larger and more complex the infrastructure that stores, moves and copies it must become, and the larger the attack surface for breaches and privacy violations.

Many companies will claim they are doing everything they can to protect data by investing in the latest intrusion prevention and detection solutions. But there are two problems with this. First, these solutions, while getting better all the time, are in a constant battle with ever more sophisticated attackers, and the attackers keep getting through. Second, these solutions are designed to keep outsiders out; they do little to prevent or even detect breaches by insiders who already have legitimate access.

According to an industry watch report and survey conducted by AIIM, 51 percent of respondents had data-related incidents in the past 12 months, including 16 percent suffering a data breach – half from external hacking and half from staff. Staff negligence or bad practice is the most likely cause of data loss (20 percent).

Contrary to the belief of most IT executives, minimizing the risk of both outside and inside threats to data does not start with a technology solution. Instead, it starts with developing policies and practices that enable you to:

  • Clearly understand the full scope of the data under your control, including data put in cloud storage and shared with third parties.
  • Assess the value of that data to the various stakeholders throughout your organization and the risks associated with it, including whether or not it should be classified as private or sensitive and whether or not it really has any potential big data value.
  • Identify all information that has no business, regulatory or legal value so it can be defensibly disposed of. According to a combined Compliance, Governance and Oversight Council (CGOC) and EDRM survey in 2014, approximately 70 percent of the data that companies now keep falls into this category, and eliminating it would result in a dramatically simpler infrastructure and reduced risk.

Developing such policies and practices is the function of an information governance (IG) program. IG programs provide a comprehensive approach to safeguarding a company’s most strategic information. They create end-to-end, repeatable, and -- where possible -- automated processes that help determine what data is most important to the organization and how best to use it securely in day-to-day operations. Key elements of an IG program include:

  1. Establish who owns the oversight of data privacy and compliance.
  2. Identify where private and sensitive information exists in business processes and IT systems.
  3. Understand how much of it is shared outside the organization.
  4. Assess and balance the risks and value of this data, especially with regard to big data projects.
  5. Establish policies to meet privacy and security requirements.
  6. Limit the locations where private and sensitive information can be stored and who can access it, so there is less to protect and it is easier to protect.
  7. Dispose of unnecessary information to avoid liability and simplify the infrastructure.
  8. Use encryption, at rest and in transit, wherever possible.
  9. Provide full audit, logging, monitoring, and alerting capabilities.
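Items 2, 6, 7 and 9 above are the ones that can be enforced mechanically once the policy exists. The following is an added example of what that enforcement looks like in code; it is not from the article or from any product the author describes. The detection patterns, the approved-location and retention tables, the JSON audit format and the sample documents are all constructed for illustration, and the retention periods in particular are assumed values, not a recommendation.

```python
"""Added example, not from the article: a small data-discovery and retention check
that turns items 2, 6, 7 and 9 of the list above into code. Every table and record
here is constructed for illustration (assumed patterns, locations, retention periods)."""
import io
import json
import re
from datetime import date

# Detectors for three common sensitive-data types (assumed, simplified patterns).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators

# Assumed policy tables: the only stores each category may live in (item 6), and
# how long each may be kept (item 7). "none" is the default for unclassified data.
APPROVED_LOCATIONS = {
    "pan": {"/vault"},
    "ssn": {"/vault", "/hr"},
    "email": {"/vault", "/hr", "/crm"},
}
RETENTION_DAYS = {"pan": 90, "ssn": 7 * 365, "email": 2 * 365, "none": 365}

TODAY = date(2016, 1, 28)  # fixed so the sample run is reproducible


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Item 2: the set of sensitive-data categories present in one document body."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if EMAIL_RE.search(text):
        found.add("email")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("pan")
    return found


def review(doc: dict, today: date) -> dict:
    """Items 6 and 7: decide relocate / dispose / keep for one document."""
    cats = classify(doc["body"])
    misplaced = sorted(
        c for c in cats
        if not any(doc["path"].startswith(loc + "/") for loc in APPROVED_LOCATIONS[c])
    )
    # The shortest retention period among the categories found governs the document.
    limit = min(RETENTION_DAYS[c] for c in cats) if cats else RETENTION_DAYS["none"]
    age = (today - doc["modified"]).days
    if misplaced:
        action, reason = "relocate", "location_not_approved"
    elif age > limit and doc.get("legal_hold"):
        action, reason = "keep", "legal_hold"  # a hold always blocks disposal
    elif age > limit:
        action, reason = "dispose", "retention_expired"  # past policy, no hold
    else:
        action, reason = "keep", "within_policy"
    return {"path": doc["path"], "categories": sorted(cats), "misplaced": misplaced,
            "age_days": age, "action": action, "reason": reason}


def audit(docs: list, today: date, sink) -> list:
    """Item 9: one JSON line per decision, so a SIEM can alert on relocate/dispose."""
    records = [review(d, today) for d in docs]
    for r in records:
        sink.write(json.dumps({"ts": today.isoformat(), **r}) + "\n")
    return records


# Constructed sample documents (not real data).
SAMPLE_DOCS = [
    {"path": "/crm/notes-2015.txt", "modified": date(2015, 3, 2),
     "body": "Customer called back; card on file 4111 1111 1111 1111, contact pat@example.com"},
    {"path": "/hr/onboarding.txt", "modified": date(2014, 6, 1),
     "body": "New hire SSN 123-45-6789, start date June"},
    {"path": "/crm/old-export.csv", "modified": date(2013, 1, 10), "legal_hold": True,
     "body": "id,email\n1,sam@example.org"},
    {"path": "/shared/meeting.txt", "modified": date(2014, 9, 1),
     "body": "Agenda: Q1 roadmap, order ref 1234567890123"},
]


def run_sample() -> list:
    """Review the sample set, print the audit lines, and return the decisions."""
    sink = io.StringIO()
    records = audit(SAMPLE_DOCS, TODAY, sink)
    print(sink.getvalue(), end="")
    return records


if __name__ == "__main__":
    for r in run_sample():
        print(r["path"], "->", r["action"], "(" + r["reason"] + ")")
```

Two design points matter more than the regexes. First, the legal-hold branch sits above disposal: a retention rule can never delete something a regulator or court has asked you to keep, which is what makes the disposal defensible. Second, the check emits a structured record for every document, not just the ones it acts on, so the audit trail answers "what did you know about this file and when" rather than only "what did you delete". The order-reference string in the last sample document is 13 digits but fails the Luhn check, which is why it is not flagged as a card number.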

When it comes to priorities in the age of big data, information governance usually isn't near the top of the list. But once company leaders recognize the potential dark side of all that data, financial as well as ethical, information security teams can take the lead in pushing for a comprehensive IG program.

Heidi Maher is an attorney and a legal technology specialist who has advised hundreds of organizations on information governance around data security, compliance and eDiscovery. From assessing maturity levels and drafting readiness plans to helping implement internal ...