A version of this post originally appeared on the CMSWire blog.
Information security teams often overlook the sixth step in the Information Security kill chain, Data Theft.
To assess your organization's readiness to protect against data theft, ask these four questions:
- Do we know what data lives in what systems, who owns it, who has access to it, and who is in fact accessing it?
- Do we have agreement from key stakeholders on how to manage sensitive data, junk data, and stale data, in order to reduce risk and increase value?
- Do we have the policy and compliance infrastructure in place to allow us to manage data to reduce risk and increase value?
- Do we have the technology in place to allow us to manage data to reduce risk and increase value in an efficient and sustainable way?
Let’s look at each one of these to help you see whether — and to what degree — your InfoSec function is ready to effectively prevent data theft.
Assess Your Readiness to Prevent Data Theft
Map Your Data
This is the most straightforward of the four issues: if you don’t know what information you have, you have zero chance of managing it effectively.
Most firms don’t have a configuration management database (CMDB), let alone a data map. A CMDB provides a list of all the applications that indicates the technology each runs on, the application and business owners of each, and any relevant integrations, along with a basic description of the functionality and purpose of each.
An effective data map takes a CMDB and adds to it. Typically, the data map includes information on the type of data contained in each application, the security level of the data, and the record series of each type of data and its legal risk level (i.e. likely discoverable or not).
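As an added illustration (not from the original post), here is a small Python check that turns the first readiness question into something testable. It assumes a hypothetical data-map schema built from the CMDB and data-map fields just described, plus constructed access-log rows, and reports owners the map lacks, granted access that is never or no longer used, and observed access the map does not record.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class DataMapEntry:
    """One data-map row (hypothetical schema): CMDB fields plus the post's classification fields."""
    app: str
    technology: str
    app_owner: str           # None when the map does not record an owner
    business_owner: str
    data_type: str
    security_level: str      # public | internal | confidential | restricted
    record_series: str
    likely_discoverable: bool
    granted_users: set = field(default_factory=set)

def readiness_gaps(entries, access_log, today, stale_days=90):
    """access_log rows are (app, user, date last seen); returns sorted (app, finding) pairs."""
    last_seen = {}
    for app, user, seen in access_log:
        if seen > last_seen.get((app, user), date.min):
            last_seen[(app, user)] = seen
    findings = []
    for e in entries:
        if e.security_level in ("confidential", "restricted") and not e.business_owner:
            findings.append((e.app, "sensitive data but no business owner"))
        if not e.app_owner:
            findings.append((e.app, "no application owner recorded"))
        for user in sorted(e.granted_users):      # who has access vs. who actually uses it
            seen = last_seen.get((e.app, user))
            if seen is None:
                findings.append((e.app, f"{user}: access granted but never used"))
            elif (today - seen).days > stale_days:
                findings.append((e.app, f"{user}: access unused for {(today - seen).days} days"))
        observed = {u for (a, u) in last_seen if a == e.app}
        for user in sorted(observed - e.granted_users):   # the map is missing a grant
            findings.append((e.app, f"{user}: access observed but not in the data map"))
    return sorted(findings)

# Constructed sample data map and access log (not real systems or people).
ENTRIES = [
    DataMapEntry("HRIS", "SAP", "alice", None, "employee PII", "restricted",
                 "HR-02 personnel files", True, {"bob", "carol"}),
    DataMapEntry("Wiki", "SharePoint", "dave", "erin", "procedures", "internal",
                 "OPS-10 procedures", False, {"bob"}),
]
ACCESS_LOG = [("HRIS", "bob", date(2023, 12, 20)), ("HRIS", "frank", date(2024, 3, 20)),
              ("Wiki", "bob", date(2024, 3, 28))]
TODAY = date(2024, 4, 1)   # constructed "as of" date for the review
```

Running `readiness_gaps(ENTRIES, ACCESS_LOG, TODAY)` lists only HRIS findings: the Wiki entry has owners, and its one grant is in use.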
Agreement from Key Stakeholders
While the lack of a data map makes it nearly impossible to manage information effectively, lack of agreement is probably the most challenging hurdle firms face in effectively addressing their information management challenges.
Here’s why. If Legal, IT, line-of-business stakeholders, Records Management, and InfoSec can’t agree on the general principles that will guide how they manage information, the firm will never make significant progress in addressing its information management risk. The result is that they end up doing nothing, which means they never pull the trigger on disposing of information that’s past its legal or operational life. That is why the vast majority of firms keep everything forever.
Following are the typical stakeholder perspectives on information management that are responsible for creating the impasse:
- Legal wants to keep everything forever because they believe that 1) there’s too much risk in purging anything and 2) the more information they retain, the greater chance they’ll be able to produce evidence that will exonerate them in a future lawsuit.
- IT won’t make a decision one way or the other on purging because the data isn't theirs; they simply own the systems it lives on.
- The business wants to keep everything forever because they may need a piece of information to satisfy a customer or stakeholder request sometime in the future.
- Records Management wants to purge the information according to the records schedule, but doesn't have the pull to override Legal or the business.
- InfoSec wants to protect whatever sensitive data the firm has, but doesn't care about whether it should dispose of it.
Given these perspectives on information management, it’s nearly impossible for a firm to decide to delete anything. And without agreement on what the conditions are for purging, archiving and preserving information, the default stance will be to retain everything indefinitely.
Policy and Compliance Infrastructure
Knowing what information you have where and gaining stakeholder agreement on what to do with it will only get you so far. You also need to have in place the policy and compliance infrastructure to govern how you execute. Without it, two things will happen:
- End users won’t follow the corporate policies because they have no direction on how to comply with them while getting their jobs done.
- End users will comply, but the organization will be unable to defend its actions in court or in front of regulators because there is no framework within which these actions can reasonably be considered repeatable, predictable, and auditable.
An effective policy and compliance infrastructure requires four things:
- First, a clear set of corporate standards that describe the rules of the road within which all work must operate to remain compliant.
- Second, a streamlined, clear set of policies that stipulate what the organization should do to operate within the guidelines.
- Third, updated departmental procedures which ensure that, if employees follow them, the policies are being adhered to (and thus the standards are being followed).
- Finally, detailed directions on how to execute the policies using specific systems, such as Exchange, SharePoint, Salesforce, SAP, etc.
The Technology to Support It All
The final piece of the puzzle is to have adequate technology in place to support information management. This allows you to make real progress. Without it, you’re left asking end users to manage information manually, which (we should all know by now) will never happen.
No matter how many shared drive cleanup days you set aside, no matter how much awareness you raise about the importance of good information management, and regardless of how much support from the top you enlist to encourage buy-in, end users simply will not spend the time it takes to manually clean up their information. And if by some miracle they do, they’ll be much less effective at it than they would be if they were supported with technology.
A number of suitable technology solutions are out there to help; it would take an entire post (or two) to review them. But the important thing is to find the ones that work for you and deploy them to support your end users in complying with your standards and policies to manage the organization’s information more effectively.
Ready to Get Started?
This article isn’t a step-by-step guide to help you manage your information better; no number of posts can accomplish that.
But hopefully it’s given you some inspiration and guidance for how to start tackling the problem of information management at your organization, so you can better prevent data theft and shore up your kill chain defense.