Information Management: A Link in the Cybersecurity Kill Chain

A version of this post previously appeared on CMSWire.


Lockheed Martin pioneered the Cybersecurity Kill Chain as a way to help information security professionals organize the work they do preventing breaches, as well as to help minimize the impact of those breaches when they occur.

At this point it’s fairly ubiquitous in information security circles, and has undergone many adaptations since its introduction.

Someone shared a version at an AIIM conference recently that I find effective:

Figure: Modified Lockheed Martin Cybersecurity Kill Chain

How Information Management Can Help

What I want to look at is how information management can help information security professionals with one very critical link in the Kill Chain: data theft. 

Data theft is what happens when a bad actor — either internal or external — enters the network and takes control of a device or devices in order to steal or compromise data (e.g. through encryption).

The market is flooded with products that help organizations prevent data theft. Two main categories of software tools that impact data theft are data loss prevention (DLP) and information rights management (IRM).

However, a well-designed and well-executed information management program is at least as powerful as any of these tools, and often more so. Here’s why.

Your Best Protection Against Data Theft: A Well-run Information Management Program

An effective information management program helps organizations keep the data they need (i.e. data with legal or operational use) and purge the data they don't (i.e. data that's past its legal or operational life).

Effective information management reduces an organization’s information footprint, which means less data for bad actors to steal. It also means that an organization’s limited resources can focus on protecting a smaller set of relevant data, which increases the chances of success for the DLP, IRM, or other tools.

For example, if we have a billing system that's 20 years old and haven’t ever purged data from it (even though our corporate records retention schedule says we should purge billing records after, say, 7 years), we’ve got 13 more years of billing data (with PII/PCI in it) than we should, according to our own corporate policies.

When a breach happens, these 13 extra years of data will substantially magnify both its impact and severity due to our mistake of over-retention.

Key Steps to Ensure Proper Data Retention

Although executing on information management is a complex undertaking, at a high level, you need to take a few key steps:

  1. Data map – Determine what data you have, where the data is, and who owns it.
  2. Policy infrastructure – Put policies in place to manage information throughout its lifecycle (including data that’s been orphaned or abandoned).
  3. Content assessment – Scan content to determine what is junk, stale, and/or sensitive (PHI, PII, PCI, intellectual property), as well as whether the security and access for this content is appropriate.
  4. Remediation and clean-up – Based on policy and the results of the content assessment, purge junk/stale content and remediate inappropriate security and access.
  5. Monitoring and prevention – Scan the environment on an ongoing basis to identify both non-compliant activity (e.g. mishandled PHI) and the ongoing growth of stale/junk data and take action to address them.
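As an added example (not code from the original post or from Doculabs), the Python script below sketches what steps 1, 3 and 4 look like in practice, using the billing scenario above: a constructed record inventory is checked against a retention schedule (billing records kept 7 years), scanned with simple patterns for PII/PCI, and checked for overly broad read access. The retention years, file paths, record contents, group names and regexes are all constructed for illustration and are not a production classifier.

```python
from dataclasses import dataclass, field
from datetime import date
import re

# Constructed retention schedule: years each record category is kept.
RETENTION_YEARS = {"billing": 7, "hr": 10, "marketing": 2}

# Illustrative detectors for sensitive data classes (constructed, not exhaustive).
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PAN": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),  # 16-digit card-like number
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

@dataclass
class Record:
    path: str
    category: str      # maps to RETENTION_YEARS; unknown = orphaned data
    owner: str
    created: date
    readers: list      # groups allowed to read; "Everyone" means unrestricted
    content: str

def luhn_ok(digits: str) -> bool:
    """Luhn check so a random 16-digit number is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> list:
    """Return the sensitive-data labels found in content (each label at most once)."""
    hits = []
    for label, pat in PII_PATTERNS.items():
        for m in pat.finditer(content):
            if label == "PAN" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append(label)
            break
    return hits

def years_over_retention(rec: Record, today: date) -> int:
    """Whole years past the category's retention limit; 0 if within policy or unmapped."""
    limit = RETENTION_YEARS.get(rec.category)
    if limit is None:
        return 0
    age = today.year - rec.created.year
    if (today.month, today.day) < (rec.created.month, rec.created.day):
        age -= 1
    return max(0, age - limit)

def assess(records: list, today: date) -> dict:
    """Step 3 (content assessment): map each path to the issues a step-4 clean-up should act on."""
    findings = {}
    for rec in records:
        issues = []
        over = years_over_retention(rec, today)
        if over:
            issues.append(f"over-retained by {over} year(s)")
        if rec.category not in RETENTION_YEARS:
            issues.append("no retention policy (orphaned category)")
        sensitive = classify(rec.content)
        if sensitive:
            issues.append("sensitive: " + ",".join(sensitive))
            if "Everyone" in rec.readers:
                issues.append("sensitive content readable by Everyone")
        if issues:
            findings[rec.path] = issues
    return findings

def sample_records() -> list:
    """Constructed inventory (step 1, data map): paths, owners and contents are made up."""
    return [
        Record("billing/invoice_2003.txt", "billing", "finance", date(2003, 3, 1),
               ["Everyone"], "Card 4111 1111 1111 1111 charged 120.00"),
        Record("billing/invoice_2022.txt", "billing", "finance", date(2022, 6, 1),
               ["finance"], "Total due: 120.00"),
        Record("hr/old_onboarding.txt", "hr", "hr", date(2019, 5, 20),
               ["hr"], "Employee SSN 123-45-6789"),
        Record("shared/unknown_export.csv", "unknown", "nobody", date(2010, 1, 1),
               ["Everyone"], "contact: jane@example.com"),
    ]

def run_assessment(today: date = date(2024, 1, 15)) -> dict:
    return assess(sample_records(), today)

if __name__ == "__main__":
    for path, issues in run_assessment().items():
        print(path, "->", "; ".join(issues))
```

Run as-is, the 2003 billing file is reported as 13 years over the 7-year schedule (the same excess as the post's 20-year billing system), as containing a card number, and as readable by Everyone; the 2022 invoice produces no finding. The Luhn check keeps a random 16-digit figure from being reported as a card number, and the "unknown" category surfaces orphaned data that no policy covers, which is what step 2 is meant to close.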

Granted, this post has been high level. But hopefully it’s shown you how information management can contribute to traditional cybersecurity activities.

At many firms, the two functions cooperate very closely, and in some cases they join forces under the same roof. And given the degree of attention and the resources and dollars cybersecurity gets these days, this is a very good thing for information management, which all too often doesn't get this level of support.


Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.