Data Security 101: Make Sure You Know Where Your Data Is and How It’s Working for You
Data is the key to your operation. Make sure you’re keeping it safe.
Whether it’s the data you receive from your customers, information you use to run your business, or the source code for your applications, data is at the very heart of any organization. Securing that data is job #1 for any information security program.
A good place to start is understanding where the data is, who uses it, and why it’s being used, so you can determine how to best secure it.
Once all the important data has been identified, commit the details to documentation by creating a data flow diagram so you know where all of your organization’s data is at any given time.
A data flow diagram maps the flow of data within your organization and its networks. This diagram is the key to understanding the data stored in your environment.
When thinking through data flows, it’s useful to walk through a data lifecycle model. For instance, one popular model considers that data is created, shared with others, used by personnel or applications to accomplish something meaningful, stored electronically or physically for later use, archived for a long period “just in case” and finally destroyed. By considering each of these steps, an informed understanding of how data moves throughout your organization is well within reach. Knowing where your data is and how it’s being used will strengthen your organization’s data security.
In addition to understanding the movement of data throughout your organization, the requirements for preserving the confidentiality, integrity, and availability of each type of data should also be captured. Not all data is subject to the same set of requirements. The content of your public website has low confidentiality requirements but high integrity and availability requirements (it is meant to be read by anyone, but it must not be altered and must stay reachable), whereas healthcare data usually ranks high in all three categories. Once these requirements are written down, the protections that each type of data needs become much clearer.
For instance, encryption protects confidentiality, and when it is combined with an integrity mechanism such as a message authentication code or a digital signature (as authenticated encryption modes do), it also lets the recipient detect tampering. Encryption on its own does not provide that guarantee: an attacker can modify many ciphertexts without knowing the key. Your policies should therefore require appropriate authenticated encryption for both data-at-rest and data-in-motion. Likewise, the mechanisms that control who can access the data should be in line with its confidentiality and integrity requirements. Finally, availability requirements will drive system design, business continuity planning, IT resiliency, and other information management considerations.
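The following Python example is added here to illustrate the point above; it is not code from the original article or from KirkpatrickPrice. It builds a small stream cipher from HMAC-SHA256 in counter mode (a toy construction chosen so the example runs with the standard library alone; in production use a vetted authenticated mode such as AES-GCM or ChaCha20-Poly1305). With the unauthenticated cipher, an attacker who knows only the layout of the record can change the encrypted amount from 0100.00 to 9100.00 without the key and the change goes unnoticed; with an encrypt-then-MAC tag added, the same modification is rejected. The keys, nonce and payment record are constructed for the demonstration.

```python
"""Confidentiality without integrity: a malleable cipher vs. encrypt-then-MAC.

Added illustration, not the article's own code. The HMAC-counter keystream is a
toy cipher used only so the example runs offline; use AES-GCM or
ChaCha20-Poly1305 in real systems.
"""
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Confidentiality only."""
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: data was modified")
    return xor_stream(enc_key, nonce, ct)


def tamper(ciphertext: bytes, offset: int, old_char: str, new_char: str) -> bytes:
    """Attacker step, no key needed: flipping the bits of one ciphertext byte
    flips the same bits of the plaintext byte, turning old_char into new_char."""
    out = bytearray(ciphertext)
    out[offset] ^= ord(old_char) ^ ord(new_char)
    return bytes(out)


def demo() -> dict:
    # Constructed demo keys and nonce; a real system derives keys from a KMS/HSM
    # and never reuses a nonce under the same key.
    enc_key = b"enc-key-for-demo-only-not-secret"
    mac_key = b"mac-key-for-demo-only-not-secret"
    nonce = bytes(range(NONCE_LEN))
    record = b"payee=ACME;amount=0100.00"  # constructed sample record
    offset = record.index(b"amount=") + len(b"amount=")  # position of the leading '0'

    # 1. Unauthenticated encryption: the amount is changed to 9100.00 undetected.
    ct = xor_stream(enc_key, nonce, record)
    forged_plaintext = xor_stream(enc_key, nonce, tamper(ct, offset, "0", "9"))

    # 2. Encrypt-then-MAC: the identical modification is caught on receipt.
    blob = seal(enc_key, mac_key, nonce, record)
    forged_blob = tamper(blob, NONCE_LEN + offset, "0", "9")
    try:
        open_sealed(enc_key, mac_key, forged_blob)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "original": record,
        "forged_plaintext": forged_plaintext,
        "round_trip_ok": open_sealed(enc_key, mac_key, blob) == record,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lesson for policy is the one the paragraph above states: a control described as "encrypted" satisfies the confidentiality requirement, but the integrity requirement is only met when the receiver verifies an authentication tag (or signature) before trusting the decrypted data, which is why the policy should name authenticated encryption rather than encryption in general.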
Data has a useful life, and your organization must respect it. This means understanding and enforcing data retention requirements. In some cases, those requirements are defined by laws and regulations; in others, it is up to your organization to define them.
Data retention requirements should be formally defined and then implemented so that data past its retention period is eliminated (“destroyed” in the data lifecycle model) in a way that leaves it unrecoverable. Only after that step do the protections cease to be required, because data you no longer possess no longer needs to be secured.
Work with a KirkpatrickPrice Expert to Make Sure Your Data Is Secure
Data security can be an intimidating goal, especially with the amount of data organizations are responsible for these days. It can be difficult to keep up with what data is being used, who is responsible for certain data, and even what data is still relevant to your organization. At KirkpatrickPrice, our data security experts are here to help you understand your data’s lifecycle and how to best protect that data.
Connect with an expert today to make sure you’re doing everything you can to secure your data.
About the Author
As a 30-year IT veteran, Randy Bartels has experienced nearly every facet of information technology management from help desk and software development to architecture and budgets. For the past 15 years, Randy has been providing information security consulting services to clients of all shapes and sizes and he currently serves KirkpatrickPrice as their VP of Operations. He holds CISSP, CISA, CSSLP, QSA, CCSK certifications.