Information security teams often overlook the sixth step in the Information Security kill chain, Data Theft.
To assess your organization's readiness to protect against data theft, ask these four questions:
- Do we know what data lives in what systems, who owns it, who has access to it and who is in fact accessing it?
- Do we have agreement from key stakeholders on how to manage sensitive data, junk data and stale data to reduce risk and increase value?
- Do we have the policy and compliance infrastructure in place to allow us to manage data to reduce risk and increase value?
- Do we have the technology in place to allow us to manage data to reduce risk and increase value in an efficient and sustainable way?
Let’s look at each one of these to help you see whether — and to what degree — your InfoSec function is ready to effectively prevent data theft.
Assess Your Readiness to Prevent Data Theft
Map Your Data
This is the most straightforward of the four issues: if you don’t know what information you have, you have zero chance of managing it effectively.
Most firms don’t have a configuration management database (CMDB), let alone a data map. A CMDB provides a list of all the applications that indicates the technology each runs on, the application and business owners of each, a basic description of the functionality and purpose of each, and any relevant integrations.
An effective data map takes a CMDB and adds to it. Typically this includes the type of data contained in each application, the security level of the data, the record series of each type of data and its legal risk level (i.e., likely discoverable or not).
Agreement from Key Stakeholders
While the lack of a data map makes it nearly impossible to manage information effectively, lack of agreement is probably the most challenging hurdle preventing firms from effectively addressing their information management challenges.
The result is that the vast majority of firms keep everything forever.
Here’s why: If InfoSec, IT, Legal, Records Management and line of business stakeholders can’t agree on the general principles that will guide how they manage information, the firm will never make significant progress in addressing information management risk.
The result is that they end up doing nothing, which means they never pull the trigger on disposing of information that’s past its legal or operational life.
The following typical stakeholder perspectives on information management create the impasse:
- Legal wants to keep everything forever because they believe that 1) there’s too much risk in purging anything and 2) the more information they retain, the greater the chance they will be able to produce evidence that will exonerate them in a future lawsuit
- IT won’t make a decision one way or the other on purging because the data isn't theirs; they simply own the systems it lives on
- The business wants to keep everything forever because they may need a piece of information to satisfy a customer or stakeholder request sometime in the future
- Records Management wants to purge the information according to the records schedule, but doesn't have the pull to override Legal or the business
- InfoSec wants to protect whatever sensitive data the firm has, but doesn't care about whether it should dispose of it
Given these typical perspectives, it’s nearly impossible for a firm to decide to delete anything. And without agreement on what the conditions are for purging, archiving and preserving information, the default stance will be to retain everything indefinitely.
Policy and Compliance Infrastructure
Knowing what information you have where and gaining stakeholder agreement on what to do with it will only get you so far. Without the policy and compliance infrastructure in place to govern how you execute, two things will happen:
- End users won’t follow the corporate policies because they have no direction on how to comply with them while getting their jobs done
- End users will comply, but the organization will be unable to defend its actions in court or before regulators because it lacks a framework in which these actions can reasonably be considered repeatable, predictable and auditable
What's needed is three things. First, a clear set of corporate standards that describe the rules of the road within which all work must operate to remain compliant. Second, a streamlined, clear set of policies that stipulate what the organization should do to operate within the guidelines. Third, updated departmental procedures that ensure that, if employees follow them, the policies are being adhered to (and thereby the standards are being followed).
Finally, detailed directions on how to execute the policies using specific systems, such as Exchange, SharePoint, Salesforce, SAP, etc., are needed.
The Technology to Support it All
The final piece of the puzzle, having adequate technology in place to support information management, allows you to make real progress. Without it, you’re left asking end users to manage information manually, which will never happen.
No matter how many shared-drive cleanup days you set aside, no matter how much awareness you raise about the importance of good information management, and regardless of how much support you get from the top to encourage buy-in, end users simply will not spend the time it takes to manually clean up their information. And if by some miracle they do, they’ll be much less effective at it than they would be if they were supported with technology.
A number of suitable technology solutions are out there to help — it would take an entire post (or two) to review them. But the important thing is to find the ones that work for you and deploy them to support end users in complying with your standards and policies to manage information more effectively.
Ready to Get Started?
This article isn’t a step-by-step guide to help you manage your information better; no number of posts can accomplish that.
But hopefully it’s given you some inspiration and guidance for how to start tackling the problem of information management at your organization so you can better prevent data theft and shore up your kill chain defense.