As a computer geek at heart, I tend to gravitate toward technical solutions, for example using data leakage prevention (DLP) tools to inventory information. DLP is indeed powerful and can help tally data ranging from personally identifiable information (PII) to intellectual property. However, to get a complete picture of where critical information resides, it is very important to inventory at the business process level.
Obviously, DLP will not help find paper-based records. Also, DLP does not follow the lifecycle of information and shifting data classification. Something that is sensitive one day might change its data classification due to time criticality or other factors.Further, DLP is not a silver bullet in locating data. Backup tapes, USB drives, mobile devices and more may not be included in your inventory depending on the device type, the type of DLP that you use, or other variables.
Starting with the business process and following the data lifecycle provides a more thorough view of where and in what form your data lives – from creation to destruction and places in between. However, inventorying at the business process level is not a one-time endeavor. It is iterative and needs to be updated on a regular basis. In addition, all organizations are not created equal, so it is important to know who in the organization will be able to help with the business process inventory. Some likely candidates include:
Human resources: As the keepers of some of the most sensitive data in an organization, HR is key in determining where employee records live, both in electronic and paper formats. A Jordan Lawrence survey found that fewer than 16 percent of companies address the appropriate management of sensitive information within corporate record management policies. This is thus another item to review with the human resources office.
Finance and line of business owners: Credit card and customer information, financial data and intellectual property are just a few vital areas where business owners' input is needed.
Legal: The general counsel and other legal resources have a wealth of knowledge regarding sensitive information, mergers and acquisitions and other areas of interest.
Information technology: They are critical allies in partnering technical data flows with the business process information collected.Finding sensitive data and applying data classification policies to it is never an easy task. However, following a structured methodology that starts with the business process information, augmented with technology-based inventory assessments, such as DLP, will lay the foundation to ensure the analysis is conducted in a consistent, rigorous and reliable manner that will provide lasting benefits.