Managing critical or sensitive data is a key corporate governance issue, and organizations often struggle with the increasing complexity of compliance and legislative demands that now regulate how businesses handle particular types of information. To protect data, it is essential to first discover the data that needs to be protected. Identifying and determining the location of critical data across the enterprise can be challenging – unless a structured data discovery strategy is implemented.
Lack of visibility into critical data assets can leave organizations exposed to significant risks, and numerous well-documented cases of critical data leakage only serve to highlight the consequences for organizations – including criminal and civil litigation, reputational and brand damage and hefty financial implications.
Data discovery is a fundamental factor in risk mitigation and a control in assessing governance and compliance capabilities. Whether engaging in governance, compliance or information security, one must establish a full and comprehensive understanding of where potentially exposed information resides on the corporate network.
Organizations often accept payment in the form of cardholder data from multiple sources, but often struggle to demonstrate to external security auditors that appropriate security measures are in place to protect such data throughout its lifecycle, i.e., how this sensitive information is collected, stored and used. The lifecycle of data should include a comprehensive approach to managing an organization's assets, involving procedures, practices and applications. Discovering where sensitive information is stored is the first and most critical step toward securing it.
Therefore, one must ensure that after due consideration to location, security and data volumes, critical details are maintained within protected areas of the corporate network. User access rights to these secure information repositories should be restricted by network logon credentials, which are managed by the network administrator. Data discovery is the exercise whereby the network is audited for the presence of critical assets (e.g., cardholder data) and frequent information discovery exercises should be used to audit for the presence of unsecured sensitive and critical data. Data auditing is part of ongoing auditing that is specified in standards to ensure assets remain secure and that the security process is working effectively.
There are technologies to help in this process, but before implementing one, one must make sure that the solution is flexible in the manner in which it can configure the criteria for data discovery. As well, the speed of network scanning and congestion should be weighed. Another consideration is the ease of use for data categorization and classification models, as well as the ease of deployment and management. Finally, one should look for comprehensive reporting that identifies meaningful and actionable results.
With a technology tool in place, the next step is to ensure that corporate and governance policies are communicated effectively to the staff. It is essential to maintain operating discipline and efficient data security initiatives for managing sensitive data as a key enterprise asset.Identifying exposures to critical assets is fundamental to an effective protection strategy, and discovery is core to this process. Lack of visibility will leave organizations weakened and exposed to significant risks. Through effective data security software and policies, organizations can significantly mitigate risk, gain clear visibility and take full control of their corporate data and IT assets.