There are two significant trends occurring right now that shouldn’t be a surprise to anyone reading this post. First, businesses are gathering and leveraging more and more data to improve their core services. Second, more compliance and regulatory standards are popping up from governments and private organizations. As these businesses realize that collecting and utilizing data improves efficiencies, sales or other goals, regulators are waiting in the wings to scrutinize how the data is being used.
This is for the best, of course. Businesses need to be able to access and use data quickly to maintain profitability and effectiveness, but they also need to ensure they are securing the data to protect the privacy interests of everyone involved. An organization’s productivity is essentially rendered meaningless if it begins incurring fines from violations of GDPR, HIPAA, PCI or any of the numerous and growing state regulations on personal data.
Good data governance requires businesses to keep productivity high while also securing the privacy and integrity of the data. In this article, I offer advice on how to properly handle sensitive data in the 2020 landscape.
Defining Sensitive Data
There is no way to accomplish your goals unless you first create the framework for defining them. Many organizations get enthusiastic about upgrading their technology or creating new ways to work, but they don’t consider the structure around this until later. If you want to get better outcomes and avoid liability, policy should really come first.
The first step is to define what you deem to be sensitive information. It can be hard to list every piece of data that could be considered sensitive, so you need to keep this broad.
One approach is to list things you know are sensitive such as user lists, passwords and system information. You can then continue with collected data such as client names, trade secrets, medical records, financial information and so on.
By listing out a lot of specific examples but also leaving the policy open-ended for data you may collect in the future, you set the expectation that much of the information your staff collects is sensitive. That way, when they are faced with a piece of data that may be new or perhaps not specifically defined in your list, the policy should help guide your staff to think critically in the moment and make the right decisions.
Data can also be classified into different categories. All private data is important, but it is obvious that a credit card or Social Security number is more sensitive than, say, the work-in-progress advertisement that marketing is putting together.
It is also a good idea to define types of data that staff should never handle. For example, maybe you want to avoid the regulatory scrutiny associated with collecting credit card information due to PCI requirements. In that case, you'll want to state specifically in your policy that staff are not to collect credit card details under any circumstances. Once data is intentionally collected, you are liable for it whether or not you decided as a business that you wanted it.
Chances are your organization is already somewhere in the cycle of handling sensitive data, whether you have just started to collect it and build out your system or you are already managing a system and thinking about the next phase in your technology roadmap. Either way, some kind of compliance and/or risk assessment is appropriate on a regular basis, perhaps annually, although that will vary based on your specific needs.
While building and managing a system that handles sensitive data in a way that adheres to best practices, you are going to have to make adjustments along the way. Even if you think you are doing everything correctly, a good assessment will identify areas where you missed the mark. Plus, assessment reports that outline shortcomings will give you the clarity to make the right decisions going forward. Most businesses have smart people who are experts in their line of business but not necessarily in managing PCI compliance, for example. Keep in mind that the standards evolve and change over time anyway, so you can't take for granted that the sensitive data controls you have in place now will be sufficient in the future.
Assessments should also occur after any major issue, such as a system failure resulting from a loss of connectivity, a power outage or a hardware failure, or a security incident that exposed you to an unacceptable risk of a data breach.
Once you have defined what sensitive data is, you can start creating rules for how sensitive data exists within your environment. This starts with how you store your data.
First, consider how you want your data organized digitally when stored at rest, regardless of the platform. You should arrange data in a way that aligns logically with its sensitivity. This will help you create least-privilege access rules for staff and design security and risk management solutions specifically for sensitive data. You will want to apply this wherever the data sits, because if it's not organized logically, you can't sufficiently manage it. Many organizations have these kinds of challenges even though they have excellent security tools.
Chances are, especially during these unprecedented times, that you will be leveraging the cloud in some way to store your sensitive information. But even if you are storing data locally, compliance standards such as HIPAA, PCI, GDPR and so on will need to be taken seriously. It is not enough to simply find a cloud storage provider who claims to be secure. Identify which compliance standards you need to meet and make sure that the vendors you are looking at can attest to having secure solutions that speak to those standards. Many providers offer excellent services, but they aren't always enough for specific types of sensitive data.
Getting into the specifics of what controls you will need is beyond the scope of this blog, but you will be looking for things like multi-factor authentication; encryption in transit and at rest; backup and redundancy solutions; data center certifications, geography, and auditing history; and other areas where the storage of your sensitive data faces potential compromise or lack of compliance. The investments you make in these technology solutions and the vendors you associate with will be proportional to the importance of the data. Sophisticated encryption is not necessary when sharing emails asking about what we are eating for lunch, but it is important when holding medical records on a server you utilize.
Assuming you have set up proper controls in your storage environment (perhaps a big assumption), the next step is to make sure your team is actually using it properly. This brings us to the concept of shadow IT. This is where end users decide to utilize technology that is not managed or approved by the organization. This has become especially prevalent now as more people work from home and are using their personal devices. No system can properly handle sensitive data if it is not being used in the way it is designed.
Despite legitimately disconcerting stories about data breaches and malicious hacks in the news, organizations that properly utilize compliant technology solutions are far less likely to find themselves on the wrong end of a security incident with sensitive data.
Data doesn’t exist in a vacuum. Most of the time, organizations that receive sensitive data are going to pass it on to other parties for important reasons. Your HR department, for example, takes the sensitive data from your employees and passes it on to the government, payroll companies and so on.
But imagine if your HR department took that information and decided to send some of it by regular mail in a clear envelope. Or they used four different ways to send it depending on their mood with little means of tracking. Or perhaps worst of all, they simply didn’t validate the names and addresses of the parties they shared this information with, volunteering personal information to a criminal in the process.
In order to properly share sensitive data as part of the normal course of business, you need to establish procedural and technical controls. To achieve this, first start with the process and workflow. Take the technology out of the equation and just think about what the people in your team who share sensitive data with third parties have to accomplish. From there, you can establish a working process that can then be augmented with technology solutions. If you know what your team needs to do to get the core work done, you can then find the right products to do it in an appropriate way.
You will undoubtedly need to implement encryption in transit for any data going out to a third party. Furthermore, you’ll want to implement identity verification solutions so that when you do share sensitive data with a third party, you can be confident that it’s going to the right people. You should also consider endpoint monitoring and device management solutions to protect the devices that touch sensitive data from being compromised.
Finally, actual methods to share sensitive data should be limited. There are many file sharing or messaging solutions that can encrypt data in transit and meet compliance standards associated with sensitive data, but that doesn’t mean you should utilize all of them. The more technology you implement to share data, the more tools you will have to manage and secure, which adds up to increased risk along the way. Once you establish your technology solutions, force your staff to utilize them and stay away from unauthorized sharing solutions.
Removal and Destruction
As businesses gather more and more data, they create vaults of information that they need for operations. But as they create a bigger repository, they also create more liability and more potential for data breaches that could result in fines, audits and other consequences. Plus, devices and users both eventually leave the organization, creating the potential for exposure of data. So, you need to have good policies and processes in place to deal with the removal and destruction of data.
Devices that store any kind of sensitive data at rest should have their hard drives shredded when they're retired from daily use, and the destruction should be done by a company that does so in a compliant and documented fashion. For devices that don't store sensitive information but may have touched it in the past, it is best to restore them to factory settings before you send them off for recycling or donation. Specific standards for removal and destruction of data will vary based on your specific compliance needs.
Furthermore, when a user leaves your organization, make sure their credentials are changed or revoked so they can no longer access the information to which they were once privileged. This is a key responsibility of management: IT departments and service providers are not usually aware of staffing changes on their own, but they can act on change management requests to protect the company from risk.
Diligence and an Open Mind
For businesses that handle any kind of sensitive data, there are going to be limits on what can be done, so you have to get the most risk reduction out of the investments you make in protecting your sensitive data. Handling sensitive data in a safe and compliant fashion requires constant diligence and never assuming that everything is safe. Keep an open mind: the only constant is change.
About the Author: Ben Schmerler is a Director of Strategic Operations at DP Solutions, an award-winning managed service provider (MSP) headquartered in Columbia, MD. Ben works with his clients to develop consistent strategies not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.