Many IT decision makers look at assets as hardware, but really they should consider why they have the hardware in the first place.
These decision makers remember the very significant investments they made in servers, PCs, firewalls, and so on in order to deploy that new CRM or Electronic Medical Records System. They think of the tens of thousands of dollars they spent just to get the system functional. It’s understandable, then, that the memory of this investment makes many decision makers forget why they invested in these systems in the first place: to gather and manipulate data for critical organizational functions. The real asset they are protecting is that data.
Think about it. It may be inconvenient, but if a PC or server fails, you can generally bring in another piece of equipment and replace it. These pieces of hardware are just tools, and tools are replaceable. Data is not easily replaceable if lost. In this article, I’d like to cover things to think about when it comes to managing your data assets, which are the most important element of your system.
Classify Your Data
The first step in coming up with a proper data management strategy is creating some sort of classification system. What data does your organization use on a day-to-day basis? How does this data vary? Is it subject to compliance or regulatory concerns? What about trade secrets? This can be a very difficult step for me to work on with my clients when I perform my assessments because the organization often looks at data as one big bucket of stuff. “We have a file server” or “It all goes in the system” are lines I usually hear. That’s fine as a starting point, but ultimately there need to be distinctions about what matters and why.
Centralizing data in known locations, like servers, is a good start, but there should be some logical separation within that centralized space. Useful criteria for segmenting data include who needs access to it, whether it flows in and out of the organization freely (or not), whether it is vendor-specific, whether it is subject to special compliance or regulatory standards, whether it is HR data, and so on. This list is certainly not exhaustive, but it gives you an idea of the things to think about as you create a classification system that fits your needs. Once data is classified, you and your IT support team should easily be able to determine where and how each class of data should be stored and centralized.
Determine Value Of Data
Now that you have determined what data matters to your organization and how you want it stored, you need to come up with a “value” for each of the types of data you just classified. While most people think of value as a monetary concept, it is really a relative one. Some data is simply expensive to replace, or would result in fines if exposed in a cyber-security incident. That’s certainly one type of value to consider. But a trade secret getting out could have existential consequences for an organization.
Another type of value to consider is the value you place on integrity and confidentiality. In many organizations it is a professional and ethical responsibility that data be protected from exposure. An attorney who allows his clients’ data to be exposed has violated his duty. Other kinds of data have emotional consequences. Certainly, nobody is fining you if you lose family pictures, but you would pay an emotional price for losing them. Other data may not be that valuable at all. An old quote you provided someone a long time ago may be nice to have around, but it may not actually matter if it is exposed or lost.
Whatever type of value you assign to data, it is important that you ultimately place some kind of value score on it: something that reflects the pain you would experience should the data be stolen, altered, or lost. Just remember to ask yourself why the data matters when assigning it a value.
Review System for Data Asset Storage Locations
While data should be centralized, classified, and then stored in accordance with those decisions, it’s inevitable in most organizations that you will experience “data sprawl”. Sometimes a user will copy a document off the server onto a laptop and then travel with that laptop. Now there’s an extra copy of that document on the laptop. Most users will put the file (perhaps edited) back on the server once they are done with it and have the opportunity to do so. But people make mistakes and forget. Even worse, sometimes people will store this data in environments you can’t control, like personal online storage accounts or USB drives.
Computers themselves can also create these problems at times. I was recently performing an assessment and discovered that tax preparation software was not purging Social Security Numbers that were relegated to some kind of temporary file the application was using to do its work. The user did nothing wrong, intentionally or unintentionally. The software left a remnant of the sensitive data. So if that PC was exploited, Social Security Numbers could have been exposed. We discovered this using a hard drive scanning tool, which I encourage most organizations to do if they care about data management. Between end user responsibility and review, as well as technical scanning tools, you can generally get a sense of where your data is stored to avoid the sprawl that can lead to data loss or breaches.
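The kind of scan described above, as an added example that is not the author’s tool or the product used in that assessment: a small Python scanner that walks a directory tree, reads every file as raw bytes (so application temp files and other non-text remnants are covered, not just documents), looks for nine-digit runs in the NNN-NN-NNNN or NNNNNNNNN shape, filters out values the Social Security Administration never issues to cut false positives, and reports each finding masked so the report itself does not become another unprotected copy of the data. The sample tree it builds under a temporary directory, including the fake tax-preparation temp file, is constructed for this example; the SSN values in it are not real records.

```python
"""Scan a directory tree for Social Security Number remnants.

Added example, not the author's tool. Assumptions: SSNs appear as ASCII
digits in the form NNN-NN-NNNN or NNNNNNNNN; the sample data below is
constructed and contains no real records.
"""
import os
import re
import tempfile

# Nine digits as NNN-NN-NNNN or NNNNNNNNN, with no digit on either side so a
# longer run (account numbers, hashes) is not split into a false SSN.
SSN_RE = re.compile(rb"(?<![0-9])([0-9]{3})-?([0-9]{2})-?([0-9]{4})(?![0-9])")


def is_plausible_ssn(area: bytes, group: bytes, serial: bytes) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This removes most numeric false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_bytes(data: bytes) -> list:
    """Return [(offset, masked_ssn), ...] for plausible SSNs in a buffer.
    Only the last four digits are kept in the report."""
    hits = []
    for m in SSN_RE.finditer(data):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append((m.start(), "***-**-" + serial.decode("ascii")))
    return hits


def scan_tree(root: str, max_bytes: int = 256 * 1024 * 1024) -> dict:
    """Walk a directory tree and map each file with findings to its hits.
    Files are read as raw bytes so binary temp files are covered too."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if hits:
                findings[path] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed sample data for a stand-alone run (not real records)."""
    root = tempfile.mkdtemp(prefix="ssn-scan-")
    os.makedirs(os.path.join(root, "TaxPrep"))
    os.makedirs(os.path.join(root, "Docs"))
    # A binary temp file left behind by an application, with two SSNs inside.
    with open(os.path.join(root, "TaxPrep", "~tmp_return.dat"), "wb") as fh:
        fh.write(b"\x00\x01FORM1040\x00TAXPAYER_SSN=123-45-6789\x00"
                 b"SPOUSE_SSN=321549870\x00")
    # Values that look like SSNs but are not: unissued areas, a phone number.
    with open(os.path.join(root, "Docs", "notes.txt"), "wb") as fh:
        fh.write(b"Quote 000-12-3456 sent; PO 666-01-0001; call 555-867-5309\n")
    # A ten-digit identifier must not be split into a nine-digit SSN.
    with open(os.path.join(root, "Docs", "ids.txt"), "wb") as fh:
        fh.write(b"customer_id=1234567890;\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, hits in sorted(scan_tree(sample).items()):
        for offset, masked in hits:
            print(f"{path}: offset {offset}: {masked}")
```

Run against the sample tree, only the tax-preparation temp file is reported; the notes and identifier files produce nothing. On a real workstation the hit list is a starting point for review, not proof: any nine-digit number that passes the SSA range check still needs a human look, and the scan should run with the same care you would give the data itself (read-only access, masked output, results stored in a protected location).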
Communicate Data Asset Policies and Review
Once all of the technology questions have been answered, it’s very important that the logic behind the data management decisions is communicated to end users. There should be formal documentation, signed off by staff to acknowledge their understanding, that outlines what data the organization cares about, why it matters, the liabilities associated with it, and the general rules of engagement, such as which devices can touch this data and where it can be stored.
I find very often that users are simply unaware of the importance of data management and their role in it. This is understandable. Most end users are focused on the primary responsibilities of their job and don’t necessarily consider themselves a part of IT risk management. Good policies can help create a better culture for data management and create engagement from staff.
Certainly, there are more things to consider with data management, and many of these steps may require assistance outside of your organization, but I hope these principles have given you food for thought to consider how your organization manages data and what changes may need to be made.
About the Author: Ben Schmerler is a vCIO Consultant at DP Solutions, one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.