There’s no denying that the days of printed documents are a distant speck in the rearview. Industries are becoming much more reliant on automated systems and processes versus the manual ledgers and manila files of yesteryear.

Industries continue to make significant investments to move toward the digital age through the implementation of new, more efficient systems and the conversion of physical records to electronic records.

It’s sometimes hard to categorize all the types of data that your organization maintains.  Most companies retain financial data, healthcare data, trade secrets, payroll data, personnel records; the list can get quite large the more you think about it.

With the daily pressures of work, limited time, and a lack of resources, many organizations have been unable to prioritize an inventory of all of the types of data that they consider integral to continued operation. The challenge is that an organization has many different departments and divisions, and each generates and maintains its own specific types of data.

As a best practice, management should consider performing a thorough inventory of the data that resides within an organization.

[Infographic: data inventory]

Organizations should assign a data champion in each department/division. The first step the data champion should take is to ask questions such as: What types of data are being generated, and what is their significance? Where is the data being stored, and how long is the data required to be retained? The data inventory process can be time consuming and should involve input from a multitude of individuals within a department.

Once a thorough data inventory has been completed for your organization, management should review the various categories of data and determine its sensitivity to the company. For any data that is considered to be sensitive to your organization, management should work with IT management to ensure that the data is being stored in a secure manner.

-  When data is stored locally on company workstations and laptops, IT management must ensure that these devices are properly encrypted and kept physically secure.

-  If the data is stored on network shares within a department, responsible IT personnel should ensure that access to these shares is properly restricted to only employees with a business need.

-  For data that is stored on backup tapes, IT management should review the backup tapes and ensure that they are physically secure and that the tapes are encrypted.  

-  If a cloud backup solution is used, IT management should ensure that only authorized personnel, both at your organization and your cloud service provider, have access to the backup data.

The transfer of company data to offsite customers, clients, and other parties is a critical risk if proper planning is not considered.

Before agreeing to transfer company data, management should ensure that proper data ownership and security agreements are in place between the company and the receiving party.

Company management should also review the transfer methods being used, such as SFTP, SSH, VPN, or TLS, to ensure that sufficient security is considered by both the sender and the receiver of the data.

If sensitive data is required to be emailed, company IT management should ensure that encryption software is installed on the mail server that automatically scans both the body of the email and its attachments and properly encrypts any sensitive data it finds.

IT management should establish, and enforce, policies that spell out the required level of data transfer security that must be met by any party that is receiving your sensitive data.
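As an added illustration (not code from the original post or from HORNE), the storage controls listed above and the transfer requirements just described can be written down as an automated policy check that runs over a departmental data inventory. The record fields, the sample inventory entries, and the wording of the findings are all constructed assumptions for this example.

```python
"""Policy check over a constructed data inventory.

Added example: the rules below encode the post's storage controls
(encrypted/physically secured endpoints and tapes, restricted shares and
cloud backups) and its transfer requirements (agreement in place, an
approved transfer method). Field names and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Transfer methods the post names as acceptable when properly configured.
APPROVED_TRANSFER = {"SFTP", "SSH", "VPN", "TLS"}


@dataclass
class DataAsset:
    """One line of a departmental data inventory (hypothetical schema)."""
    name: str
    department: str
    sensitivity: str            # "sensitive" or "internal"
    storage: str                # workstation | network_share | backup_tape | cloud_backup
    encrypted: bool
    physically_secured: bool
    access_restricted: bool     # access limited to employees with a business need
    retention_years: int
    shared_externally: bool
    transfer_method: Optional[str]
    agreement_in_place: bool    # data ownership / security agreement with receiver


def check_storage(asset: DataAsset) -> List[str]:
    """Return findings for sensitive data whose storage lacks a required control."""
    findings: List[str] = []
    if asset.sensitivity != "sensitive":
        return findings
    if asset.storage == "workstation":
        if not asset.encrypted:
            findings.append("workstation/laptop not encrypted")
        if not asset.physically_secured:
            findings.append("workstation/laptop not physically secured")
    elif asset.storage == "network_share":
        if not asset.access_restricted:
            findings.append("network share access not restricted to business need")
    elif asset.storage == "backup_tape":
        if not asset.encrypted:
            findings.append("backup tape not encrypted")
        if not asset.physically_secured:
            findings.append("backup tape not physically secured")
    elif asset.storage == "cloud_backup":
        if not asset.access_restricted:
            findings.append("cloud backup access not limited to authorized personnel")
    else:
        findings.append(f"unknown storage location '{asset.storage}'")
    return findings


def check_transfer(asset: DataAsset) -> List[str]:
    """Return findings for sensitive data sent to outside parties."""
    if asset.sensitivity != "sensitive" or not asset.shared_externally:
        return []
    findings: List[str] = []
    if not asset.agreement_in_place:
        findings.append("no data ownership/security agreement with receiving party")
    if asset.transfer_method not in APPROVED_TRANSFER:
        findings.append(f"transfer method '{asset.transfer_method}' not approved")
    return findings


def audit(inventory: List[DataAsset]) -> Dict[str, List[str]]:
    """Map each asset name to its findings; assets with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        findings = check_storage(asset) + check_transfer(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    DataAsset("payroll_register", "Finance", "sensitive", "workstation",
              False, True, True, 7, True, "email", False),
    DataAsset("hr_personnel_files", "HR", "sensitive", "network_share",
              True, True, False, 7, False, None, False),
    DataAsset("monthly_backup", "IT", "sensitive", "backup_tape",
              True, True, True, 1, False, None, False),
    DataAsset("marketing_assets", "Marketing", "internal", "cloud_backup",
              False, False, False, 2, True, "HTTP", False),
    DataAsset("client_tax_returns", "Tax", "sensitive", "cloud_backup",
              True, True, True, 10, True, "SFTP", True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The check only fires on records classified as sensitive, which is the point of doing the classification step before the control review: the same missing control on an internal-only asset is noise, while on payroll data it is a gap to close.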

Failure to follow security protocols for data transfer could result in data breaches that could lead to large fines and the tarnishing of a company’s reputation.

Data truly is the most integral element in business operations today. Performing a data inventory assists management with the identification, classification, and security of critical data. Using the data inventory, management can make the concerted effort to properly secure the data both internally and when transmitting it to customers and clients to protect its confidentiality, integrity, and availability.


This post was written by Bryan Allison

Bryan is a director of information technology assurance and risk services. He focuses on information technology regulatory compliance to include Sarbanes-Oxley, HIPAA, SOC reporting, information privacy and security, fraud prevention, disaster recovery, and business continuity.
