Every publicly traded company has an alphabet soup of regulations to follow: SOX, PCI-DSS, HIPAA, SEC/NASD/NASDAQ, etc.
In addition to the standard regulatory reporting requirements, a critical component of most are the protection of private and sensitive data, at rest, in use, and in motion. Some include specific implementation requirements, while others simply demand appropriate encryption.
The specific regulations cover separate types of data, such as financial, healthcare, individual, confidential/sensitive business, and military/government data.
Discovery and classification are critical components of regulatory compliance. First you need to find the data and then determine its level of sensitivity to ensure that it is protected correctly. The classification system must be able to define the basic governance of the who, what, when, where, and why of every action performed on every piece of sensitive data, determining the file type, original and new locations, and whether the file has been copied, printed, etc.
It also needs to be able to track the “individual” pieces of sensitive data. For example, if someone decides that it is too risky to steal an entire credit card file, they instead choose to steal only 30 numbers. Your system needs to be able to identify and track the location of those numbers.
Of course, being in compliance can be a daunting task. Where and when do you start? Definitely do not start after you’ve failed a security audit or, even worse, been sued for negligence. Start now. How?
Examine your basic business processes. Questions to ask include:
Where is the data created?
Who owns it?
Who uses it?
Where does it go?
What departments can use the data?
Who can read it?
Who shouldn’t ever see it?
Where is it physically located?
To what degree should the data being created be protected?
Under what regulations do these particular pieces of data fall?
Do the regulations change based on where the data is stored?
Is your cloud provider in a different jurisdiction?
How does that affect your compliance?
Answers to these questions will determine your basic governance policies for data creation and protection.
Once you have the policies, you need to enforce them in a manner that complements the organization’s business. You may want to have the classification done automatically based on corporate strategy, let end users decide, use a crawler to scan the data at rest, or connect directly to the organization’s main applications (like CRM, SAP etc.) to classify data at the point of creation.
You might also like to combine some of these classifications methods. Of course, it must also adjust these policies over time – sensitive data today may not be sensitive tomorrow.
(About the author: Yoran Sirkis is CEO of Covertix, which offers the SmartCipher line of technologies).
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access