Implementing a best practice approach to risk-based data protection
- By Dana Simberkoff
- Dec 14, 2016
As government agencies create participatory, transparent and collaborative environments for their employees and citizens, they are often responsible for collecting, using, appropriately sharing and protecting data. These central information repositories may become a treasure trove of sensitive information, making them a potential target for cyberattacks.
Data without controls can create operational, privacy and security gaps that could put an agency at risk. It can create unintended consequences and increases the potential for inadvertent or unauthorized disclosure of sensitive information. As agencies develop and implement their cloud and infrastructure consolidation strategies, they face additional challenges in balancing access to information with protecting information that should not be available.
The explosion of data and the raising of expectations about data accessibility has introduced a more complex, evolving environment to protect. More applications and transactions happen over the internet, the cloud is completely changing notions of a digital perimeter, worker mobility is redefining the IT landscape and shadow IT is quickly becoming enterprise IT.
So what does this mean for the economics of a security program? How can agencies protect everything against everyone? It is imperative that compliance, governance and cyber assurance solutions for government data repositories and collaboration systems are established and sustained. This is the reality of the new cyber landscape:
Protect the weaker targets. While most organizations simply do not have the budget to protect against cyberwarfare, they can protect against attackers looking for weaker targets. Agencies can not only make it harder for people to attack their systems, but they can also to make it less attractive to do so. Having proper protocols in place will likely ward off attackers looking for an easy conquest.
Security is about mitigating risk. In the absence of metrics, we tend to focus on risks that are familiar or recent. Unfortunately, that means that we are often reactive rather than proactive when it’s most important to understand how data, people and location weave together to create patterns across an organization. Only by understanding the data can agencies create for effective protection.
The right thing should be easy to do. In the absence of a culture in which everyone understands that data protection is a part of their job, end users will make poor security choices. This means that systems must be easy to use securely and difficult to use insecurely. Create policies, rules and IT controls that make it easier for end users to do their jobs effectively with the approved systems and controls. At the end of the day, employees will do what they need to do to get their job done. Join them in making it simple to use the appropriate tools.
Protect data from insiders. Many breaches come from an attacker who is already inside. Whether intentional or not, insiders cause the greatest threat to data protection programs. Fortunately, this threat can be addressed by using a layered approach to data classification and ensuring that policies, training and tools are being properly understood and integrated into the day-to-day tasks of the workforce.
Perfect security does not exist. In order to have a holistic and effective data privacy and security program, agencies must adopt a risk-based approach to implementing their data protection program.
Traditionally, there has been a perception that privacy is where IT projects goes to die, and that security teams lead with “no.” Whether that reputation is deserved or not, it’s important for security and privacy officers as well as legal counsel to take the steps to bake privacy in as a fundamental ingredient of their development lifecycles.
So how can this work operationally?
Chief information security officers and chief privacy officers must partner with their IT and program managers to gain key executive sponsorship and cooperation with their departments and agency programs. Privacy teams cannot be in every meeting in which a new IT system, program or campaign is being contemplated, but they can develop a framework that can be used by IT departments to incorporate privacy best practices within their programs, IT systems and across the organization.
A standardized and repeatable process for the IT department and the program managers allows for advice, guidance and review at every step of the process. Consider using automated tools that allow colleagues to request a risk, security and privacy impact assessment of systems they are planning, so everyone has a reasonable estimate and timeline. Involvement from security and privacy teams early on will save developers or program managers from having to make last-minute changes.
Security by design builds controls into the system as part of the initial specification so that when a program is ready to roll off the assembly line, stakeholders can have full confidence in its data protection elements.
Dana Simberkoff is chief compliance and risk officer for AvePoint.