Implementing a best practice approach to risk-based data protection


A standardized and repeatable process for the IT department and the program managers allows for advice, guidance and review of security and privacy at every step of the process.

As government agencies create participatory, transparent and collaborative environments for their employees and citizens, they are often responsible for collecting, using, appropriately sharing and protecting data. These central information repositories may become a treasure trove of sensitive information, making them a potential target for cyberattacks.

Data without controls creates operational, privacy and security gaps that can put an agency at risk. It invites unintended consequences and increases the potential for inadvertent or unauthorized disclosure of sensitive information. As agencies develop and implement their cloud and infrastructure consolidation strategies, they face the additional challenge of balancing access to information against protecting information that should not be available.

The explosion of data and rising expectations about data accessibility have introduced a more complex, evolving environment to protect. More applications and transactions happen over the internet, the cloud is completely changing notions of a digital perimeter, worker mobility is redefining the IT landscape and shadow IT is quickly becoming enterprise IT.

So what does this mean for the economics of a security program? How can agencies protect everything against everyone? It is imperative that compliance, governance and cyber assurance solutions for government data repositories and collaboration systems are established and sustained. This is the reality of the new cyber landscape:

Protect the weaker targets. While most organizations simply do not have the budget to protect against cyberwarfare, they can protect against attackers looking for weaker targets. Agencies can not only make it harder for people to attack their systems, but also make it less attractive to do so. Having proper protocols in place will likely ward off attackers looking for an easy conquest.

Security is about mitigating risk. In the absence of metrics, we tend to focus on risks that are familiar or recent. Unfortunately, that means we are often reactive rather than proactive, when what matters most is understanding how data, people and location weave together to create patterns across an organization. Only by understanding the data can agencies create effective protection.

The right thing should be easy to do. In the absence of a culture in which everyone understands that data protection is a part of their job, end users will make poor security choices. This means that systems must be easy to use securely and difficult to use insecurely. Create policies, rules and IT controls that make it easier for end users to do their jobs effectively with the approved systems and controls. At the end of the day, employees will do what they need to do to get their job done. Join them in making it simple to use the appropriate tools.

Protect data from insiders. Many breaches come from an attacker who is already inside. Whether intentional or not, insiders pose the greatest threat to data protection programs. Fortunately, this threat can be addressed by using a layered approach to data classification and ensuring that policies, training and tools are properly understood and integrated into the day-to-day tasks of the workforce.

Perfect security does not exist. In order to have a holistic and effective data privacy and security program, agencies must adopt a risk-based approach to implementing their data protection program.

Traditionally, there has been a perception that privacy is where IT projects go to die, and that security teams lead with "no." Whether that reputation is deserved or not, it is important for security and privacy officers, as well as legal counsel, to take the steps to bake privacy in as a fundamental ingredient of their development lifecycles.

So how can this work operationally?

Chief information security officers and chief privacy officers must partner with their IT and program managers to gain key executive sponsorship and cooperation with their departments and agency programs. Privacy teams cannot be in every meeting in which a new IT system, program or campaign is being contemplated, but they can develop a framework that can be used by IT departments to incorporate privacy best practices within their programs, IT systems and across the organization.

A standardized and repeatable process for the IT department and the program managers allows for advice, guidance and review at every step of the process. Consider using automated tools that allow colleagues to request a risk, security and privacy impact assessment of systems they are planning, so everyone has a realistic estimate of the effort involved and a timeline for completing it. Involving security and privacy teams early on will save developers and program managers from having to make last-minute changes.

Security by design builds controls into the system as part of the initial specification so that when a program is ready to roll off the assembly line, stakeholders can have full confidence in its data protection elements.
