By Rob Monnes, CPA,
CISA, Beacon Mutual Insurance Company, Rhode Island
It has become increasingly common to hear or
read about lost, stolen, or compromised data. Laptops stolen
out of cars, backup data tapes left on the subway, networks hacked
through Web sites, and the list goes on. The impacts are also
well known: reputational damage to the company, regulatory
violations and fines, costs to monitor customers’ or employees’
credit, and potential lawsuits, among others. Frightening
indeed.
However, a surprisingly large number of organizations still do not
have a full understanding of how their data is exposed to those
outside the company or where it ends up. As a result, it
is difficult to ensure that the appropriate data safeguards are in
place and operating effectively. Where do you start?
Begin by inventorying the methods by which data can leave the company, categorized in two ways:
- External transmission (e.g. file feeds to vendors, agent reports, e-mail, fax, discarded documents, etc.)
- External access by employees and other third parties (e.g. remotely logging into the corporate network or Web site, Blackberries, flash drives, backup tapes, etc.)
For each transmission and access method, it is
important to identify and document what data is involved and its
degree of sensitivity, as defined by the company’s internal
policies and external regulatory bodies. It is also important
to document who is responsible for the data, who is able to view
the data and for what business purpose. One of the benefits of
such an analysis is providing a quick determination of which data
transmissions and accesses no longer have a valid business purpose
and can be shut off. This eliminates exposures outright and
may yield operational efficiencies by reducing the number of data feeds
and reports produced and reviewed.
Once the detailed external data inventory is finalized, a
prioritized risk-based approach can be used to ensure adequate data
controls are aligned according to the sensitivity of the data
involved. The foundation of such a risk-based data
controls program is created by two components: people and
technology.
People. The easiest data breaches to prevent are those caused
by inappropriate transmissions of data by employees, whether
inadvertent or not. On the external access side, employees are
likely to lose data on unsecured flash drives, laptops, Blackberries,
or misplaced backup tapes. For malicious third parties, it is usually much easier to capitalize
on lapses in employee behavior, such as simply asking for and receiving sensitive
data from unwitting employees or intercepting carelessly sent data
communications, than to hack into a company's systems.
Therefore, a strong, detailed corporate security policy, which
clearly governs employees’ data handling and security behavior, is
a high priority. This policy should address all modes of data
communication, including discussions of confidential data;
non-disclosure of system passwords; e-mail best practices; and
production, custody, and destruction of sensitive documents. For the security policy to effectively mitigate employee behavioral
risks, management must measure and monitor employee compliance and
periodically provide employee training and data security awareness
programs.
A well worn cliché says that data security and
related technology controls can only be as strong as the employees
supporting them.
Technology.
The strength of the technology used to secure data transmissions
such as data feeds, Web site downloads, and e-mail should be assessed
for adequacy and effectiveness in relation to the risk-prioritized
data inventory. The analysis should determine whether each
outgoing data feed and e-mail is appropriately encrypted for the sensitivity of the data it carries; whether
critical outgoing data files (e.g. spreadsheets) should be password
protected, bearing in mind that a document password is only as strong as the application's
encryption and the way the password is shared with the recipient; and whether company Web site downloads are providing too much
and/or unnecessary sensitive information.
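As an added illustration (not from the original article), the script below applies the approach described above in two places: the external data inventory, where each transmission and access method is recorded with its data, sensitivity, owner and business purpose, and the technology assessment, where each method's protection is compared against what the data's sensitivity requires. It flags inventory entries with no valid business purpose for shut-off, entries whose control falls below an assumed minimum for their sensitivity level, and entries whose recipient or access list is overdue for review, then orders the findings. The sensitivity levels, control rankings, review interval, priority weights and sample inventory rows are all assumptions standing in for a company's own classification policy and real data flows.

```python
from dataclasses import dataclass
from typing import List

# Assumed sensitivity classification, lowest to highest. A real program takes
# these levels from the company's own policy and the regulations that apply.
SENSITIVITY = ["public", "internal", "confidential", "restricted"]

# Assumed ranking of protection on the channel or device, weakest to strongest.
CONTROLS = ["none", "password_protected_file", "encrypted_in_transit",
            "encrypted_in_transit_and_at_rest"]

# Assumed policy: weakest acceptable control for each sensitivity level.
MINIMUM_CONTROL = {
    "public": "none",
    "internal": "encrypted_in_transit",
    "confidential": "encrypted_in_transit",
    "restricted": "encrypted_in_transit_and_at_rest",
}

# Assumed policy: recipient / access lists must be re-approved this often.
MAX_DAYS_SINCE_REVIEW = 180


@dataclass
class DataFlow:
    name: str               # e.g. "claims feed to reinsurer"
    kind: str               # "transmission" (data sent out) or "access" (outsider reaches in)
    data: str               # what data is involved
    sensitivity: str        # one of SENSITIVITY
    owner: str              # who is responsible for the data
    business_purpose: str   # empty string means no valid purpose is on record
    control: str            # one of CONTROLS
    days_since_review: int  # days since the recipient/access list was last approved


@dataclass
class Finding:
    flow: str
    issue: str
    priority: int  # higher means fix first


def review_inventory(flows: List[DataFlow]) -> List[Finding]:
    """Turn the raw inventory into a prioritized list of actions.

    Ordering (an assumed policy choice): flows with no business purpose first,
    since shutting them off removes the exposure outright; then control gaps,
    by sensitivity and then by how far below the minimum the control is;
    then overdue access reviews, by sensitivity.
    """
    findings: List[Finding] = []
    for f in flows:
        if f.sensitivity not in SENSITIVITY or f.control not in CONTROLS:
            raise ValueError(f"{f.name}: unknown sensitivity or control")
        sens = SENSITIVITY.index(f.sensitivity)

        if not f.business_purpose.strip():
            findings.append(Finding(f.name, "no valid business purpose: shut off",
                                    priority=300 + sens))
            continue  # no point grading controls on a flow that should not exist

        required = MINIMUM_CONTROL[f.sensitivity]
        gap = CONTROLS.index(required) - CONTROLS.index(f.control)
        if gap > 0:
            findings.append(Finding(
                f.name,
                f"control below minimum: has {f.control}, needs {required}",
                priority=200 + sens * 10 + gap))

        if f.days_since_review > MAX_DAYS_SINCE_REVIEW:
            findings.append(Finding(
                f.name,
                f"recipient/access list not reviewed for {f.days_since_review} days",
                priority=100 + sens))

    findings.sort(key=lambda x: x.priority, reverse=True)
    return findings


# Constructed sample inventory for illustration only; not real data flows.
SAMPLE_INVENTORY = [
    DataFlow("claims feed to reinsurer", "transmission", "claimant names, SSNs, medical notes",
             "restricted", "Claims Ops", "monthly reinsurance reporting",
             "encrypted_in_transit", 30),
    DataFlow("agent commission report by e-mail", "transmission", "agent names, commission totals",
             "confidential", "Finance", "monthly commission statements", "none", 400),
    DataFlow("legacy premium extract to former vendor", "transmission", "policyholder names, addresses",
             "confidential", "IT", "", "password_protected_file", 900),
    DataFlow("rate filings on public Web site", "transmission", "approved rate tables",
             "public", "Actuarial", "regulatory transparency", "none", 60),
    DataFlow("remote VPN for field adjusters", "access", "claim files",
             "restricted", "Claims Ops", "field adjusting", "encrypted_in_transit_and_at_rest", 200),
]


if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print(f"[{finding.priority:3d}] {finding.flow}: {finding.issue}")
```

Run as a script, it lists the unused legacy extract first (shut it off), then the restricted reinsurer feed that is encrypted in transit but not at rest, then the commission report e-mailed with no protection, and finally the two overdue access reviews. The priority weights are deliberately coarse; the point is that the ordering follows the sensitivity recorded in the inventory rather than whichever feed someone happens to notice first.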
For external access to company data, the
inventory of sensitive data should identify the systems and devices
through which data can be externally viewed, copied, and edited.
Both the systems and devices must be physically secured at all times
and require strong authentication: complex passwords at a minimum, changed when there is reason to believe they are compromised, and a second authentication factor for remote access where the platform supports it. Further, management should ensure that the list of employees and
external parties with viewing, copying, and editing rights is
periodically reviewed and approved for appropriateness.
In an attempt to identify and remediate
technology security vulnerabilities, management should consider
periodically performing attack and penetration testing to simulate
data hacking attempts by malicious third parties.
Additionally, the company's data controls
program must extend to external third parties handling sensitive
data. If a third party cannot provide a SAS 70
controls report (since superseded by SSAE 16/SOC reports, of which SOC 2 is the one that addresses security and privacy) or the report it provides does not cover data security and
privacy, management should verify directly with the third party that such
controls are adequately in place.
In summary, it is imperative to perform a
periodic evaluation of what data is transmitted and accessed outside
the company and determine whether the company’s existing security
controls program and employee behaviors sufficiently mitigate the
risk of sensitive data loss. And that will help everyone get a
better night’s sleep.