Incident response and establishing the hierarchy of data
- Published: Tuesday, 31 May 2016 07:10
Nick Pollard outlines the key steps that will help organizations not only understand the value of their data, but can also help to build a more risk-based and tailored incident response plan.
With one corporate data breach after another hitting the news – and a growing awareness that no organization is immune to attacks - cyber security has, increasingly, become a matter of strategic importance. With implementation of the EU Data Protection Regulation on the horizon, organizations have an added impetus to ensure that all personally identifiable information (PII) is secured, protected and that adequate safeguards are in place to protect against loss or theft. The prospect of hefty fines for data breaches – up to 4 percent of a company’s global annual turnover – and breach notification requirements, organizations need to get their house in order when it comes to the processes and technology governing the way that data is stored and managed.
However, there’s a wider issue at play when it comes to building in adequate security protections for data. The fact is that not all data is ‘created equal’ and within organizations there’s a hierarchy that exists, which will determine not only the risk associated with the loss of different data, but also the appropriate response to put into action should an incident occur. Aligning this response to different data sets - be it intellectual property, medical records, credit card information, personnel records or payroll detail - is key. It lays the foundations for a more pragmatic, proportionate and efficient response, helping to save valuable time in the aftermath of a breach and ensuring that priorities are set according to the sensitive data profile.
Taking stock of data
Incident response can’t be based on a one-size-fits all approach; incidents can come in all shapes and sizes, ranging from relatively minor breaches with minimal impact on an organization’s sensitive data assets, to those involving millions of compromised or lost records and the ensuing negative publicity.
The loss of thousands of customer records would require a different response than that of the loss of a new product design or marketing plan. Whilst a blueprint or new product launch information is valuable in the hands of a competitor it wouldn’t have the same ‘street’ value as records containing personal information. A risk assessment needs to have a nuanced approach to account for these differences.
Here I outline the key steps that will help organizations not only understand the value of their data, but can also help to build a more tailored response plan:
Understand your data
- Take a thorough audit of your IT estate to ensure that you have the full picture on sensitive data locations, including both internal and external IT services.
- Understand the location of this data. One of the big challenges of fast changing and hybrid corporate IT environments is that data is more fluid than ever, so you not only need to understand where data is stored, but also how it moves through an organization. There is more data held across more data locations, and on more endpoint devices, than ever before. Ensure that adequate safeguards are in place to restrict the movement of sensitive data within and beyond the organization.
- Identify the high worth data. This will vary according to a number of factors from the organization’s size and sector to regulatory factors. It should also take into account the cost of downtime / replacing or recovering this data, the financial impact in terms of the organization’s reputation and, for public companies, how it would impact the organization’s share price, credit rating, and regulatory burden.
Inform and educate
- Once you have mapped the hierarchy of your data, make sure that all relevant teams have been included in the process so that no surprises are uncovered further down the line. Involve teams across departments so that the information security team knows where the most valuable data and documents are and can apply the appropriate security controls.
- Staff also need to be part of this process. From my experience in working with organizations, I’ve found that showing staff that data has a monetary value associated with it - just like any other physical asset - has had a significant impact on their perception of its importance. Reinforcing its commercial value also helps them to understand that security is not just policy for policy’s sake.
Tailor the Response Plan
- Once you have a profile of where the most significant risks are, crisis management plans can then be tailored accordingly, so that proportionate measures are in place to cover different scenarios. Protecting sensitive data involves a chain of decisions that impact different departments across an organization from IT to legal, PR and HR. With a well-documented and tailored plan, individuals across the organization will know the correct processes and their responsibilities, according to different incident types.
Nick Pollard is UK General Manager, Guidance Software.