Companies of all sizes become the victims of their own ignorance when a breach exposes data they didn’t even know they had. If it’s true that “you can’t fix what you don’t know is broken,” then it should follow that “you can’t protect what you don’t know you have.” The first job of protection is to know what needs protecting. Before you build the fence you need to know what you’re putting in the field. You need to take stock of what you have.
Stand and be counted
From a security point of view, there are three areas to inventory: the assets, the people and the data. Most organizations already “inventory the headcount” as part of ongoing compliance efforts such as Sarbanes-Oxley. Assets (both hardware and software) are likely accounted for through the purchasing process. You should likewise know what types of data exist across the myriad storage arrays and devices in the organization, because that knowledge informs where to place your defenses to best protect the most sensitive data. But that’s the rub. How do you inventory data?
It’s 11:00 PM. Do you know where your data is?
For some, the first step is simply finding the data: discovery comes before everything else. Once you know where the data is, enumerate it by type (contact lists, payment and account details, credentials, and so on). Knowing which types of data exist within the organization lets you proceed to the next step: classification.
A classification is simply a rating of the sensitivity of data, so that you know which controls, safeguards and countermeasures are appropriate for protecting each data type. Simple is better: most classification systems use three or four levels, such as Public, Private and Restricted. A marketing brochure is Public. A departmental phone contact sheet is Private. Details about your security systems or financial accounts are Restricted and therefore require the strongest safeguards. When a file or system holds several types, it takes the classification of the most sensitive one it contains.
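The discovery and classification steps described above, as an added example that is not part of the original article: a small Python scanner that enumerates data types in a set of files by pattern, applies a second-stage check to cut false positives (a Luhn test on anything that merely looks like a card number), and rolls each file up to the classification of the most sensitive type found. The detector set, the Public/Private/Restricted mapping and the sample files are assumptions constructed for illustration.

```python
import re
from typing import Callable, Dict, NamedTuple, Optional

# Sensitivity ranking used to roll findings up to a single label per file.
LEVELS = {"Public": 0, "Private": 1, "Restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out 16-digit numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class Detector(NamedTuple):
    data_type: str
    pattern: re.Pattern
    classification: str
    validate: Optional[Callable[[str], bool]]  # second-stage check on each raw match


# Assumed detector set and classifications (illustrative, not the article's).
DETECTORS = [
    Detector("payment_card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "Restricted",
             lambda m: luhn_ok(re.sub(r"\D", "", m))),
    Detector("credential", re.compile(r"^[A-Z_]*(?:PASSWORD|SECRET)[A-Z_]*=\S+", re.I | re.M),
             "Restricted", None),
    Detector("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "Private", None),
]

# Constructed sample "files" standing in for what discovery turns up; nothing here is real data.
SAMPLE_FILES = {
    "marketing/brochure.txt": "Acme Widgets: the best widgets since 1999. Visit acme.example today.",
    "hr/phone_sheet.txt": "Jane Doe, ext 4421, jane.doe@acme.example\nJohn Roe, ext 4422, john.roe@acme.example",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,5500 0000 0000 0004",
    "ops/backup.env": "DB_PASSWORD=CHANGEME\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "notes/typo.txt": "ref 4111 1111 1111 1112",  # card-shaped but fails Luhn: must not be flagged
}


def find_data_types(text: str) -> Dict[str, int]:
    """Count validated hits per data type in one file's contents."""
    found: Dict[str, int] = {}
    for det in DETECTORS:
        hits = [m.group(0) for m in det.pattern.finditer(text)]
        if det.validate is not None:
            hits = [h for h in hits if det.validate(h)]
        if hits:
            found[det.data_type] = len(hits)
    return found


def classify(found: Dict[str, int]) -> str:
    """A file takes the classification of the most sensitive data type it holds."""
    label = "Public"
    for det in DETECTORS:
        if det.data_type in found and LEVELS[det.classification] > LEVELS[label]:
            label = det.classification
    return label


def inventory(files: Dict[str, str]) -> Dict[str, dict]:
    """Map each path to its discovered data types and the resulting classification."""
    result: Dict[str, dict] = {}
    for path, text in files.items():
        found = find_data_types(text)
        result[path] = {"types": found, "classification": classify(found)}
    return result


if __name__ == "__main__":
    for path, info in inventory(SAMPLE_FILES).items():
        print(f"{info['classification']:<10} {path}  {info['types']}")
```

The second-stage validator is the part worth copying: a regex alone would have marked notes/typo.txt as Restricted, and in a real estate that kind of noise is what makes people stop trusting the inventory.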
Mapping the flow
Data mapping is a deliberate exercise to identify how specific sensitive data types move through the organization’s “plumbing,” in order to find the red flags of potential exposure, alteration or improper destruction. This means examining the safeguards protecting the data both in motion and at rest, at every hop along the way, including the places it comes to rest that nobody planned for. Data mapping is time consuming (if done properly) but is one of the most rewarding, and most overlooked, activities a security program can undertake. It provides a level of clarity and insight that enhances every other aspect of security, and it exposes opportunities to reduce cost and improve efficiency across the entire security architecture. But to get there, you must first know what you have.
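The data-mapping exercise above, as an added example that is not part of the original article: a Python model of a data map as stores plus flows, walked to report the red flags the text names (exposure in motion, exposure at rest, improper destruction) and a fourth one the inventory theme implies, data landing in a store that was never inventoried. The policy rules (anything above Public must travel encrypted; Restricted must also be encrypted at rest and have a retention limit), the channel list and the fictional retailer’s map are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = {"Public": 0, "Private": 1, "Restricted": 2}

# Assumed example policy (not from the article): anything above Public must travel over an
# encrypted channel; Restricted data must also be encrypted at rest and have a retention limit.
ENCRYPTED_CHANNELS = {"https", "sftp", "ssh", "smtps"}


@dataclass
class Store:
    name: str
    encrypted_at_rest: bool
    retention_days: Optional[int]  # None: no destruction policy defined


@dataclass
class Flow:
    src: str
    dst: str
    data_type: str
    classification: str
    channel: str


# Constructed data map for a fictional retailer; names and settings are made up for illustration.
STORES: Dict[str, Store] = {s.name: s for s in [
    Store("webshop", True, 30),
    Store("payments-db", True, 400),
    Store("reporting-share", False, None),
    Store("hr-wiki", True, None),
    Store("marketing-cdn", False, None),
]}

FLOWS: List[Flow] = [
    Flow("customer", "webshop", "payment_card", "Restricted", "https"),
    Flow("webshop", "payments-db", "payment_card", "Restricted", "https"),
    Flow("payments-db", "reporting-share", "payment_card", "Restricted", "smb"),
    Flow("reporting-share", "contractor-laptop", "payment_card", "Restricted", "sftp"),
    Flow("hr-system", "hr-wiki", "phone_sheet", "Private", "http"),
    Flow("webshop", "marketing-cdn", "brochure", "Public", "http"),
]


def holdings(flows: List[Flow]) -> Dict[str, Dict[str, str]]:
    """Every flow's destination ends up holding that data: store -> {data_type: classification}."""
    held: Dict[str, Dict[str, str]] = {}
    for f in flows:
        held.setdefault(f.dst, {})[f.data_type] = f.classification
    return held


def stores_holding(flows: List[Flow], classification: str) -> List[str]:
    """Which stores hold data of a given classification, whether or not anyone planned it."""
    return sorted(name for name, held in holdings(flows).items() if classification in held.values())


def red_flags(stores: Dict[str, Store], flows: List[Flow]) -> List[str]:
    """Walk the map and report exposure in motion, exposure at rest, missing destruction
    and destinations that are absent from the store inventory."""
    flags: List[str] = []
    for f in flows:
        if LEVELS[f.classification] > LEVELS["Public"] and f.channel not in ENCRYPTED_CHANNELS:
            flags.append(f"exposure in motion: {f.data_type} ({f.classification}) "
                         f"{f.src}->{f.dst} over {f.channel}")
    for name, held in holdings(flows).items():
        store = stores.get(name)
        for data_type, cls in held.items():
            if store is None:
                flags.append(f"uninventoried store: {name} holds {data_type} ({cls})")
            elif cls == "Restricted":
                if not store.encrypted_at_rest:
                    flags.append(f"exposure at rest: {data_type} in {name} is not encrypted at rest")
                if store.retention_days is None:
                    flags.append(f"improper destruction: {data_type} in {name} has no retention limit")
    return flags


if __name__ == "__main__":
    print("Restricted data rests in:", stores_holding(FLOWS, "Restricted"))
    for flag in red_flags(STORES, FLOWS):
        print("RED FLAG", flag)
```

The useful output is not the list of rules, which any policy document already has, but the fact that card data turns out to rest on a reporting share and a contractor laptop: the first two hops of the flow are textbook, and the exposure only shows up once the map is followed to the end.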