Many surveys have suggested that the number of known records containing confidential personal information involved in security breaches measures in the hundreds of millions. In today's regulatory environment, the compromise of such confidential data costs more than consumer confidence and the price of resolution-it costs hard cash in the form of heavy fines. A number of high-profile laws and regulations require that companies take steps to protect personal data or face the consequences.
But how and where do we protect it, and how do we do it without adversely affecting the business?
Data at rest (on your disk drives) needs to be secured. We all make sure that the data centers are secure, access to the data is controlle
d, and tight physical controls are checked and rechecked, but we also need to ensure that data is not leaving the organization in an unauthorized way or, when authorized, in an insecure way. When it does, it is known as data leakage.
Our task is to minimize this risk, but how?
Here are some steps that you can do to help mitigate your risks:
1) Create a chart of "risk vectors." This is a list of all the ways data can leave your organization.
a. First, quantify each risk as a high, medium, or low. You can do this by creating a 1-100 scale, with 100 being "high risk" based on risk, probability, and impact. NIST 800-30, Risk Management Guide for Information Technology Systems, Section 3.7.1 does a great job of explaining how to quantify risks.
b. On a piece of paper or on your PC, draw a circle and put your company name in the middle. This represents your data. Draw lines coming out of your circle. At the end of each line, draw another, smaller circle, and in each circle, label the various ways data can leave your organization. These may include hackers, removable media, FTP, laptops, etc. Color these as follows:
RED = Unauthorized. These need to stop.
BLUE = Authorized. These need to be secured.
The larger the circle, the bigger the risk factor.
2) Prioritize each vector based on:
a. Cost of the solution
b. Amount of reduction of risk
c. Hours of resources needed
You may find you have some "low hanging fruit" and some costly but large-gain projects.
3) Create separate project teams to work on each risk vector, making sure they communicate often to maintain synergy between the teams.
4) Recalibrate every three months to take into account changing risks and priorities.
No one can ever stop all risks. If you try to, you may cripple your business. It is important to determine your target and create a metric to track your progress towards that goal. A risk vector chart can be an excellent tool to use not only for compliance and auditing, but for project overview and budgeting. Such a metric will help you communicate your team's progress every step of the way.
Bob Pappagianopoulos is the corporate director of Technical Services and Operations and CISO at Partners Healthcare System in Boston, MA. He is a member of the Security Executive Council and teaches at Northeastern University. For information about the Security Executive Council, visit www.csoexecutivecouncil.com/?sourceCode=std.
