Opinion: Is your data safe and sound?

Methods you can use to better protect one of your organisation’s most valuable assets.

Organisations invest a lot of time, money and effort in collecting, storing and mining data to derive positive outcomes for their business.

Throughout its lifecycle, data may be collected in various formats (electronic, paper, telephone) and converted to other formats (scanned documents, spreadsheets, database entries). It is possible that the data exists in many, or all, of these formats at once, particularly if the original is never deleted or destroyed.

Data is collected for a reason and it therefore has an intrinsic value. Organisations need to determine whether appropriate measures are in place to protect their investment in data. In order to protect data, organisations need to identify the following.

What type of data is it?
Determining what type of data you have is the first step to defining the appropriate controls to secure it. For example, many online merchants and their service providers store cardholder data (CHD) and are obliged to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Where is the data?
You need to know where the data is to properly protect it. As mentioned previously, data can exist in various formats throughout its lifecycle. Before converting data from one format to another, determine whether the original format is still required. If it is, it should be securely archived. If not, it should be securely purged.

Data could reside in computers and servers on-site, or off-site at a datacentre. Frequently, outsourced service providers are used and data may be stored on shared (multi-tenanted) infrastructure, particularly where cloud-based and virtualised services are used. Data can also sit on personal devices such as laptops, mobile phones and smartphones, and on removable storage such as USB keys.

Where data is stored in cloud services, the actual location of the data may also affect an organisation, as legal requirements may be imposed by the country where the data is stored. For example, some countries, such as the USA, have laws that compel service providers to disclose or make available data to authorities.

With some cloud service providers, the data may actually be spread across numerous international jurisdictions where interconnected data centres are located around the globe. This may further complicate compliance reporting and forensic investigations in the event they are required.

How and where is it stored?
Broadly, electronic data may be assigned to two classes: structured and unstructured data. Structured data is stored in databases; unstructured data is stored in a multitude of other locations such as file servers, emails and applications, and may be in a variety of document and image formats.

Whatever class and format the data is in, technology solutions are now available that enable organisations to control access to the data and also audit or report on the use of the data. This is of particular importance where regulations and standards demand strict controls for data, such as PCI DSS in relation to accessing credit card information.

Protective controls
Do you know who has access to your data? In general, access should be granted on a business need-to-know basis. This is a requirement when dealing with sensitive data, such as credit card data.

Do you have methods in place to restrict access? This could be done by physical measures (locks, doors, datacentres) and by logical measures (accounts, passwords, applications).

Has the data been protected in the system that is storing it? For example, if credit card information is stored it must either be encrypted or truncated. Have you taken reasonable measures to protect other information such as date of birth, residential address and any finance-related data? Is all access to data logged? Is it auditable?

How long can you retain data?
The period for which data can be stored will depend on the type of data collected. Data retention may also be regulated by industry, or by state and federal laws. For example, PCI DSS requires that audit trail history (of access to credit card data) be retained for at least one year, with a minimum of three months immediately available for analysis.
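As an added illustration (not code from the article or from Sense of Security), the Python below shows the two controls just discussed working together: a card number is truncated before it is written to an access log, and log entries are then sorted into the article's PCI DSS retention windows. It assumes the common first-six/last-four truncation format and counts the windows as 90 and 365 days.

```python
# Constructed example: PAN truncation for audit logs plus a retention check.
ONLINE_DAYS = 90    # at least three months immediately available for analysis
RETAIN_DAYS = 365   # at least one year of audit trail history


def truncate_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits kept.

    First-six/last-four is assumed here as the truncation format; every
    other digit is replaced with 'X' so the log never holds a full PAN.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def audit_event(user: str, record_id: int, pan: str, when: str) -> dict:
    """Build a log entry for an access to card data (date as ISO 'YYYY-MM-DD')."""
    return {"date": when, "user": user, "record": record_id,
            "pan": truncate_pan(pan)}


def _days_between(earlier: str, later: str) -> int:
    from datetime import date
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def retention_tier(event_date: str, today: str) -> str:
    """Classify an audit entry as 'online', 'archive' or 'purge' by age."""
    age = _days_between(event_date, today)
    if age <= ONLINE_DAYS:
        return "online"      # must stay immediately searchable
    if age <= RETAIN_DAYS:
        return "archive"     # keep, but may move to slower storage
    return "purge"           # past the retention period: securely delete


def apply_retention(events: list, today: str) -> dict:
    """Group log entries by the tier they belong in as of 'today'."""
    tiers = {"online": [], "archive": [], "purge": []}
    for event in events:
        tiers[retention_tier(event["date"], today)].append(event)
    return tiers


if __name__ == "__main__":
    log = [audit_event("alice", 7, "4111 1111 1111 1111", "2023-12-01"),
           audit_event("bob", 9, "378282246310005", "2023-06-01"),
           audit_event("carol", 2, "4111111111111111", "2022-06-01")]
    for tier, entries in apply_retention(log, "2024-01-01").items():
        print(tier, [(e["user"], e["pan"]) for e in entries])
```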

Data destruction
Once you no longer need data, appropriate measures are required to securely delete it. The archiving and purging methods you use will need to be commensurate with the value or sensitivity of the data.

Implications if compromised
The implications of a data breach can be very serious, ranging from reputational damage and financial losses to exposure to legal risks.

It’s also worth noting that the Australian Government is considering revisions to the Privacy Act to include provisions for mandatory disclosure in the event of a data breach. Consider the cost of being required to notify every record holder on your databases after only a partial breach, simply because you didn’t know which records were lost!

Murray Goldschmidt is co-founder and Chief Operating Officer at Sense of Security, an independent provider of information security and risk management consulting services.
