By: Nate Latessa
In a previous blog post, I discussed the importance of having a data map to effectively protect sensitive information. During my research, I discovered that only 54% of companies know where all of their sensitive data is stored, and I would argue that number is probably much lower. In my experience, even the companies that think they know where their sensitive data resides are not considering or aren’t aware of every possible location.
SENSITIVE DATA LOCATION
I recall doing a data map for a large corporation. During the fact-finding portion of our data mapping engagement, we were told that their employee data was stored in Workday and SAP. As we moved into the discovery phase, we started to find large amounts of unstructured sensitive data outside these platforms on workstations and fileshares, which matched the data in Workday and SAP. After speaking with employees in human resources, we uncovered a shadow process that was the cause of the leak. The same information entered into Workday also needed to be entered into SAP. The company had no direct integration between the two systems, but they did have the ability to create XML (text) exports from Workday and import that information into SAP. Once the XML files were imported, there was no formal process in place to delete those files – they were left on the machine unmonitored and mostly unprotected. We were able to correct the problem quickly, but this practice may not have been discovered until a breach occurred.
Knowing what data you have and where it’s located is a good first step, but it’s not enough. You also need to know how data flows in and out of your systems. It didn’t take much digging to uncover a shadow process in the example above. The unstructured data outside the system was just as valuable as the structured data inside the system. The organization had a false sense of security that it was adequately protecting employee data when in fact it was largely vulnerable. Knowing your data flows is a critical component to a good data map.
Once you know where your sensitive data resides and how information flows, it’s important to understand access controls – who or what can view or use a resource. In the same example above we found that some HR employees were exporting XML data from Workday to a fileshare instead of local workstations. An examination of the access controls on the fileshare showed that some employees, who should not have access to employee information, had full access to the data on the share. The data mapping exercise helped expose the potential risk of overly broad privileged access rights and helped the company adopt a principle of least privilege policy.
AUDIT & REPEAT
Understanding where sensitive information resides, how it flows through your organization and who has access to that information is critical to protecting your data from cybersecurity threats, limiting exposure to non-compliance events and reducing the cost and burden of eDiscovery. Once you have a data map, it’s important to regularly audit and update it. New systems and updates to existing systems can change data flow; new employees joining and existing employees leaving or changing roles can affect how and where data is stored and managed; new and emerging compliance and privacy regulations can have an affect how you use and store information; and the evolving landscape from both internal and external threats must be constantly evaluated. Data maps should be audited and updated regularly to keep up with changes in your business.
Creating a data map can sound like a massive undertaking and without the right resources, it can be. The experts at Innovative Discovery are uniquely qualified to get your data mapping project off the ground. Contact us today to learn how to get started.