With an ever-expanding collection of corporate data, organizations face more challenges than ever before in protecting their data. Data of all types may be stored in the cloud, in on-premises repositories, or even on employees’ personal laptops and mobile devices, making an understanding of what data an organization handles, how it is being used and stored and how it can be protected more complicated than ever before.
By answering these essential questions, organizations can be empowered to protect data throughout its lifecycle. A structured approach to data protection is centered around the basics: people, processes and technology. These foundational principles can ground a sustainable data protection program (DPP) to solve today’s challenges, while preparing for the future, no matter where organizations are in the process.
As DPP development begins, it is vital to identify key program stakeholders who can bring perspective from across the organization. Data protection is not just a technology or security problem, but one that affects the entire business, so continuously seeking business buy-in and input is crucial to its success. Stakeholder outreach can take many forms, such as regular committee meetings incorporating status updates regarding accomplishments, risks, blockers and next steps. A periodic outreach campaign should be established, including additional interviews and working sessions with key leaders throughout the process to ensure business involvement and input are shaping the program throughout its maturity.
In addition to identifying business leaders and stakeholders, roles and responsibilities should be defined for the employees and teams responsible for program strategy, technology engineering, user support and data incident response. This may include members of the organization’s information technology, cybersecurity, legal and compliance teams in addition to the business. An example of a key role to be identified would be business data owners, who are responsible for determining the appropriateness of access to data and approving such access on a need-to-know basis. Roles often vary based on organizational structure and industry but must be defined and documented to ensure accountability for key areas and tasks throughout the data protection program development.
Once key stakeholders are identified and the roles for those involved in the organization are defined, the process development phase should begin, structuring the organization’s key drivers for implementing a data protection program. These drivers may range from protecting the organization’s brand reputation and customer trust, complying with emerging regulatory and compliance requirements, data protection requirements from the business, optimizing technology investments, or responding to pressure from the board and third parties. Identifying drivers from the start allows all stakeholders to measure current progress against the key objectives that should come out of its deployment.
At the start of the project kickoff, the first task should be to develop a comprehensive data inventory to guide conversations around what data should be protected. Develop this inventory by performing interviews with various business unit leaders to understand what types of data each business unit works with and gather additional context. These small group working sessions should include gathering metadata such as a description of the dataset, file types, storage locations, business purpose and acceptable handling guidelines to paint a complete picture of the role the data set plays in the business and what protection requirements are necessary. This information can be used to document the data flows of sensitive data to ensure the storage repositories and data transmission methods are understood and can be easily conveyed to stakeholders for training, protection and compliance purposes.
Following the initial intake process and development of the data inventory, policies and procedures should be established to standardize classification guidance, acceptable storage and handling of sensitive data. This should include the development of a data protection policy, along with any other supplemental policies and procedures, that clearly define organization-wide standards for the storage, access, transmission and deletion of sensitive data.
Once the DPP has been initiated, the organization should work to establish uniform reporting capabilities to ensure accurate measurement of the program’s process towards defined goals and outcomes. This includes communicating metrics to relevant individuals and management. Metrics often vary between organizations and industries, making it essential that stakeholders be heavily involved when establishing which metrics should be tracked in reporting. Once metrics are finalized, they can be highlighted in ongoing reporting and used to measure program progress and assess effectiveness of technical controls.
In tandem with the lack of visibility into organizational data, organizations often do not understand the coverage and level of risk mitigation of their existing technologies. Before jumping straight into implementing data protection solutions, it is important to understand the existing capabilities’ coverage across applications, workstations, mobile devices and databases. Perform an assessment of the tools currently used across the enterprise, including identifying capabilities, integrations and gaps in coverage. Gaining this understanding of current tool coverage yields many benefits, including identifying technology redundancy, potential misconfigurations and opportunities to implement additional tools where necessary, all reducing the risk surface to an acceptable level for the organization.
While working through a rollout, organizations should leverage a crawl, walk, run approach when deploying and testing capabilities. This involves a staged rollout that incorporates testing, validation and iterative deployment at every step of the process. Once the technology landscape has been inventoried, organizations should look to leverage out-of-the-box capabilities in monitoring mode to gain visibility into movement of sensitive data within the business. These policies can be scoped to sensitive data of interest to the organization and can monitor areas such as email transmissions, cloud storage locations, workstations, mobile devices, on-premises repositories and databases. The information gathered from these policies enables the organization to see what sensitive data is currently being stored and sent in real-time and can help supplement interviews and working sessions and standardize reports for stakeholders.
Once stakeholders have assessed the results from monitoring mode, policies can be expanded to enforce active protective controls on sensitive data. These protections should balance the organization’s risk tolerance with potential impacts on existing business processes to be effective in minimizing exposure of sensitive data while avoiding disruption to employees’ day-to-day workflow. Protections may include encryption, tokenization and restrictions on use of removable media or web and cloud applications.
Deploying a DPP is a high-touch, high-impact initiative, so it is essential to engage organizational change management to ensure proper communication, training and awareness are distributed for each protection enabled. This includes periodic announcements, upcoming changes, expected impacts and relevant highlights and news.
An effective DPP combines a solid foundation of policy guidelines with a dedicated team of individuals and optimal use of leading data protection tools. Understanding the key drivers underlying the organization’s push to establish a data protection program enables a tailored solution that addresses an organization’s current state and risks. Leveraging a structured approach around people, processes and technology empowers the organization to identify who needs to be involved, what data needs to be protected, how to protect it and ultimately how to support these goals through business processes to ensure program effectiveness.