Where are your crown jewels?

June 2019 Commercial (Industry), Cyber Security, Security Services & Risk Management

We have all heard of the missing sock theories and conspiracies. We know for a fact that it went into the washing machine, but it has suddenly vanished. It has to be somewhere, but where? Such a minor occurrence can be irritating, so imagine extrapolating that scenario into the business world where no one knows the whereabouts and details of huge amounts of personal data.

Craig Rosewarne

Consider our humble sock (data) being part of a whole bundle of washing delivered to the laundromat. Once delivery has taken place, who assumes accountability for the whole load? Ultimately it has to be the owner of the business, the data owner. Other workers may take care of different parts (pants, shirts, dry cleaning, etc.) and they take on the roles of data stewards.

Understanding what data they store and analyse is gaining increasing urgency for organisations that are now accountable to new(ish) privacy regulations such as the EU’s General Data Privacy Regulation (GDPR) and our country’s Protection of Personal Information Act (PoPIA). Historically, companies have invested in various technologies to create an inventory of their physical assets (servers, PCs, etc.) but fell behind in the latest methods to find, map and inventory their data assets.

In simple terms, the purpose of the PoPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way. The PoPIA legislation basically considers your personal information to be ‘precious goods’ (content granularity) and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over ownership, processing, consent, reasons, purpose, access, removal, safeguarding and accuracy (See https://www.workpool.co/featured/popi for more information).

What are the basics needed to set up a data registry?

Create an inclusive list of what data is kept, where and why. Creating an enormous data warehouse will simply muddy already muddy waters. Continuously backing up huge amounts of duplicated data will severely hurt your storage capabilities and add to costs. It is far simpler, more realistic and more cost effective to create the registry as an index-like map focusing on five functional and operational characteristics:

1. Content granularity: As discussed above.

2. Usage context: This requires operational, technical and business knowledge, such as who can access this data, what applications are consuming the data, what third parties have access to the data, what the purpose is for collecting this data, and whether the organisation has adequate consent to collect and process the data.

3. Data source coverage: Organisations need to create a process that covers both unstructured file shares and structured databases, big data, cloud, NoSQL, logs, mail, messaging, applications and more.

4. Ability to scale: Organisations gather and analyse tens, if not hundreds, of petabytes of data. A petabyte of data is the equivalent of one million gigabytes. With increasing pressure to extract more value from data, this number is only increasing. A modern data registry not only needs to deliver an efficient index of data along with associated usage, but it must do so in a way that is scalable for a global enterprise.

5. Dynamic, not static: Once a data registry is established, it is not the time to rest on your laurels. It must be anticipated that data could be moved or changed on a regular basis. The registry should also be able to update itself and reflect any changes as close to real time as possible, to provide a clear, accurate picture of what data is kept where, when, and who it belongs to. (See more at https://www.helpnetsecurity.com/2019/04/19/modern-data-registry/)

Enhancing the above ‘Data Governance 101’ will entail a further feature on its own. In summary, the crucial question is why this issue has become so vital to running a successful business. In the not too recent past, most companies, firms, practices and individuals had major problems in handling clients’ personal information. Remember filing cabinets groaning and bursting at the seams, personal files tattered and torn, document rooms with a rudimentary filing system that only allowed certain people with certain knowledge access?

Libraries, on the other hand, were (and still are) models of data governance. An experienced librarian could access the reading matter you needed in minutes thanks to the excellent Dewey Decimal Classification System. The benefits of data governance are a no-brainer:

• Data sharing: Many people in a company work on the same project, and being able to easily find the file you need and share it will be a load off your shoulders.

• Reusing data: Most documents can be sanitised and reused for many different projects with the minimal insertion of personal information and branding. It also helps eliminate unnecessary exchange of different versions of the same document.

• Analysing data: Management decisions rely on the analysis of data at hand to judge the direction a company is heading in. This is particularly the case in fast-growing small businesses, which can be caught short if the wrong choices are made.

• Backing up data: Speaks for itself. The damage a crashed hard drive can cause can be mitigated by data governance and simplified backups of data.

For more information contact Wolfpack Information Risk, +27 11 794 7322, info@wolfpackrisk.com, www.wolfpackrisk.com

