Where are your crown jewels?

June 2019 Commercial (Industry), Cyber Security, Security Services & Risk Management

We have all heard of the missing sock theories and conspiracies. We know for a fact that it went into the washing machine, but it has suddenly vanished. It has to be somewhere, but where? Such a minor occurrence can be irritating, so imagine extrapolating that scenario into the business world where no one knows the whereabouts and details of huge amounts of personal data.

Craig Rosewarne
Craig Rosewarne

Consider our humble sock (data) being part of a whole bundle of washing delivered to the laundromat. Once delivery has taken place, who assumes accountability for the whole load? Ultimately it has to be the owner of the business, the data owner. Other workers may take care of different parts (pants, shirts, dry cleaning, etc.) and they take on the roles of data stewards.

Understanding what data they store and analyse is gaining increasing urgency for organisations that are now accountable to new(ish) privacy regulations such as the EU’s General Data Privacy Regulation (GDPR) and our country’s Protection of Personal Information Act (PoPIA). Historically, companies have invested in various technologies to create an inventory of their physical assets (servers, PCs, etc.) but fell behind in the latest methods to find, map and inventory their data assets.

In simple terms, the purpose of the PoPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way. The PoPIA legislation basically considers your personal information to be ‘precious goods’ (content granularity) and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over ownership, processing, consent, reasons, purpose, access, removal, safeguarding and accuracy (See https://www.workpool.co/featured/popi for more information).

What are the basics needed to set-up a data registry?

Create an inclusive list of what data is kept, where and why. Creating an enormous data warehouse will be simply muddying already muddy waters. Continuously backing up huge amounts of duplicated data will severely hurt your storage capabilities and add to costs. It is far more simplistic, realistic and cost effective to create the registry in an index-like map focusing on five functionality and operational characteristics:

1. Content granularity: As discussed above.

2. Usage context: This requires operational, technical and business knowledge, such as who can access this data, what applications are consuming the data, what third-parties have access to the data, what is the purpose for collecting this data and does the organisation have adequate consent to collect and process the data.

3. Data source coverage: Organisations need to create a process that covers both unstructured file shares and structured databases, big data, cloud, NoSQL, logs, mail, messaging, applications and more.

4. Ability to scale: Organisations gather and analyse tens, if not hundreds of petabytes of data. A petabyte of data is the equivalent of one million gigabytes. With increasing pressure to extract more value from data, this number is only increasing. A modern data registry not only needs to deliver an efficient index of data along with associated usage, but it must do so in a way that is scalable for a global enterprise.

Dynamic not static: Once a data registry is established, it is not the time to rest on your laurels. It must be anticipated that it could be moved or changed on a regular basis. The register should also have the ability to self-update and be compatible to any changes in as near-time as possible to provide a clear accurate picture of what data is kept where, when and who it belongs to. (See more at https://www.helpnetsecurity.com/2019/04/19/modern-data-registry/)

Enhancing the above ‘Data Governance 101’ will entail a further feature on its own. In summary, the crucial question is why this issue has become so vital to running a successful business. In the not too recent past, most companies, firms, practices and individuals had major problems in handling clients’ personal information. Remember filing cabinets groaning and bursting at the seams, personal files tattered and torn, document rooms with a rudimentary filing system that only allowed certain people with certain knowledge access?

Libraries on the other hand were (and still are) models of data governance. An experienced librarian could access the reading matter you needed in minutes thanks to the excellent Dewey Decimal Classification System. A brief no brainer would be the following benefits:

• Data sharing: Many people in a company work on the same project and easily finding a file you need and sharing it will be a load off your shoulders.

• Reusing data: Most documents can be sanitised and reused for many different projects with the minimal insertion of personal information and branding. It also helps eliminate unnecessary exchange of different versions of the same document.

• Analysing data: Management decisions rely on the analysis of data at hand to judge the direction a company is heading in. This is particularly the case in fast growing small businesses who can be caught short if the wrong choices are made.

• Backing up data: Speaks for itself. The damage a crashed hard drive can cause can be mitigated by data governance and simplified backups of data.

For more information contact Wolfpack Information Risk, +27 11 794 7322, [email protected], www.wolfpackrisk.com<a?

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Industrial control systems under attack
News Cyber Security
According to Kaspersky ICS CERT statistics, from January to September 2022, 38% of computers in the industrial control systems (ICS) environment in the META region were attacked using multiple means.

Top fraud trends to watch in 2023
News Security Services & Risk Management
Even though financial concerns remain a significant obstacle for companies in implementing new anti-fraud technologies, 60% of businesses expect an increase in their anti-fraud technology budgets in the next two years.

Be cautious when receiving deliveries at home
News Perimeter Security, Alarms & Intruder Detection Security Services & Risk Management
Community reports of residents being held up at their gate when collecting fast food deliveries at home are once again surfacing.

Sasol ensures Zero Trust for SAP financials with bioLock
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Multi-factor authentication, including biometrics, for SAP Financials from realtime North America prevents financial compliance avoidance for Sasol.

Accelerating your Zero Trust journey in manufacturing
IT infrastructure Cyber Security Industrial (Industry)
Francois van Hirtum, CTO of Obscure Technologies, advises manufacturers on a strategic approach to safeguarding their businesses against cyber breaches.

Protecting yourself from DDoS attacks
Cyber Security Security Services & Risk Management
A DDoS attack, when an attacker floods a server or network with Internet traffic to prevent users from accessing connected online services, can be costly in both earnings and reputation.

Cyber resilience is more than cybersecurity
Technews Publishing Editor's Choice Cyber Security Integrated Solutions IT infrastructure
Hi-Tech Security Solutions held a round-table discussion focusing on cyber resilience and found that while the resilience discipline includes cybersecurity, it also goes much further.

Crossing the chasm
Editor's Choice News Security Services & Risk Management Training & Education
Industry reports suggest that in the next ten years, millions of jobs could go unfilled because there simply are not enough people to fill them.

Records in place now, not later
Editor's Choice Security Services & Risk Management
It is important, after an incident, to have records in place as soon as possible. Too often the matter is left for the day when the company is going to court, or a disciplinary hearing is scheduled.

Considering cloud downtime insurance?
Arcserve Southern Africa Cyber Security IT infrastructure Security Services & Risk Management
Byron Horn-Botha, business unit head, Arcserve Southern Africa, reveals three vital steps that you must consider to ensure business continuity before you buy insurance.