Find the Map, Locate the Treasure and Keep the Pirates Away, Part II: Seven More Data Security and Privacy Best Practices
In Part I of this series, I discussed how data security and privacy best practices are similar to the children’s game “Treasure Hunt,” and I offered 10 tips for protecting your booty upon arrival at your tropical island. But what are you supposed to do before you even get there? Here are seven additional best practices on how to prepare.
1. Cash Is King
Before you set out on your journey, a visit to the king is in order to secure patronage. Have you identified your executive sponsor and associated budget? If not, you may find yourself lost at sea and unable to remain afloat.
2. Watch Your Ballast
Ballast is what provides stability for your ship. Too much and you risk sinking in rough seas. In data security, the equivalent of ballast is being weighed down by manual processes and tools that don’t meet your needs. Throw them overboard! Consider using automated methods to identify what’s important, such as data sources, files and databases.
3. Beware of Traitors
A traitor could derail your entire journey by giving up your position and sharing valuable information with pirates. No one wants to talk about rogue employees and the risk of insider threats. Nevertheless, we need to be thinking like pirates at all times and anticipating all possibilities. Activity monitoring is a good way to ensure that the crew doesn’t turn against you.
4. Avoid Mutiny
If you’ve ever seen “Mutiny on the Bounty,” you know what happens when a captain does not have the crew’s respect. Worse than a traitor, your very existence could be threatened.
Being a strong leader means being clear about your team’s roles and responsibilities with respect to data protection. Who administers the policies? What mechanisms do you have in place for approvals and escalations? Using a structured approach with built-in workflows means ensuring everyone signs off on exceptions.
5. Check the Weather Often
Back in the days of sail, both wind and weather made the difference between getting to your destination, going down with the ship or succumbing to illness and starvation. In data security and privacy, the weather is the prevailing regulatory environment.
With the EU-U.S. Privacy Shield potentially replacing Safe Harbor in addition to the new EU GDPR regulations taking effect in 2018, it’s critical to understand the changes on the horizon and to anticipate how those changes might impact your plans.
6. Always Be Prepared for Battle
Being prepared means having both detective and preventive measures in place. Do you have a lookout 24 hours a day? What if a ship approaches and the pirates try to board? In data security, you must observe all activity and have a plan in place to identify and then respond to unusual activity.
Sometimes those pirates are so tricky that they foil all our best defenses, such as blocking rogue SQL, alerting, etc. How do you detect unusual data access activity patterns? This is where machine learning comes in — applying cognitive computing techniques to identify that needle in the haystack.
7. One Man’s Trash Is Another Man’s Treasure
Be careful about how you dispose of your trash. If you drop it overboard, you will be leaving valuable clues for the pirates (in addition to being a polluter).
The same is true for removing old data. It needs to be disposed of in a manner that ensures it is no longer usable. Several recent breaches involved access to unneeded data that could have been either placed into a secure archive or disposed of entirely. Old data equals risk.