The art and science known as risk management has been around for years. It is applied in a broad array of areas, including insurance, credit risk ratings, stock and other market risk ratings, foreign policy decisions, military responses and many others. The true irony is that, although risk management has been applied to many aspects of IT, such as change management, incident response, disaster recovery and business continuity, it has not been applied nearly as rigorously to data management and protection.
In some industry verticals, security is applied to certain types of data, but that application is often not based on true risk management. Banks protect account information, insurance and health providers protect personally identifiable information (PII), and chemical companies and soft drink conglomerates protect their secret formulas. Outside of what these companies see as their prized data, there is often a lapse in protection because they do not know what their information assets are or where they are located.
Organizations are at an increased risk level if they cannot answer foundational questions such as:
- Which business lines carry the greatest risk?
- What sensitive data is at risk?
- How valuable is the at-risk data?
When Risk Management of Data Fails
Each piece of information residing on corporate networks needs to be classified, evaluated and managed. Each byte must have some level of importance or it would not have been created in the first place. Some data has only momentary importance, while other data maintains its value for many years. However, this lifespan of value is not always apparent. A good example is an email about lunch plans. That message may only be important for the hours leading up to the meeting, or it could have value for much longer if the purpose of the meeting is to discuss mergers and acquisitions or organizational restructuring.
Security employees must have basic, well-maintained controls in place to protect data as part of a security program. Though not all organizations suffer from poor practices in all areas, all suffer from some of the following to varying degrees:
- Vulnerability management;
- Patch management;
- Server misconfiguration/poor change management;
- Loose or overprovisioning of user access controls;
- Use of overly broad firewall policies;
- Misconfigured security logging;
- Misconfigured incident alerting/overfiltering of alerts; and
- No user activity monitoring.
A lack of focus on any of the above areas weakens the organization’s security posture and creates an opportunity for data leakage or theft.
The November 2014 Sony data breach exemplified this kind of risk management failure and demonstrated the possible consequences. Emails and other data files to and from executives, A-list actors and other employees were released, disclosing many private conversations. At the time each was created, the participants in the transactions did not consider the ramifications of creating and retaining that information. However, when revealed, there was significant material damage to personnel involved or mentioned, up to and including loss of employment for numerous Sony employees and actors who lost contracts.
Applying Risk Management Principles to Data Management
The application of risk management principles to data security is necessary to truly protect data from loss, theft and exposure by cyberattacks and insider threats. IT, security and privacy and risk management personnel play a crucial role in creating a programmatic risk management strategy. This requires having data management, retention, containment policies and ongoing monitoring tools in place, and employee training on the processes and procedures for data management.
Each member of the organization is responsible for understanding the value and scope of the information he or she creates and receives. This does not always require a monolithic effort or the application of some huge formula to determine a risk probability, but it does require personnel to take the time to objectively determine when and where to store it, how to protect it and how long to keep it. Data owners and custodians must be part of the risk management process. They are responsible for protecting data from accidental destruction or modification, exposure to inappropriate internal and external parties and intentional theft by external cybercriminals or wayward insiders.
Line-of-business managers and data administrators also need a means to identify structured and unstructured data repositories, both on-premises and in the cloud, and the ability to classify that data by its level of impact should it be stolen, published or destroyed. If these data stewards are unfamiliar with the data they are monitoring, they must have the ability to separate the more business-critical information from that of lesser value. After all, a core tenet of risk management is to apply more resources to protect the assets of greater value. Data is no different.
Calibrating Personal and Organizational Accountability
It’s important to apply and appropriately disseminate formal risk management processes for evaluating information assets and the vulnerabilities that threaten to compromise them. Without this amount of information being managed and presented to each level of management up to and including the board level, there is no way to determine how much money to apply to make the proper decisions to combat high risks.
Risk management is an invaluable tool for calibrating personal and organizational accountability, prioritizing actions for proactive protection and reactive response, raising and informing awareness about risks and identifying appropriate or ineffective mitigation measures.