Comment: Visibility Is an Essential Component to Data Governance

"A security strategy is destined to fail unless an organization has clear visibility of what it has and needs to protect", says Curtin

Businesses that adopt a more strategic approach to governing their data are well positioned to realize the power of their information assets while reducing the risk of security breach and leakage incidents that can damage corporate reputation, compromise customer trust and erode shareholder value. Visibility, in the form of a clear understanding of the nature, location and value of your data, sits at the heart of sound data governance and security practice.

Finding a balance between mitigating security risk, providing access to sensitive data and addressing compliance requirements can be complex. However, a security strategy is destined to fail unless an organization has clear visibility of what it has and needs to protect and where that information resides – in other words, if you can’t find your data, how can you possibly protect it?

Organizations need to understand which of their data assets contribute to their threat exposure, how critical each asset is, and where it is vulnerable. Taking stock of data assets is a vital first step in establishing a protection framework, because it is difficult to assign an accurate value to something until it has been located and identified.

The saying that you don’t know what you have until it’s gone applies equally to the data stored on your network. An organization needs to define and classify distinct categories of information in order to limit scope and make its efforts manageable. Otherwise the sheer volume of enterprise data can prevent it from dealing effectively with every type of sensitive information.

Only when an organization has this level of visibility and control can it begin to understand the risks that arise from where its data is stored, and make informed choices to remediate, manage and protect its valuable data assets.
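The discovery and classification step described above can be made concrete. The following is an added example, not code from the article or from PixAlert: a minimal discovery scan over a set of files (constructed sample content, not real data) that locates candidate cardholder data and e-mail addresses, validates card-number candidates with the Luhn check so that random digit strings are not counted, and assigns each file a classification tier. The file paths, tier names and the two detection patterns are assumptions chosen for the illustration; a production discovery tool would carry many more patterns and walk real shares.

```python
import re
from collections import Counter

# Constructed sample "files" standing in for a network share. The card numbers
# are well-known test numbers, not real accounts; the addresses use example domains.
SAMPLE_FILES = {
    "finance/q1_orders.csv": (
        "order_id,card,email\n"
        "1,4111 1111 1111 1111,alice@example.com\n"   # passes Luhn -> counted as CHD
        "2,4111-1111-1111-1112,bob@example.com\n"     # fails Luhn -> ignored
    ),
    "hr/notes.txt": "Email Carol at carol@example.org about onboarding.\n",
    "eng/design.md": "# Design\nNo customer data here.\n",
}

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Deliberately simple e-mail pattern; sufficient for the sample data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count cardholder-data (CHD) and PII hits in one piece of text."""
    findings = Counter()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # Length check again after stripping separators, then Luhn-validate.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["CHD"] += 1
    findings["PII"] += len(EMAIL_RE.findall(text))
    return findings


def inventory(files: dict) -> dict:
    """Build a per-file inventory with an assumed three-tier classification."""
    report = {}
    for path, text in files.items():
        f = classify_text(text)
        if f["CHD"]:
            level = "restricted"     # any cardholder data: highest tier
        elif f["PII"]:
            level = "confidential"   # personal data but no CHD
        else:
            level = "internal"       # nothing sensitive detected
        report[path] = {"classification": level, "chd": f["CHD"], "pii": f["PII"]}
    return report


if __name__ == "__main__":
    for path, entry in inventory(SAMPLE_FILES).items():
        print(f"{path:24} {entry['classification']:13} CHD={entry['chd']} PII={entry['pii']}")
```

Run as-is, the scan flags the finance export as restricted (one valid card number, two e-mail addresses), the HR note as confidential, and the design document as internal. The Luhn step is what separates discovery from noise: the second row of the finance file looks like a card number but is rejected, which keeps the inventory, and the remediation effort it drives, focused on data that is actually sensitive.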

Information is the Lifeblood of Business

Data carries an even greater need for visibility and protection because it can cause serious trouble if it falls into the wrong hands, is mishandled or is lost in transit. It is this power of data that underscores one of the major challenges facing IT organizations: being able to specify the exact location of critical data on an enterprise-wide basis.

The sensitive and confidential nature of corporate data, whether intellectual property and trade secrets, employee information, customer information, cardholder data (CHD) or other forms of personally identifiable information (PII), means that neglecting its discovery and protection has significant governance and risk management implications.

Driving these concerns are standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), data protection legislation, the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA). These regimes place a continuous onus on organizations to adequately protect and secure consumer data that is deemed sensitive and private. A recent report from the Privacy Rights Clearinghouse (PRC) noted 535 breaches during 2011, involving 30.4 million sensitive records. The volume and high-profile nature of data breaches, particularly at major corporations such as Epsilon, Alliance Data Systems, Sony and WordPress.com, only serve to heighten the concerns of government and regulatory bodies aiming to tighten and enforce data protection legislation.

A balanced data protection structure needs also to take into account how information is used throughout an enterprise. It should consider process, compliance and governance as being just as important as technology, while ensuring that the process doesn’t become too onerous on business users.

Information is the lifeblood of all businesses, and achieving the correct balance between access, integrity, compliance and protection is essential to operational and long-term business stability. To realize its value, an organization must be able to unlock the power of corporate information while adequately protecting the data assets that matter most. To protect information and manage risk effectively, organizations need to adopt a more strategic approach that continuously detects real threats while fostering a culture of vigilance through ongoing discovery audits, review and reporting.

PixAlert is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24–26 April 2012 at Earl’s Court, London. The event provides an unrivalled free education program, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. Visit the Infosecurity Europe website for further information.

Gerard Curtin is CEO of Irish software security solutions company PixAlert and is a leading information security specialist specifically in the area of data discovery auditing and image detection management. Curtin’s distinguished career spans over 23 years and his experience includes senior technical and management roles across the IT and telecom industries, including Prime Carrier, Openet Telecom, Euristix and Retix. He is a regular industry event and forum contributor and is a previous chairperson of Info Security Ireland. An honors graduate of Trinity College Dublin, Curtin holds an honors BA, BAI in mathematics and software engineering.