It’s difficult to protect your data when you don’t know where it is and who has access.
“Most companies don’t go through a data classification process. The No. 1 thing businesses can do to protect their data is to know where it is and the value it has,” says Joe Compton, CISSP, CISA, a principal with the Skoda Minotti Risk Advisory Services Group.
Smart Business spoke with Compton about actions companies can take to improve information security.
How do you go about finding and classifying data?
There are many different models you can use, including a simple checklist of three things:
■ Does the data contain private information?
■ Should this information be restricted to a limited number of people within the organization and from outside vendors?
■ Is it critical to the business? Would losing it negatively impact you or stop you from running your company?
If the data doesn’t fit under any of those areas, it would be considered an unprotected asset or unimportant data.
But the model can get complex; there could be 13 or 14 categories used to organize your information. The point is to develop a data classification scheme so you can protect it. You don’t want to provide the same protection for all data if it isn’t necessary.
After data has been classified, what’s the next step?
Once you know the data you have and its location, you need to establish controls. Most companies don’t have a disciplined approach to implementing security controls.
A good source for best practices is the PCI Security Standards Council, which offers downloads that provide a detailed list of controls that should be placed around sensitive data. In the case of PCI, it deals with credit card data. Most businesses handle some sort of credit card data, but even if you don’t, you could still adopt the same standards the PCI sets for credit cards and apply it to your sensitive information.
By doing so, you’ll have a very disciplined and defined approach to protecting critical data sets in terms of organized controls. There’s also a defined testing procedure you could follow on a regular basis to ensure those controls are working.
Controls can be as simple as firewalls or segregation of duties in terms of who has access to the data. It could involve logging access to databases and keeping a record of who works with data and where it is going. PCI has a list of 12 defined areas that it has built controls around that are appropriate for any business or any data set.
When you know what and where your data is and have a defined control set, then you need to address a data loss prevention (DLP) solution.
What are some examples of solutions, and how expensive are they?
DLP solutions range from the very expensive to relatively inexpensive.
For instance, if you run applications like SAP, Oracle financial, Microsoft Great Plains or various accounting systems, they have controls built into the software to prevent information from flowing out along with automatic tracking. But what happens when that data is moved off the system to a spreadsheet or mobile device? You can set policies prohibiting that, but that’s impractical.
You want to enable people to access the data, while keeping it secure. What DLP does is make sure data is appropriately encrypted. DLP software will look inside files and, if it sees data patterns that are sensitive, will force encryption before releasing that information to a device. It will also take inventory of what was on a device. If a device that was properly encrypted is lost or compromised, you can remotely wipe it through mobile management.
There are solutions that cost a fortune, and others that cost as little as $14 per month, per user. Some are preventative — they will notify you if a mobile media device is connected to a computer and catalogue the data moved over so you know what was on the device if it gets lost.
But the first step toward a solution is identifying your data. You’ll never reach the point of implementing a solution until you know what data you have and where it resides. ●
Joe Compton, CISSP, CISA is a Principal with Skoda Minotti Risk Advisory Services Group. Reach him at (440) 449-6800 or firstname.lastname@example.org
Insights Accounting & Consulting is brought to you by Skoda Minotti
As a company grows, its information technology (IT) needs to grow with it. But some areas may be overlooked in the day-to-day hustle of getting the job done, says Timothy A. Heikkila, a principal with the Skoda Minotti Technology Partners Group.
“Companies should be considering options such as the cloud, looking at the security of their data and setting up a disaster recovery plan,” says Heikkila. “An outside advisor can help you ask the right questions and identify areas of concern.”
Smart Business spoke with Heikkila about what IT issues growing businesses should be concerned about and how to address those issues.
What is the first IT issue that growing businesses should look at?
As a business’s IT needs grow, companies need to consider whether cloud computing makes sense. If you aren’t familiar with cloud computing, it’s essentially remote access to applications and services via the Internet; it gives you secure access to all your applications and data from any network device.
Would it be cost effective to take your company’s e-mail to the cloud so that you don’t have to worry about maintaining data at your own location? When considering questions like these, companies should really weigh the pros and cons of taking that step. For instance, do you already have a location for your servers in-house, are you going to have remote offices, do you have a large traveling sales force? For a single location office, the cloud may not be a beneficial or cost-effective step, but for a company with multiple locations or a traveling sales force, it could make perfect sense to have your data housed at a central location in the cloud so that everyone shares access.
How can an outside technology expert help determine your needs in the cloud?
Outside expert advice is definitely recommended because the industry is changing so quickly that the types of questions you need to ask and the way to ask them are changing daily. For example, does the cloud provider have multiple Internet connections coming in to eliminate service interruption? What is the cloud’s capacity? How much is your business going to be able to grow at your current facility without shortchanging yourself?
Security is another important area to ask about. A lot of data centers that house this equipment are having SOC Reports prepared to make sure they have the proper controls in place that ensure their data is secure and not at risk of being breached.
What other technologies should growing businesses be aware of?
We’re seeing a lot of mobility with the evolution of the iPad and other tablets. A sales force can really take advantage of those devices by using them to take notes, share presentations, adjust quotations on the fly, get signed quotes, and close deals on the spot. It benefits the sales team because they can be connected to the office immediately, respond to e-mail and get instant answers as if they were sitting at their desks in their office.
One area of concern around these devices that a company needs to consider is security. Companies need to make sure that they have a policy in place that protects the company’s data in the mobile hands of the employees. For example, companies should be able to lock down or control the devices should they get lost. If a salesperson accidentally leaves an iPad somewhere, the company needs to be able to erase all of the data on that device so that it doesn’t get into the wrong hands.
Most e-mail servers have controls built into them that allow you to send a signal wirelessly to devices to erase the data, but if you don’t have an e-mail server with that capability, you have to get a third-party, add-on product that can erase it wirelessly. Companies need to have a plan in place to cover these new and growing concerns.
What should businesses think about when considering a disaster recovery plan?
Disaster recovery is another area that can help a business grow, or at least ensure that it is not set back. As technology grows more complex, having a disaster recovery plan is becoming more vital, and planning for if something does fail has become almost as important as investing in technology to grow your business.
A disaster recovery plan starts with sitting down to figure out what disasters your company should plan for, prevent, or recover from. For example, if you are OK with a tornado coming through your building and you don’t think it’s worth the investment to plan for a second, off-site location to back up your data, then you don’t need to plan for that event.
But, if you want to prepare for a virus attack against your mail server because it’s critical to get that server up and running again, it’s a complex process. Businesses need to sit down and figure out what they want to plan for and determine the most critical pieces of technology that they need to have up and running again if something should fail. Once the company determines which critical pieces of technology they need to have up and running, the next question to ask yourself is how quickly does it need to be up and running? For example, if you need to have your e-mail fully functional within two hours, you will need to have a standby e-mail server already built and ready to go.
Too many companies understand that something could happen, but they put the blinders on and think that it won’t actually happen to them. There are a lot of things they can’t control, though, and that they may not have thought about. This is another area in which an outside technology expert can help. That person will know all of the questions that go into building a disaster recovery plan and make sure that plan can be executed if needed.
Timothy A. Heikkila is a principal with the Skoda Minotti Technology Partners Group. Reach him at email@example.com