Let's start with a definition.
Sensitive data is any private and confidential information that you must safeguard from all unauthorized users.
There are many types and classifications of sensitive data, but the more common types are Personally Identifiable Information (PII) and Protected Health Information (PHI).
You safeguard and protect this data with information security best practices designed to prevent data breaches, leaks, and unauthorized access. At the same time, you use these same best practices to allow authorized and approved users to access the data safely and appropriately.
But what are these security best practices? Do you even have sensitive data, and if you do, where is it located? Who should have access to it?
In this post, we'll try to answer these questions and more.
When it comes to keeping sensitive data protected, it's easy to focus only on technical methods. Approaches like encryption and access permissions seem easier to understand. There are some significant downsides to only focusing on technical controls, however. If we focus on the trees, we might lose sight of the forest, as they say.
Don't get us wrong. Technical controls are essential, as are physical controls like door locks and cameras. But perhaps a more foundational place to start is with training.
We've all heard that people are a company's greatest asset, which might be true. But as author and security expert Evan Francen says, "people are the biggest risk."
Why?
There are many reasons, but let's touch on just a few. First, human behavior is unpredictable and infinitely variable, it seems. We have a sense of trust that can serve us well most of the time. However, moods, events, and experiences can influence this trust. Worst of all, bad guys can manipulate it through social engineering.
The risks involving people can range from simple mistakes to unawareness to actual malicious intent.
That's where security awareness training comes in. You can manage the risk of mistakes and security ignorance among your users with proper training.
At Streamworks, we have a specific information security policy dedicated to security training and awareness. Each member of Streamworks is made aware of security implications that revolve around their functions and actions. We require all employees to participate in training at least twice per year. All new employees take our new hire information security training and have access to all of our security policies for review and reference. And, of course, all employees must acknowledge adherence to our policies.
Now that you know the crucial role of security training in protecting data, the next step is to inventory where sensitive data resides in your organization.
Protecting your sensitive data starts with knowing what information you have, where it is, and who has access. If you don't know what you have, you can't protect it!
To start the inventory process, determine how data flows through your organization and build a data flow diagram.
Data flow is simply the movement of data throughout your company. Knowing your data flow will spotlight how sensitive data comes into, moves through, and exits your business.
Additionally, your data flow diagram shows you:
• Where data might temporarily or permanently rest
• Logical and physical systems that house sensitive data
• Hardware and software touchpoints
• Who might have access
• Possible leak points
• High-risk endpoints
Next, inspect all systems for sensitive data.
With your freshly documented data flow, you'll have a good sense of what systems to inspect. For example, do you need to look at specific critical servers and storage devices? What about user computers, laptops, and flash drives? Is sensitive data ever printed to hard copies? If so, you'll need to inspect file cabinets, offices and desks, and recycle bins.
As part of your inventory process, talk to your teams to get even more details on data flow, who has access, and where sensitive data may come to rest.
Depending on your industry, some departments need more access to sensitive data than others. Good areas to start with are Human Resources, IT, Finance, and Sales.
Are you sharing data or outsourcing services? Include vendors and partners in your data flow, inventory, and interview process.
After a thorough data inventory, you should have a good picture of where data resides in your organization and who has access to it.
Since there are varying degrees of data sensitivity, it's time to put your data into specific classification levels. For example, content safe to post on your website differs from PHI or credit card numbers.
Therefore, organize your data into different classifications to help you (in its simplest form) decide 1) where data is allowed to flow and rest and 2) who has access.
Data classification is a big topic, so maybe we'll cover it again in a future post. For now, you can keep it simple and classify data into public, private, and restricted categories. Here are some examples:
• Public data - content you can put on a public-facing website or use for social media and marketing
• Private data - internal company information like business plans, proprietary documentation, or product information
• Restricted information - data that must be kept confidential (with limited access) like PHI and PII. Data breaches involving restricted information might involve legal implications, fines, media coverage, and a lengthy investigation and remediation process.
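As an added illustration (not part of the original post), the Python sketch below checks a small data inventory against the three classification levels, flagging data that rests somewhere its level does not allow or that is reachable by roles it should not be. The zone names, role names, policy table and inventory entries are all hypothetical, constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy: for each level, where data may rest and which roles may
# access it (None means anyone). Zone and role names are hypothetical.
POLICY = {
    "public": {"zones": {"website", "file_server", "laptop", "hr_system"},
               "roles": None},
    "private": {"zones": {"file_server", "laptop", "hr_system"},
                "roles": {"employee", "hr", "it", "finance"}},
    "restricted": {"zones": {"hr_system"}, "roles": {"hr"}},
}

@dataclass
class InventoryEntry:
    asset: str                     # what the data is
    zone: str                      # where it was found at rest
    classification: Optional[str]  # None if nobody has classified it yet
    roles: set = field(default_factory=set)  # who can access it today

def audit(inventory, policy=POLICY):
    """Return (asset, problem) findings for entries that break the policy."""
    findings = []
    for e in inventory:
        level = e.classification
        if level not in policy:
            # Fail closed: unclassified data is handled as restricted.
            findings.append((e.asset, "unclassified; treated as restricted"))
            level = "restricted"
        rule = policy[level]
        if e.zone not in rule["zones"]:
            findings.append((e.asset, f"{level} data rests in '{e.zone}'"))
        if rule["roles"] is not None:
            extra = sorted(e.roles - rule["roles"])
            if extra:
                findings.append(
                    (e.asset, f"{level} data accessible to {', '.join(extra)}"))
    return findings

# Constructed sample inventory, as it might come out of the interviews
# and system inspections described above.
INVENTORY = [
    InventoryEntry("marketing brochure", "website", "public", {"anyone"}),
    InventoryEntry("product roadmap", "file_server", "private", {"employee"}),
    InventoryEntry("patient mailing list", "laptop", "restricted", {"hr", "sales"}),
    InventoryEntry("old export.csv", "flash_drive", None, {"employee"}),
]

if __name__ == "__main__":
    for asset, problem in audit(INVENTORY):
        print(f"{asset}: {problem}")
```

Treating unclassified entries as restricted means a file nobody has reviewed yet shows up as a finding instead of passing silently.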
Once you know where data lives and have classified it, you can build policies around your findings.
It's best to have policies in each information security control area, namely administrative, physical, and technical controls. For example, you'll define policies around the management of sensitive data (administrative controls), physical protection and access (physical controls), and firewall rules and logical permissions (technical controls).
As we touched on at the beginning of this article, training is a great first (and ongoing) step for all employees, especially users with access to sensitive data.
It might be best to focus on security principles vs. specifics with initial training. However, after your policies are written, approved, and adopted, you should add specific training on your procedures. Do your policy training annually at a minimum, and include a policy acknowledgment that all employees sign.
As you can see, protecting sensitive data might not be easy. Still, there are specific steps you can take to make it more manageable.
Start with training and make it ongoing for all employees, especially after establishing company-wide information security policies.
Take a thorough inventory of data throughout your logical and physical systems to know where data resides and who has access.
With your data inventory completed, move forward with classifying the data into specific buckets. Start with something simple like public, private, and restricted classifications and modify from there based on your business workflow and needs.
Establish policies concerning the sensitive data in your organization, including how to protect it, how to share it safely, and how to access it. Then train again and continue training.
In future articles on this topic, we'll look at other considerations for protecting sensitive data, including various physical and technical controls and processes. Stay tuned!