A version of this post originally appeared on the CMSWire blog.
Information security teams often overlook the sixth step in the Information Security kill chain, Data Theft.
To assess your organization’s readiness to protect against data theft, ask these four questions:
Let’s look at each one of these to help you see whether — and to what degree — your InfoSec function is ready to effectively prevent data theft.
Map Your Data
This is the most straightforward of the four issues: if you don’t know what information you have, you have zero chance of managing it effectively.
Most firms don’t have a configuration management database (CMDB), let alone a data map. A CMDB provides a list of all the applications that indicates the technology each runs on, the application and business owners of each, and any relevant integrations, along with a basic description of the functionality and purpose of each.
An effective data map takes a CMDB and adds to it. Typically, the data map includes information on the type of data contained in each application, the security level of the data, and the record series of each type of data and its legal risk level (i.e. likely discoverable or not).
Agreement from Key Stakeholders
While the lack of a data map makes it nearly impossible to manage information effectively, lack of agreement is probably the most challenging hurdle firms face in effectively addressing their information management challenges.
Here’s why. If Legal, IT, line-of-business stakeholders, Records Management, and InfoSec can’t agree on the general principles that will guide how they manage information, the firm will never make significant progress in addressing its information management risk. The result is they end up doing nothing. Which means they never pull the trigger on disposing of information that’s past its legal or operational life. Which is why the vast majority of firms keep everything forever.
Following are the typical stakeholder perspectives on information management that are responsible for creating the impasse:
Given these perspectives on information management, it’s nearly impossible for a firm to decide to delete anything. And without agreement on what the conditions are for purging, archiving and preserving information, the default stance will be to retain everything indefinitely.
Policy and Compliance Infrastructure
Knowing what information you have where and gaining stakeholder agreement on what to do with it will only get you so far. You also need to have in place the policy and compliance infrastructure to govern how you execute. Without it, two things will happen:
An effective policy and compliance infrastructure requires four things:
The final piece of the puzzle is to have adequate technology in place to support information management. This allows you to make real progress. Without it, you’re left asking end users to manage information manually, which (we should all know by now) will never happen.
No matter how many shared drive cleanup days you set aside, no matter how much awareness you raise about the importance of good information management, and regardless of how much support you get from the top to encourage buy-in, end users simply will not spend the time it takes to manually clean up their information. And if by some miracle they do, they’ll be much less effective at it than they would be if they were supported with technology.
A number of suitable technology solutions are out there to help; it would take an entire post (or two) to review them. But the important thing is to find the ones that work for you and deploy them to support your end users in complying with your standards and policies to manage the organization’s information more effectively.
This article isn’t a step-by-step guide to help you manage your information better; no number of posts can accomplish that.
But hopefully it’s given you some inspiration and guidance for how to start tackling the problem of information management at your organization, so you can better prevent data theft and shore up your kill chain defense.