All organisations have a responsibility to ensure that their data is secured, protected and has the appropriate safeguards in place to protect against loss or theft.
Within each organisation there’s typically a ‘hierarchy’ of data and a fundamental part of effective security and crisis management is understanding the relative risk that is associated with the loss or theft of different types of data.
This means that, should a breach occur, a proportionate response can then be put into action.
From Intellectual Property to personally identifiable information such as medical records, credit card information, personnel records or payroll details – calculating the relative ‘value’ of different data is the key to implementing the right response.
This can save valuable time in the aftermath of a breach and ensure that priorities are set according to your sensitive data profile.
Correlate data value and incident response
Sensitive data in the wrong hands has a commercial ‘street’ value but it’s the relative worth of different records if a security breach occurs, that you need to understand. Without this, it’s almost impossible to perform a risk assessment.
> See also: Top tips on creating an enterprise risk strategy for wearables
This is because there isn’t a ‘one size fits all’ approach to a security protection or incident response. The response that would need to be instigated following the loss of multiple customer records would be very different to the response following the loss of intellectual property such as the blueprint for a new product.
Here are the key steps that can be followed to ensure you assess the value of your data and can implement processes to protect it adequately:
Take stock of all your data
Take a thorough audit of your IT estate to ensure that you have the full picture on sensitive data locations, including both internal and external IT services.
Classify and identify the high risk, high worth data
Assessing the value of data is a process that will vary according to the organisation size and sector. This will take into consideration factors such as: the regulatory impact of the loss of data; the cost of downtime / replacing or recovering this data, the financial impact in terms of the organisation’s reputation and, for public companies, how it would impact the organisation’s share price, credit rating, and regulatory burden.
Map and track this data within the organisation
You need to understand not only where it’s stored, but also how it moves through an organisation. What safeguards are in place to restrict this movement within and beyond an organisation? This will give you an insight into how vulnerable the data is.
Share the hierarchy with relevant teams
This is a cross departmental exercise with the ultimate aim of ensuring that the Infosecurity teams know where the most valuable data or documents are, and can implement the appropriate security controls. Make sure all relevant teams have been included in the process so that no surprises are uncovered further down the line.
Tailor the crisis management plans
Once you have a profile of where the most significant risks are, crisis management plans can be tailored accordingly, so that proportionate measures are in place to cover different scenarios.
Protecting sensitive data involves a chain of decisions that impact different departments across an organisation from IT to legal, PR and HR. With a well documented and tailored plan, individuals across the organisation will know the correct processes and their responsibilities, according to different incident types.
> See also: 5 reasons to focus on the business risk of IT security
Educate staff
Everyone in the organisation has a responsibility to protect the data they handle. Understanding its value and educating staff on the real commercial worth of records they’re creating storing and sending can help to reinforce that it’s an asset that needs to be protected, just like physical property.
Understanding the worth of your assets – beyond the ‘bricks and mortar‘ – is an important step on the road to more effective security protection and response strategies. It not only means that you can implement that right safeguards around your data, but also that the response fits the magnitude of the breach.
Sourced from Nick Pollard, UK General Manager, Guidance Software
