The purpose of a typical data protection strategy is to allow an enterprise to identify sensitive pieces of data that are subject to regulatory controls, so the appropriate level of protective controls can be implemented. Most data protection strategies however, tend to focus only on
Why? There are several reasons, including the fact that most data protection strategies are designed to satisfy privacy-related compliance requirements and tend to exclude data that's relevant to online privacy law. Another reason is simply that most organizations lack a comprehensive list of data items that they own or process, including an inventory of intellectual property (IP). The absence of such an inventory prevents them from devising a holistic strategy.
To be effective, an enterprise data protection strategy must view data as an intellectual asset. Such a data protection strategy should address not only the data that's regulated, but also the information that is not, which could cause a loss of revenue or reputation if misused or stolen. Such information would include formally identified intellectual property such as patents, copyrighted material or trademarks. It would also include "informal" intellectual property such as program source code, operating procedures, user manuals and policies, along with other written material like company memos, reports and plans. These artifacts are not typically considered IP, but their loss or corruption could be damaging to an organization's business and reputation.
As one starts to think about informal intellectual property, consider this: Information about an organization's geography, people and infrastructure could be more revealing than one might realize. Has anyone ever heard about "competitive intelligence?" Each warrants some protective controls, as well. After all, an organization may post a presentation with internal data on its website or SlideShare.net, only to have it show up on a competitor's PowerPoint presentation. An effective enterprise data protection strategy addresses information, not just data, whether raw or processed.
Where to begin with a data protection strategy
So, how does one build that strategy? First, identify stakeholders in the data protection strategy:
- IT department: IT typically manages all databases and file systems and will be crucial
in helping build an IP asset inventory, as well as implementing the strategy.
- Human resources (HR): HR data is highly sensitive in nature and includes the personally
identifiable information of employees.
- Legal: The legal department can help identify the protection needs of the formal
intellectual property. Counsels can also help develop an organizational policy for informal
intellectual policy protection.
- Finance: Financial reports are generally sensitive in nature. The data that feeds these
reports needs to be protected, whether it resides in Excel or on a mainframe.
- Facilities: Facilities maps, business continuity plans and access control lists are all forms of sensitive data that need to be inventoried and protected.
Questions to ask during information discovery
Once all relevant stakeholders have been identified, IT security managers and compliance officers should begin a discovery process by asking a lot of questions, such as:
- Does the organization have an intellectual property policy that defines what intellectual
property is and how it is to be treated?
- Is there an inventory of the formal intellectual property, including patents, trademarks and
- Is there an inventory of all source code that is owned by the organization, including any
source code under escrow?
- Does this inventory include organizational and security policies and procedures?
- Can the organization identify all operational procedures, user guides and training materials
that it has invested in developing?
- Are there any protective controls around the data? If so, what are they?
- Are there any roadblocks to developing an IP assets inventory?
- Does the organization perform regular audits of its intellectual assets?
- Does the organization conduct counterintelligence exercises to test the effectiveness of its IP
- Does the organization classify its information and label it according to its nature and sensitivity?
An effective enterprise data protection strategy should be holistic, with a well-rounded focus on information, regardless of its form. In this approach, information will be recognized and categorized by its business function and not by its file or database names.
For example, instead of cataloging an "employee database and XYZ file system," the inventory will list information assets under categories such as employee information, major customers, sales, market share, financial information, research and development, organizational information or strategic plans. These categories can also be viewed as information domains, which would then be subject to controls according to their sensitivity and privacy.
Applying information management precepts to data protection strategy
In addition to developing information domains, an enterprise data protection strategy must consider the following four precepts of information management:
- Information classification and categorization: Most organizations that claim to have an
information classification scheme will classify only information, and not the data or the system
from where it came. Even when a system is classified and declared as "highly sensitive," it is
often intertwined with low-sensitivity systems and interfaces. In such an environment, a digital
watermark is assumed to be "low" rather than the "high" it needs to be. Information needs to be
classified as high, medium or low in terms of sensitivity, and categorized
according to its business function. Information flows should be documented to understand how
information is being handled and where it might be vulnerable to exposure, loss or misuse.
- Periodic information correlation check: Many times, one information element by itself
does not reveal much. Correlating that element with other pieces of information however, could tell
a very different story. Organizations need to review information posted on their websites to
determine if it could be manipulated to extract more sensitive information. They need to examine
extracts from their databases and determine if there is a possibility that public information could
be converted into PII by matching or merging data.
- Information leak prevention: Regardless of the level of controls in place, there is
always the probability that some information will leak. That's due to the distributed nature of
computing, which touches information throughout its lifecycle as it is received, stored, processed
and shared. No matter how careful employees are when sending emails, once these emails are received
at the other end, the originator no longer has control over them. Also, as the IT workforce of
today is more transient than ever, a constant drain of intellectual property is to be
Existing data leak prevention programs place controls over current employees but have no way to control an employee who is about to leave or has already left. The technology gap in this area needs to be filled soon if an enterprise is going to have an effective data protection strategy. Data fingerprinting, steganography and identity-based encryption are some of the few emerging technologies that provide hope. Organizations need to push for innovation in these areas.
An effective data protection strategy must be comprehensive. It needs to include all information and data on what makes an organization competitive, or on where there exists a possibility of data loss. Organizations need to begin by viewing all information and all data as business IP. Once they've identified where their IP assets are, they must develop, implement and then continuously test the effectiveness of strategies that provide the required protection. In a constantly expanding digital world, information is power. An effective data protection strategy can serve to control it efficiently.
Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and also teaches at the University of Maryland University College.
This was first published in April 2010