How to create an effective data protection strategy for IT compliance

To build an effective data protection strategy for IT compliance, enterprises should view sensitive data as an intellectual asset.

The purpose of a typical data protection strategy is to allow an enterprise to identify the sensitive pieces of data that are subject to regulatory controls, so that the appropriate level of protective controls can be implemented. Most data protection strategies, however, focus only on enterprise data that is managed by the organization's IT infrastructure and do not address data that lives outside it.

Why? There are several reasons. Most data protection strategies are designed to satisfy privacy-related compliance requirements, so they tend to leave out data that falls outside the scope of privacy law. Another reason is simply that most organizations lack a comprehensive list of the data items they own or process, including an inventory of intellectual property (IP). Without such an inventory, they cannot devise a holistic strategy.

To be effective, an enterprise data protection strategy must view data as an intellectual asset. Such a data protection strategy should address not only the data that's regulated, but also the information that is not, which could cause a loss of revenue or reputation if misused or stolen. Such information would include formally identified intellectual property such as patents, copyrighted material or trademarks. It would also include "informal" intellectual property such as program source code, operating procedures, user manuals and policies, along with other written material like company memos, reports and plans. These artifacts are not typically considered IP, but their loss or corruption could be damaging to an organization's business and reputation.

As one starts to think about informal intellectual property, consider this: information about an organization's geography, people and infrastructure can be more revealing than one might realize. This is the raw material of competitive intelligence, and each of these categories warrants some protective controls as well. An organization may post a presentation containing internal data on its website or SlideShare.net, only to have it show up in a competitor's PowerPoint deck. An effective enterprise data protection strategy addresses information, not just data, whether raw or processed.

Where to begin with a data protection strategy

So, how does one build that strategy? First, identify stakeholders in the data protection strategy:

  • IT department: IT typically manages all databases and file systems and will be crucial in helping build an IP asset inventory, as well as implementing the strategy.
  • Human resources (HR): HR data is highly sensitive in nature and includes the personally identifiable information of employees.
  • Legal: The legal department can help identify the protection needs of formal intellectual property. Counsel can also help develop an organizational policy for protecting informal intellectual property.
  • Finance: Financial reports are generally sensitive in nature. The data that feeds these reports needs to be protected, whether it resides in Excel or on a mainframe.
  • Facilities: Facilities maps, business continuity plans and access control lists are all forms of sensitive data that need to be inventoried and protected.

Questions to ask during information discovery

Once all relevant stakeholders have been identified, IT security managers and compliance officers should begin a discovery process by asking a lot of questions, such as:

  1. Does the organization have an intellectual property policy that defines what intellectual property is and how it is to be treated?
  2. Is there an inventory of the formal intellectual property, including patents, trademarks and copyrighted material?
  3. Is there an inventory of all source code that is owned by the organization, including any source code under escrow?
  4. Does this inventory include organizational and security policies and procedures?
  5. Can the organization identify all operational procedures, user guides and training materials that it has invested in developing?
  6. Are there any protective controls around the data? If so, what are they?
  7. Are there any roadblocks to developing an IP assets inventory?
  8. Does the organization perform regular audits of its intellectual assets?
  9. Does the organization conduct counterintelligence exercises to test the effectiveness of its IP protection?
  10. Does the organization classify its information and label it according to its nature and sensitivity?

An effective enterprise data protection strategy should be holistic, with a well-rounded focus on information, regardless of its form. In this approach, information will be recognized and categorized by its business function and not by its file or database names.

For example, instead of cataloging an "employee database and XYZ file system," the inventory will list information assets under categories such as employee information, major customers, sales, market share, financial information, research and development, organizational information or strategic plans. These categories can also be viewed as information domains, which would then be subject to controls according to their sensitivity and privacy.

Applying information management precepts to data protection strategy

In addition to developing information domains, an enterprise data protection strategy must consider the following four precepts of information management:

  1. Information classification and categorization: Most organizations that claim to have an information classification scheme classify only the information itself, and not the underlying data or the system it came from. Even when a system is classified and declared "highly sensitive," it is often intertwined with low-sensitivity systems and interfaces. In such an environment, the marking the data actually carries ends up being "low" rather than the "high" it needs to be. Information needs to be classified as high, medium or low in terms of sensitivity, and categorized according to its business function. Information flows should be documented to understand how information is being handled and where it might be vulnerable to exposure, loss or misuse.
  2. Periodic information correlation check: Many times, one information element by itself does not reveal much. Correlating that element with other pieces of information, however, can tell a very different story; ZIP code, birth date and gender are the classic case, each innocuous alone but together often enough to single out one person. Organizations need to review the information posted on their websites to determine whether it could be combined with other sources to extract more sensitive information. They need to examine extracts from their databases and determine whether public information could be converted into PII by matching or merging data.
  3. Information leak prevention: Regardless of the level of controls in place, there is always the probability that some information will leak. That's due to the distributed nature of computing, which touches information throughout its lifecycle as it is received, stored, processed and shared. No matter how careful employees are when sending emails, once these emails are received at the other end, the originator no longer has control over them. Also, as the IT workforce of today is more transient than ever, a constant drain of intellectual property is to be expected.

    Existing data leak prevention programs place controls on current employees but have no way to control an employee who is about to leave or has already left. This technology gap needs to be filled soon if an enterprise is going to have an effective data protection strategy. Data fingerprinting, steganography and identity-based encryption are among the emerging technologies that offer some hope, and organizations need to push for innovation in these areas.
  4. Stakeholder education and awareness: Employees need to know what they can and cannot access, copy, print or take home. Organizations have a right to expect behavior from their employees that does not put the organization's earning power at risk. However, unless they communicate those expectations, they risk employees inadvertently disclosing, disposing of or disregarding the information. That is one reason why drafting and distributing an online privacy policy is essential.
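
The correlation check in precept 2 is the one item in this list that can be run as a test rather than a meeting. The following is an added example, not code from the original article: two constructed datasets, a de-identified HR extract (names removed, salaries kept) and a public staff directory (names kept, no salaries), are merged on the quasi-identifiers they share. It also shows the remedy the check usually leads to, coarsening those fields until no published row maps to a single person. All records, names and field choices are assumptions made for the example.

```python
"""Periodic information correlation check (linkage / re-identification test).

Added example; not code from the original article. Both datasets are
constructed. The HR extract has had names stripped and the public directory
carries no salaries, yet the quasi-identifiers they share (ZIP code, birth
year, gender) are enough to merge them and attach a salary to a name.
"""
from collections import defaultdict

# Constructed: a de-identified compensation extract of the kind published
# for a pay-equity report. Names removed, quasi-identifiers left intact.
HR_EXTRACT = [
    {"zip": "20740", "birth_year": 1979, "gender": "F", "salary": 142000},
    {"zip": "20742", "birth_year": 1977, "gender": "F", "salary": 118000},
    {"zip": "20740", "birth_year": 1985, "gender": "M", "salary": 98000},
    {"zip": "20740", "birth_year": 1985, "gender": "M", "salary": 101000},
    {"zip": "21201", "birth_year": 1990, "gender": "F", "salary": 87000},
    {"zip": "21202", "birth_year": 1994, "gender": "F", "salary": 91000},
]

# Constructed: a public staff directory / speaker-bio page with the same
# attributes but no salary information.
PUBLIC_DIRECTORY = [
    {"name": "A. Rivera", "zip": "20740", "birth_year": 1979, "gender": "F"},
    {"name": "E. Novak",  "zip": "20742", "birth_year": 1977, "gender": "F"},
    {"name": "B. Chen",   "zip": "20740", "birth_year": 1985, "gender": "M"},
    {"name": "C. Okafor", "zip": "20740", "birth_year": 1985, "gender": "M"},
    {"name": "D. Haas",   "zip": "21201", "birth_year": 1990, "gender": "F"},
    {"name": "F. Lind",   "zip": "21202", "birth_year": 1994, "gender": "F"},
]


def exact_key(rec):
    """Quasi-identifiers exactly as published."""
    return (rec["zip"], rec["birth_year"], rec["gender"])


def generalized_key(rec):
    """Coarsened quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    return (rec["zip"][:3], rec["birth_year"] // 10 * 10, rec["gender"])


def equivalence_classes(records, key_fn):
    """Count how many records share each quasi-identifier combination."""
    classes = defaultdict(int)
    for rec in records:
        classes[key_fn(rec)] += 1
    return dict(classes)


def k_anonymity(records, key_fn):
    """Smallest equivalence class; k == 1 means someone stands alone."""
    return min(equivalence_classes(records, key_fn).values())


def link_records(extract, directory, key_fn):
    """Merge the two datasets on the quasi-identifiers and return the
    (name, sensitive record) pairs that resolve to exactly one row on both
    sides, i.e. the rows an attacker can re-identify with certainty."""
    extract_classes = equivalence_classes(extract, key_fn)
    names_by_key = defaultdict(list)
    for person in directory:
        names_by_key[key_fn(person)].append(person["name"])
    linked = []
    for rec in extract:
        key = key_fn(rec)
        names = names_by_key.get(key, [])
        if extract_classes[key] == 1 and len(names) == 1:
            linked.append((names[0], rec))
    return linked


def reidentified_names(extract, directory, key_fn):
    """Sorted names that the linkage attack pins to a salary."""
    return sorted(name for name, _ in link_records(extract, directory, key_fn))


if __name__ == "__main__":
    for label, key_fn in (("as published", exact_key), ("generalized", generalized_key)):
        print(f"[{label}] k-anonymity of extract: {k_anonymity(HR_EXTRACT, key_fn)}")
        for name, rec in link_records(HR_EXTRACT, PUBLIC_DIRECTORY, key_fn):
            print(f"  re-identified: {name} -> salary {rec['salary']}")
```

Run as published, four of the six "anonymous" salary rows attach to a named person; the two men born in 1985 in ZIP 20740 survive only because they happen to be indistinguishable. After generalizing ZIP to its prefix and birth year to a decade, every equivalence class has at least two members and the merge yields nothing. The same loop can be pointed at any pair of extracts the organization publishes, with the check failing whenever the smallest class falls below the k the policy requires.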


An effective data protection strategy must be comprehensive. It needs to cover all information and data that makes an organization competitive, and everywhere there is a possibility of data loss. Organizations need to begin by viewing all information and all data as business IP. Once they have identified where their IP assets are, they must develop, implement and then continuously test the effectiveness of the strategies that provide the required protection. In a constantly expanding digital world, information is power. An effective data protection strategy can serve to control it efficiently.

About the author
Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and also teaches at the University of Maryland University College.

