Data is the lifeblood of most organisations. Odd, then, that many business directors can't explain how data moves in and out of their firm or how it flows through their networks.
How can you properly explain your information protection strategy if you don't know where or how your data is moving in and out of your environment?
If you do know how your data moves around, then you can:
- Improve the efficiency of your IT and data systems;
- Reduce the risk of data compromise through stronger information security controls;
- Increase compliance with industry standards and avoid audit failures;
- Improve the odds of preventing data theft by insiders;
- Provide peace of mind to senior leadership.
So how can you understand your own data flow?
Improve the efficiency of IT solutions geared toward data flow
Email, content management and secure file transfers all provide data movement capabilities. Understanding who will move data, where they'll move it to, and which protocol or application will be used is imperative when deploying a data transfer solution. Which users need to send data to customers? When is encryption required? What types of data are being sent? These are just some of the questions that need to be answered in order to provide the best possible solution when moving data in and out of your network.
Reduce the risk of data compromise with security controls
When you understand how your business uses data and how it moves, you can wrap better information security controls around it. Firewall rules can be set to allow data to be sent only to previously approved recipients, or to accept data only from approved senders. Network data loss protection (DLP) policies can be developed to permit data transfers only to known sources and recipients of information. Data encryption will ensure that data, should it be intercepted, cannot be read without the appropriate credentials. These are just a few examples of security controls that you can introduce.
Increase compliance with industry standards
Industry standards, such as ISO 27001, require that you have measures in place to control and monitor data flow. This includes technical information security controls as well as controls related to governance, such as policies and standards. You need appropriate controls to govern data flow, via network zoning and segmentation or system hardening, and to govern data movement, via enforceable data transfer or email policies. Without such controls, you run the risk of failing an audit. And without enforceable policies and effective information security controls, you face a higher risk of data loss or exfiltration.
Enhance odds of preventing data theft by insiders
It's hard enough to be constantly on the lookout for the insider threat when you know what you're looking for. It becomes that much more difficult when you don't have a solid idea as to where your data is going, how it's getting there, when it's coming and going, and why. Tracking user data flow in and out of your network through measures such as user authentication will greatly enhance your chances of detecting potential data thieves in your environment.
Provide peace of mind to senior leadership
With great power comes great responsibility. When it comes to providing maximum information security for an organisation, those with responsibility have to report to senior leadership and the board of directors. Tracking and understanding data movement between your organisation and external clients or partners is key when it comes to explaining your information security strategy. It's much easier to describe how you're protecting the confidentiality, integrity and availability of your data when you can provide details such as where it's going, how it is getting there, and who's sending and receiving it.
How well you track the movement of your data may make or break your information security practice. You need to be able to discern who needs the data, where it needs to go, how it will get there, and what measures you are taking to protect it. If you already have data flow under control in your organisation, you have a great foundation in place to provide next-level information security. If not, it should definitely be a priority on the to-do list.
Sponsored post. Copyright © 2016 Jamie Graves, co-founder and CEO of ZoneFox, an Edinburgh-based cyber security company.