Data Lifecycle Management: How to reduce risk

Part 2
Data Lifecycle Management (DLM) covers five steps: creation, usage, transport, storage and destruction. Most companies have only parts of this lifecycle under control, which leaves gaps in the control measures through which a threat could affect the data. This multi-part blog series (I am not sure how many parts it will take) walks through the steps of the data lifecycle and what a company can do to implement a sound process for all of its data management challenges.

In the first part of this series, we covered what it means to say you have or want a data lifecycle management process. So why do we need something different from what we are already doing around DLM?

Why does traditional security not work for DLM?

Users behave riskily. They always will, and we rely mostly on technology controls to keep them in a secure box. Those solutions are aimed at external threats coming in, not at the regulation and governance of internal communications going out. The problems we typically see are:

  • Unauthorized application use: 70% of IT staff say the use of unauthorized programs results in as many as half of data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized access: 39% of IT staff said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
  • Remote worker security: 46% of employees transfer files between work and personal computers.
  • Misuse of passwords: 18% of employees share passwords with co-workers.

The reasons typical technology controls will not work in the full DLM process are:

  • Products are not geared to protect the full life cycle of customer records
  • Most solutions and processes are outward facing, based on perimeter security
  • Encryption can complicate data management
  • Real-time intrusion detection and remediation is rare
  • The context and intent of messages are not analyzed properly
  • Functional areas in organizations create different policies, monitoring requirements, enforcement priorities and reporting
  • New technologies can bypass security measures
  • Technologies look at the network, the operating system or the application, not at the data across all environments
  • Controls are not mapped properly to regulations

What risks does customer data loss pose for organizations?

If we know that security is not working, what are the risks we face? A very recent example of the practical effect is the Massachusetts privacy law 201 CMR 17.00; under this law, loss of data can have a great financial impact. Key things we need to consider include:

  • Penalties: Not complying with regulations can cause civil and financial penalties
  • Confidence: A customer data breach erodes customer confidence and can lose customers
  • Reputation: Damage to reputation will lose customers and damage relationships
  • Competitive Advantage: Information and customers can move to competitors
  • Costs: Ponemon Institute’s 2008 annual study puts the average cost at $6.6 million per breach
  • Valuation: Stock prices could decrease

I will continue this process in the next post…

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131

