Enterprise data protection requires a holistic program that encompasses people, process and technology. Too often the emphasis is placed
- Implement a data classification program that focuses on customer, financial and intellectual property information, with designated owners for each type of information. Data protection categories should include confidential, internal use and public, with controls matched to each category. For example, public data should be reviewed to ensure that sensitive information, such as future product plans, is not released outside the company.
- Develop an enterprise-wide data architecture and manage the flow of critical information throughout the organization; you will be surprised at what you find. Credit card information is an example of data that you need to manage closely and for which you must ensure data protection controls are in place. The good news here is that the Payment Card Industry (PCI) Security Standards are very well documented and spell out what an organization needs to do to protect this type of information.
- Encrypt critical information, such as credit card numbers, throughout your environment. If you are handling credit card information, you will need to encrypt this information in order to comply with PCI Security Standards. Cyber thieves can easily sell this information on the black market and will look for credit card information if they are able to break into your systems.
- Use caution with new technology, including cloud computing or virtualization, as security protection mechanisms such as authentication and data protection are often immature. Two-factor authentication is recommended when accessing these systems and confidential personally identifiable information should always be encrypted. You should also confirm these capabilities before venturing into the cloud.
- Protect endpoint devices such as personal digital assistants, laptops, memory sticks and cell phones that are used to store critical information. You should put enterprise data protection programs in place to address loss and theft. These devices are essential today and are often used to store customer, future product and financial information. The small form factor makes them very likely to be lost or stolen. You need to be proactive in this area and encrypt data, require use of passwords and leverage the ability to remotely disable these devices, if available.
- Implement enterprise data protection policies such as strong passwords, encryption, two-factor authentication and remote data deletion for endpoint devices.
- Update your software development lifecycle (SDLC) process with key checkpoints, such as security architecture reviews, and conduct code reviews to identify common coding errors such as buffer overflows. It is much easier to address software security issues early in the SDLC, and architectural reviews can eliminate many of these issues before any coding has occurred. Code checking programs, which work much like a spell checker, are very helpful for identifying common coding issues such as buffer overflows. Finally, binary code analysis tools are available to test the software as it actually runs, before it is deployed.
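As an added illustration of the kind of coding error the code-review and code-checking checkpoints above are meant to catch (this is example code, not from the original article), the following C shows an unbounded copy into a fixed-size field beside a bounded version that rejects oversized input. The account identifier field and its size are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example: a fixed-size field for an account identifier,
 * the kind of buffer a reviewer or static checker looks at closely. */
#define ACCOUNT_ID_LEN 16

/* BEFORE: the pattern a code checking tool flags. strcpy copies until
 * it finds the NUL terminator with no regard to the destination size,
 * so any src longer than 15 characters writes past account_id and
 * corrupts adjacent stack memory. Shown for comparison; never called. */
void store_account_unsafe(const char *src)
{
    char account_id[ACCOUNT_ID_LEN];
    strcpy(account_id, src);          /* flagged: unbounded copy */
    printf("stored %s\n", account_id);
}

/* AFTER: measure src against the destination first and refuse input
 * that does not fit, rather than truncating silently and risking a
 * mangled identifier downstream. Returns true on success. */
bool store_account_safe(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')   /* never read past dstsz bytes */
        n++;
    if (dstsz == 0 || n >= dstsz)
        return false;                     /* no room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

int main(void)
{
    char buf[ACCOUNT_ID_LEN];
    const char *ok  = "ACCT-000012345";        /* 14 chars: fits */
    const char *bad = "ACCT-0000123456789012"; /* 21 chars: rejected */

    printf("fits:     %s\n", store_account_safe(buf, sizeof buf, ok)  ? "accepted" : "rejected");
    printf("too long: %s\n", store_account_safe(buf, sizeof buf, bad) ? "accepted" : "rejected");
    return 0;
}
```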
Security threats are here to stay, and holistic programs are essential to protect the critical data assets of your organization. It is important to develop a roadmap of incremental improvements to your enterprise data protection policy with regular updates for new security threats.
Mark Egan is managing partner of the information security practice at The StrataFusion Group Inc., a management consulting firm in the San Francisco Bay Area. Egan was previously CIO at Symantec Corp. and is the author of The Executive Guide to Information Security. He can be reached at firstname.lastname@example.org.
This was first published in February 2009