The key to cyber security management is to protect your data. The first step in protecting your data is to ‘know’ your data: where it is (or rather, where all it is), where it originates, where it flows and resides, and where it gets touched, tampered with or deleted. Identify your data by mapping its flow from origination through the departments and functions that use it, including external parties such as vendors who may have access to it.
As part of identification, the data needs to be categorized (personally identifiable information, personal health information, etc., following regulatory guidelines such as the IT Act of 2008, HIPAA or GLB) and classified (restricted, internal, etc.). This classification and categorization is a crucial part of your data risk management: controls can be designed and safeguards put in place only if the data is properly identified and classified. The next important factor is to consider ‘access’ to data, including roles, authorization and the medium of access (within the network, mobile, cloud).
Indeed, most organizations fail to put in place an effective data security and cyber resilience program because they are unaware of their data and its life cycle. Here’s how to go about it:
- List down your business functions and departments, say HR, Finance, Core Banking, Collections
- Identify the units or sub-departmental functions, say recruitment, loan processing
- Document the high level process map for each unit
- Create data flow diagrams, identifying detailed parameters such as (a) the nature of data, following the organizational data classification policy (b) origin and termination of each type of data (c) touchpoints and access levels
- Perform a data leakage risk assessment across the above life cycle, following the organization risk assessment methodology
- Articulate risk mitigation strategy and controls
- Implement controls
- Install a governance and monitoring framework to ensure ongoing oversight and effectiveness
Of course, in performing an exercise like the one above, the underlying assumption is that policies, controls, risk management methodologies and baselining are already defined and established.
I would also like to draw reference here to the “DSCI Security Framework” by the Data Security Council of India.