Aujas US

An IDG Ventures Company

Data Protection and Controls – Does Format Really Matter?

No one can argue that the most valuable asset for any enterprise, regardless of industry (whether military, finance or healthcare), is its data. Whether that data includes an investment strategy/portfolio, personal identity, healthcare history or national security, it must be safeguarded and controlled.

We’re all familiar with the data lifecycle and related security controls, including storage and transfer encryption and effective destruction. But do we also consider the format of the data? Data lives in many forms outside of the regular electronic email, Internet, PC, server or mainframe types that we normally work with. Unfortunately, some of our biggest vulnerabilities live in these other forms.

Printed paper is not the least of those. Scribbled notes, copied material, casual conversations on an elevator, voicemails or even a fellow passenger’s laptop (with the curious snooper watching over) are other forms of sensitive data. The main issue here is that most of us may not view these as “data types”. The truth is they can cause the same amount of harm as a DVD, USB or PC packed with information, and can just as easily land you on the front page. Let’s take a look at an unfortunate use-case to bring this all into context.

Henry S., a database administrator, was working over the weekend to get a presentation finished for his board of directors. His area of focus was his firm’s strategy on the proprietary development of database software that would revolutionize the storage and sharing of information with clients. Henry’s developments were ahead of all others in the enterprise and possibly the industry. What wasn’t being thought about was how valuable the information being prepared could be to competitors or thieves for profit.

It was late Sunday night and Henry was just happy finalizing and saving everything. Now he just had to print it. At about 11:30 that evening he found himself printing 20 color copies of his “master presentation” at the neighborhood copier. He felt the data he was bringing with him was safe since he brought it on an encrypted USB drive. At one point Henry’s copying streak went awry – after about 10 copies the machine began spitting out green paint. Henry wasn’t panicking – he knew there was plenty of time and his current set of copies were safe. After getting assistance and finishing the job on another machine, he found himself in the middle of a chaotic frenzy of paper crazily thrown all around his area. He was able to get things cleaned up, but what he wasn’t aware of was the 5 copies he’d left at the malfunctioning printer. Though a good multi-tasker, Henry was exhausted, yet practically livid with the thought of next day’s presentation and the effects it would have on his career and department. All he could think about was getting the deck right and being well prepared for the audience.

He got home with all the paperwork in his backpack and passed out. The next day at the presentation all went well, the crowd loved it and Henry was on top of the world. There’d been a slight mishap though, since there weren’t enough hard copies to go around for everyone at the meeting. That was weird – he was sure he’d made enough. Everything had gone well, except for those 5 mysteriously missing copies of the presentation. What then seemed to be a small loss landed Henry and his firm on the front page of the paper within the next few days. The headline read “Leading Financial Firm’s Innovative Software Idea up for Grabs at Local Print Shop” – not quite the fabulous outcome he’d hoped for. Turns out that whoever got hold of the lost copies managed to re-engineer the software and get it to market. To make things worse, the data-loss incident was widely publicized; the fallout included Henry’s suspension and investigation, a full 10-point drop in his firm’s stock price and a long-term negative reputational impact for his firm.

Data in any format is an extremely critical asset, and a liability when not controlled or secured properly. The effect of negligence over that asset can be detrimental to a career, an innovative idea and possibly an entire franchise. Proper due diligence and controls are needed for the entire lifecycle of the data, whether that means encryption while in storage or transit for electronic material, or locks/safes for storage and shredding for destruction of hardcopy material.

Had Henry only given a bit of thought to these things as a top priority, reputations and careers might have been saved (and likely excelled astoundingly). Instead everyone had to run for cover, hope to not get hit by the shattering fallout, and hope to keep their shirts on their backs.

Need help with your company’s data protection programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

Posted March 8, 2011 | Data protection, IT security

Data Governance – What We Need to Think About

These are some risk areas that you might want to think about when discussing Data Governance with your team: 

1. Disparate sources of data across the organization’s applications, producing incomplete and incorrect production data used in key decision-making processes for capital investment. (Accuracy)

2. Trading ledger for risk management review is typically delayed because of multiple data feeds, the availability of which is impeded by network speed due to file size in two custom applications. (Availability)

3. Inability to solve data quality issues in the sales division because data is spread across multiple systems and owners, resulting in a blame game. (Agility)

4. Customer service representatives are not presented with a single view of a customer account and have to use multiple programs to achieve a unified profile presentation, requiring more time to solve issues and increasing call center costs. (Access)

A Data Governance Methodology That Works

Building Blocks for Success

Analyze

* Perform data governance readiness assessment

* Define guiding principles

* Identify decision-making bodies

Design

* Determine focus of data governance program (security/privacy, data quality, architecture, etc.)

* Design data governance program (standards, policies, strategy)

* Determine cross-functional teams and data stewards

* Define decision areas and decision rights

Transform

* Conduct employee training and awareness

* Enact data governance program

* Deploy data governance mechanisms and tools

Sustain

* Monitor and adjust key performance metrics

* Ensure accountability and ownership through periodic review

Need help with your company’s data governance programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

Posted March 8, 2011 | Data governance, IT security