
Thinking Beyond Compliance: Data Asset Security for Your Business

By Waleed Haddad and Jennifer Hudgins | Access-Interactive | 1/24/2018
Just because you are compliant does not mean you are secure. This critical message is not just for the Information Security community, but for all players in the larger business community. Information Security is a balancing act that requires full-time attention, resources, and continuous progression. Regulations such as GLBA and HIPAA set a floor, and that floor barely scratches the surface of the technical controls needed to build a more secure environment.

Often, organizations are misled into believing that meeting compliance frees them from liability in the event of a breach. Scores of organizations feel that once an audit is complete, the mission has been accomplished, and that they are done with compliance and security until next year. That misconception has cost organizations substantial financial losses. Security requires constant, daily attention from the management of a business to its assets. Companies must continually re-evaluate not only the assets themselves, but also the measures put in place to shield them.

Author Stephen R. Covey urges readers to distinguish between what is merely urgent and what is important when he says we should “put first things first.” In the context of company data assets, that means putting the highest-value assets first. Security is a top-down process. It requires evaluating each asset against several key criteria to protect your business:

  • Criticality – Most importantly, you must clearly recognize which data losses would stop your business from functioning altogether. Neither compliance nor security matters much if your business closes. Exercise great care here. Many companies do not consider or appreciate the criticality of certain data entities, processes, and other assets whose compromise could cost them the company.
  • Valuation – How much, in pure monetary terms, would it cost your company if you lost a particular data asset? One good reason to determine the value of an asset is that many companies spend far more protecting an asset than the asset is worth. This often happens when assets fall within the scope of an upcoming regulatory audit and thus become artificially highly valued simply by default. Where the cost of the controls exceeds the expected loss, it may be better to save your money and consciously accept, and document, the risk.
  • Confidentiality – What would be the loss if that data asset were exposed to others and was no longer proprietary to your company? For example, how much would Coca-Cola suffer if its secret recipe were disclosed? Its product could be commoditized instantly, eliminating the key element that makes Coca-Cola special. Its business would, at the very least, radically change.
  • Availability – Data assets are often exposed because of a perception that they need to be readily available, and available to too wide a circle of potential users. More scrutiny is needed to determine just how available a given data asset needs to be. Often the cost of securing a data asset can be reduced simply by restricting access to the people who actually need it, which shrinks the population the remaining access controls must govern.
  • Integrity – There are three basic components to data integrity:
    •  The first is that the data is trustworthy. In a secure environment, data is modified only through proper channels, and only by appropriately authorized people.
    •  Second is to evaluate how important it is that, in the event the data is corrupted, it can be restored to a trustworthy state with minimal loss.
    •  Third is how important it is that the corrupting party be identified. As an example, say a nurse becomes unhappy with the hospital that employs her. Using her access, she modifies a patient’s allergy information. The hospital subsequently administers a medication to which the patient is allergic, and if the patient has a bad reaction the hospital is exposed to litigation. A single such exposure can mean the end of your business.
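The criteria above can be turned into a repeatable triage rather than a one-off audit exercise. The following is an added example, not code from Access-Interactive or from the original post: it ranks a constructed asset inventory with criticality first and expected annual loss second (the “put first things first” ordering), flags non-critical assets whose controls cost more per year than the loss they prevent (the over-spending problem described under Valuation), counts accounts that could be removed before more access controls are bought (Availability), and then walks a constructed audit trail for the nurse/allergy scenario to cover the three integrity components: detect writes by roles not authorized to change a field, name the user who made them, and work out the last trustworthy value to restore. Every asset, figure, user name, role and log entry is assumed for illustration.

```python
"""Data-asset triage and an integrity check over an audit trail.

Added example; all assets, dollar figures, probabilities, users, roles and
audit entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class DataAsset:
    name: str
    critical: bool            # Criticality: losing it stops the business
    loss_value: float         # Valuation/Confidentiality: cost if lost or disclosed
    loss_probability: float   # assumed annual likelihood of that loss
    required_users: int       # Availability: how many people truly need access
    current_users: int        # how many have it today
    control_cost: float       # annual cost of the protections in place


def expected_annual_loss(asset: DataAsset) -> float:
    """Loss value times annual probability: the figure to weigh control spend against."""
    return asset.loss_value * asset.loss_probability


def over_protected(asset: DataAsset) -> bool:
    """Non-critical asset whose controls cost more per year than the loss they prevent.

    Critical assets are never flagged: if losing them closes the business,
    the comparison is meaningless.
    """
    return not asset.critical and asset.control_cost > expected_annual_loss(asset)


def excess_access(asset: DataAsset) -> int:
    """Accounts that could be removed before buying more access controls."""
    return max(0, asset.current_users - asset.required_users)


def triage(assets: List[DataAsset]) -> List[DataAsset]:
    """Put first things first: critical assets first, then by expected annual loss."""
    return sorted(assets, key=lambda a: (not a.critical, -expected_annual_loss(a)))


# Integrity: which roles may write which field. Fields without an entry are
# deny-by-default, so an unexpected field write is also flagged.
AUTHORIZED_WRITERS: Dict[str, Set[str]] = {
    "allergies": {"physician", "pharmacist"},
    "room": {"nurse", "physician"},
}


@dataclass
class AuditEntry:
    seq: int        # monotonically increasing write sequence number
    user: str
    role: str       # role the user held when the write was made
    record: str
    field: str
    old: str
    new: str


def unauthorized_changes(trail: List[AuditEntry]) -> List[AuditEntry]:
    """Components 1 and 3: writes by roles not allowed to change that field, with the user named."""
    return [e for e in trail if e.role not in AUTHORIZED_WRITERS.get(e.field, set())]


def last_trusted_value(trail: List[AuditEntry], record: str, field: str) -> Optional[str]:
    """Component 2: the value to restore, i.e. the newest write by an authorized role.

    If no authorized write is logged, the value before the first logged change is
    returned, so an unauthorized write is never accepted as the restore point.
    """
    entries = sorted((e for e in trail if e.record == record and e.field == field),
                     key=lambda e: e.seq)
    if not entries:
        return None
    trusted = entries[0].old
    for e in entries:
        if e.role in AUTHORIZED_WRITERS.get(field, set()):
            trusted = e.new
    return trusted


# Constructed inventory: a hospital with three assets of very different weight.
ASSETS = [
    DataAsset("patient records", True, 5_000_000, 0.05, 40, 40, 120_000),
    DataAsset("billing database", False, 800_000, 0.10, 12, 60, 30_000),
    DataAsset("cafeteria menu archive", False, 2_000, 0.20, 3, 200, 15_000),
]

# Constructed audit trail: a physician records an allergy, then a nurse blanks it.
AUDIT_TRAIL = [
    AuditEntry(1, "dr.lee", "physician", "MRN-1001", "allergies", "", "penicillin"),
    AuditEntry(2, "rn.smith", "nurse", "MRN-1001", "allergies", "penicillin", "none"),
    AuditEntry(3, "rn.smith", "nurse", "MRN-1001", "room", "4B", "4C"),
]


if __name__ == "__main__":
    for a in triage(ASSETS):
        print(f"{a.name:24} critical={a.critical!s:5} EAL=${expected_annual_loss(a):>10,.0f} "
              f"over_protected={over_protected(a)!s:5} excess_access={excess_access(a)}")
    for e in unauthorized_changes(AUDIT_TRAIL):
        print(f"unauthorized write #{e.seq} by {e.user} ({e.role}) to {e.record}.{e.field}: "
              f"{e.old!r} -> {e.new!r}")
    print("restore allergies to:", last_trusted_value(AUDIT_TRAIL, "MRN-1001", "allergies"))
```

Two design choices are worth noting. The over-spend check deliberately excludes critical assets, because the article's point is that criticality comes before any dollar comparison. The restore logic never treats an unauthorized write as a trusted state, even when it is the newest entry; attribution (who wrote it, under which role) comes straight from the trail, which only works if the trail itself cannot be edited by the people it records.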

The regulatory landscape of Information Security can be daunting for many businesses, and some struggle with achieving or maintaining compliance, but acknowledging that security doesn’t end with compliance is an important step for any business. Business leaders inside and outside Information Security can take comfort that they are part of a large community that understands their concerns about compliance and security.

What can a business do to become compliant, or perhaps even more importantly, secure? Most regulatory bodies offer guidance and certification programs, and these resources can be used by in-house teams or contracted out to vendor SMEs. Regardless of method, instituting a continuous process of compliance and asset evaluation can ultimately save a business from fines, business interruptions, and extinction.

Jennifer Hudgins is an Account Executive at Access-Interactive. Hudgins has worked for the last three years in the southeast Michigan tech community where she has focused on connections between teams, organizations, and communities through groups such as Automation Alley, Tech 248, the Livonia Chamber of Commerce, Motor City Connect, and Ann Arbor Spark among others. At Access-Interactive Hudgins has focused on broadening the company’s reach and manages its social media presence. She has also worked to bring in Access-Interactive partners to co-host client events at Automation Alley with a focus on Information Security.

Waleed Haddad is Access-Interactive’s Security & Compliance Director. Access-Interactive is an Information Technology business consulting firm that has operated in southeast Michigan since 1985. Haddad has over 14 years’ experience in the Information Security industry, and in his current role he is responsible for security outreach and for managing the governance and compliance strategies of Access-Interactive’s clients. Access-Interactive works directly with clients to develop, modify and maintain governance strategy against frameworks such as PCI DSS, SSAE 18, GLBA, HIPAA, FISMA, NIST, ISO 27002, and HITRUST.

Filed under: Cybersecurity
