You can’t protect what you can’t see!
You can’t protect what you can’t see!
You can’t protect what you can’t see!
Anybody seeing a theme here? Establishing a process to inventory where your data lives (on-premises storage, mail platforms, endpoints, mobile devices, cloud storage, cloud infrastructure, blah, blah, blah) is the first step in building a data management framework.
The second step is to establish labels for your data to understand what data you should protect and to what level you need to protect it. Labels can be as simple as “Sensitive,” “Confidential,” and “Public.” You can go even deeper by leveraging some COTS (commercial off-the-shelf) products that will go inside of each file, screenshot, image, etc., to pick out Social Security Numbers (SSN), credit card numbers, and other Personally Identifiable Information (PII).
An organization’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost because of theft or espionage, the vast majority is lost as a result of poorly understood data management rules and user error.
The biggest challenge I’ve seen is the chaos created after a breach, once data hits the dark web. Organizations scurry to identify what was inside those files to determine how to report it and to whom. Now that they know what files (filename.doc) were exfiltrated, they then must find all of the file locations and versions. Feel free to peek at your email inbox, sent items, and deleted items (along with all your archived storage files) and sort by attachments.
You can’t protect what you can’t see, so establish and maintain a data inventory.
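To make the inventory and labeling steps concrete, and the post-breach hunt for every copy of a file, here is an added Python example (not code from CIS or from any COTS product). It records path, content hash, detected PII and a label for each file; the regexes, the `Unreviewed` label for files with no match, and all function names are assumptions of this example.

```python
import hashlib
import re
import sys
from pathlib import Path

# Candidates only: issued-range US SSN shape; 13-19 digits with optional space/hyphen separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(text):  # -> sorted kinds found: "card" and/or "ssn"
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.add("card")
    return sorted(kinds)

def build_inventory(root):
    """Walk root and record path, content hash, PII kinds and label per file."""
    inventory = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()  # reads the whole file into memory
        except OSError:
            continue  # unreadable file: skipped here, log it in practice
        kinds = find_pii(data.decode("utf-8", errors="ignore"))
        inventory.append({"path": str(path), "pii": kinds,
                          "sha256": hashlib.sha256(data).hexdigest(),
                          "label": "Sensitive" if kinds else "Unreviewed"})
    return inventory

def copies_of(inventory, path):
    """Every inventoried location whose bytes match the file at path."""
    wanted = {r["sha256"] for r in inventory if r["path"] == path}
    return sorted(r["path"] for r in inventory if r["sha256"] in wanted)

if __name__ == "__main__":
    for rec in build_inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rec["label"], rec["pii"], rec["sha256"][:12], rec["path"])
```

Hash matching finds byte-identical copies only; edited versions of a document have different hashes and still have to be found by name or content.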
Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Implementation Group 1
CIS Safeguard 3.2 - Establish and Maintain a Data Inventory
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.