Pardon Me. Would You Have Any (Grey Poupon) Data?

By Steve Gold
Posted in Security
On May 23, 2023

If you get the joke behind the title, you’re either as old as I am or spend hours on the Internet searching for ’80s commercials. Either way, good on ya!

In 2006, Clive Humby, a British mathematician and data science entrepreneur, coined the phrase “Data is the new oil.” Humby meant that data, like oil, isn't useful in its raw state. It needs to be refined, processed, and turned into something useful; its value lies in its potential. Many others have come up with different interpretations and you’re about to get mine now.

I believe the phrase “Data is the new oil” wields a social effect. It communicates data’s power and lucrativeness in the digital age. This is proven by the continual increase in breaches caused by ransomware solely to gain access to data.

During a ransomware event, data is either exfiltrated, encrypted, or in most cases, both. The systems that store/access the data are also typically disabled. Paying the ransom “should”:

  1. Enable all the systems and decrypt the data
  2. Prevent the exfiltrated data from hitting the dark web or being sold to other malicious groups
  3. Prevent you from being attacked again

However, as we know, “should” rarely happens.

This leads us back to the last two Controls. You can’t protect what you can’t see. If you don’t know what data you have, where your data lives, what’s in your data, and who’s accessing your data, you can’t protect it. This Control and these next few Safeguards are going to address how you can protect your data.

It is imperative for organizations to develop a data management process that includes a data management framework, data classification guidelines, and requirements for protection, handling, retention, and disposal of data. We’ll dive into the most important components over the next few posts.

Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.

CIS Control 3 – Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Implementation Group 1

CIS Safeguard 3.1 - Establish and Maintain a Data Management Process

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Steve Gold

Steve Gold is Gotham’s Cybersecurity Practice Director. During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, including Dell and VMware. His expertise includes Cloud Computing, Channel Development, Territory Management, and Government Sales. For the past decade, Steve focused on helping State, Local, and Educational organizations secure their data and worked to assist them in implementing technology solutions that address their major business challenges.