In today’s marketplace, almost every employee is now a content contributor. Although beneficial to the collective pool of information available, this influx brings about new risk. Legal systems worldwide are clamping down and demanding greater compliance – particularly on IT systems – making it essential for organizations to implement compliance and risk management protocols. So how do we balance the benefit of the free flow of information with the risk of inappropriate access and/or disclosure? What are the consequences of not doing so?
For most organizations, this is both a subjective and objective decision. In order to implement a risk management strategy, you first must understand what risk means to your particular organization. There are many methods of assessing risk – ranging from informal to much more prescriptive and mathematical.
I have heard some companies even describe their calculations as follows: “If something bad happens, we need to address the following questions: Will my CEO go to jail? Will the company suffer crippling fines, penalties, or potential legal liabilities? Will the cost of a preventative solution outweigh the costs of what the company would pay in the worst-case scenario?” This approach lends itself to a lot of speculation. Implementing a more mathematical approach gives a company a more repeatable process. Analysis of this risk requires a balance of standards, exposure, and what it means to your business.
The National Institute of Standards and Technology has developed a risk management framework and methodology for applying a more programmatic approach. In essence, it helps an organization understand how to prioritize the protection of data. Identify the “crown jewels” – the kinds of data that need to be protected and from whom they need to be protected.
- What are the systems you use within your organization with partners, vendors, and customers?
- Which of these systems will be holding protected data?
- How will you prevent sensitive data from being stored in the wrong place?
- How will data be stored and flow through these systems?
Many companies worry about “dark data” – data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) without being inventoried or classified. Understanding what and where this data is and properly classifying it will allow you to put the appropriate levels of protection in place. For example, many companies apply their security protocols in broad terms – using the same security procedures for everything. But do you need to put the same security protocols around protecting pictures of your company picnic as you do around protecting your customers’ credit card information?
There are four simple steps that organizations can take to implement a risk management strategy that identifies policies and controls reflecting real life data protection and risk management:
1. Assess: Understand what kind of sensitive data the company holds and how the systems it uses will collect and protect that data.
2. Validate: Prove that the data that may put the organization “at risk” is in the proper systems.
3. Control: Protect sensitive information with controls for security, geography, retention, and classification – reducing risk across the enterprise.
4. Report: Provide executive reports on Key Performance Indicators (KPIs) or Key Control Indicators (KCIs) to highlight areas in the organization that need to be addressed to reduce risk, or report on progress made throughout the lifecycle.
Without a doubt, we are living in a data-driven society with globalizing economies, data transfer, and ubiquitous access to everything from anywhere. At the same time, we have seen an influx of compliance- and data-security-related stories flood news outlets. The reality is that companies are in business to make money – it is the job of compliance professionals (privacy officers, attorneys, or security officers) to help them do so, while making sure they are protecting their sensitive information at the same time.