One of many security incidents in the media, travelagency Cheaptickets was hacked and almost 1 million customer records were exposed. Production environment was securely tested, but the test environment was also accessible from the internet and apparently less secure. Data Risk Management should therefore focus on the DATA, like the new version of the international security standard ISO27001:2013 prescribes.
Scoping
Company data is growing exponentially and after 10-20 years of data storage a huge pile of data: Big Data. By scoping we can reduce size and complexity. Your scope should focus on large structured datasources related to Mission Crircal Applications. Then you follow the DATA, like you follow the money. Your “data crown jewels” have an interface and/or are copied to other departments, business partners and locations. Localize these important data assets and records a physical address and/or IP-address.
“Don’t pay a quarter to protect a dime”
Data Risk Management is to help the management to become aware of the current data risks. A heatmap of all important data sources should help to decide to spend money most effectively on the most risky data sources.
The Bottom Line
DRM will evolve as organizations continually look to balance protection of business data and costs. Understand your exposure and risk appetite and have a plan of action to mitigate your potential liability. Data Risk Management is an art and not a science. “
About the author: Gerco Kanbier is managing director of Trust in People – the information protection company in The Netherlands. More information at www.trustinpeople.com.