Trust But Verify. What to do about sensitive data.
This is the second article in our series on data access best practices. In the first one we looked at the reasons why data access can be challenging for organizations and highlighted some of the key principles that are good to have in mind when setting up this process. In this one we will show you how to protect your sensitive data.
The topic of sensitive data is, well, a sensitive one. And for good reason. Companies have a lot of it, and some of it needs to be kept secret or shared with as few people as possible. It’s not just company-related information, like potential mergers or acquisitions, clinical trials or new products and solutions, but also customer information, such as financial data, or employee details.
Moreover, a lot of it is usually subject to industry regulations as well: HIPAA, GDPR, PCI, GLBA and so on.
Data can help companies develop better services and products or gain a more in-depth understanding of the market. But at the same time, it can become a liability if not properly protected.
How to handle sensitive data
The main thing you need to do is have a streamlined data access process. This means that when someone who doesn’t have clearance tries to access the data, they get a message explaining why, along with the steps they need to take if they want to view it.
In order to implement such a process, you have to identify the data owners, designate them as reviewers and give them the autonomy they need to make decisions with regard to who can access it.
“All models are wrong, but some are useful” goes the apocryphal saying. Wrong because there is no way to take into account everything that might happen. But useful because it can provide us with insights and assist the decision-making process.
As with other types of risk, the risks associated with data access can be modelled. You can look at what types of risk you might face, assign various degrees of importance and look for ways to mitigate them. After this process, document it thoroughly and share it with key decision makers who are going to be involved.
And last but not least, audit everything: data, permissions, and accesses. For most of us, especially those who have worked in large corporations, the very mention of the term audit conjures up feelings of dread.
However, a data audit can help you improve not only the security of your data process but also its accuracy. Analytics play a key role in business decisions, so it is important for everyone to have confidence in the data they have. A properly done permissions audit can help uncover overly broad or overly restrictive permissions. And auditing actual data accesses may not only fulfill compliance obligations, but may also help uncover opportunities for data ecosystem optimization. To take a small example, an audit may uncover that the same few rows or columns are always accessed in an otherwise expensive table, enabling a likely cost-saving optimization.
Risk modelling for data access
Here are some guidelines to help you get started with a risk model for data access.
The first thing you need to have in mind is that not all data access requests are created equal. Some are riskier than others. You can define that risk based on:
- How sensitive the data is: Are you storing Social Security Numbers, Credit Card information, health data, data about protected categories?
- Who has access to it: a data scientist who is new to the project and might not be aware of all the guidelines, or salespeople querying client financial information, are two examples of potentially risky situations in terms of data access.
Based on this you can work on creating a set of rules for auto-grants so that you do not have to spend time manually checking each request. And after a while, if the volume is high enough, you could even go a step further and use Machine Learning to automate rule development.
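A minimal sketch of such auto-grant rules, added here as an illustration and not taken from the original article: it scores a request on the two factors above, auto-grants low-risk requests, routes the rest to the data owner with a message explaining why, and records every decision for audit. The sensitivity tiers, threshold, weights and all names are assumptions.

```python
from dataclasses import dataclass

# Constructed sensitivity tiers; a real deployment would load these from a data catalog.
SENSITIVITY = {"public": 0, "internal": 1, "financial": 2, "health": 3, "ssn": 3}
AUTO_GRANT_MAX = 2   # assumed threshold: scores above this go to the data owner
AUDIT_LOG = []       # every decision is recorded, granted or not

@dataclass
class AccessRequest:
    user: str
    role: str
    days_on_project: int
    dataset: str
    category: str
    owner: str  # data owner designated as reviewer

def risk_score(req):
    # Unknown categories fail closed: treat them as the most sensitive tier.
    score = 2 * SENSITIVITY.get(req.category, max(SENSITIVITY.values()))
    if req.days_on_project < 30:
        score += 2  # new to the project, may not know the guidelines yet
    if req.role == "sales" and req.category == "financial":
        score += 2  # role/data combination the risk model flags
    return score

def decide(req):
    score = risk_score(req)
    if score <= AUTO_GRANT_MAX:
        result = {"decision": "auto-grant", "score": score,
                  "message": f"Access to {req.dataset} granted automatically."}
    else:
        result = {"decision": "review", "score": score, "reviewer": req.owner,
                  "message": (f"Access to {req.dataset} was not granted automatically "
                              f"(risk score {score}). It has been sent to the data "
                              f"owner, {req.owner}, for review.")}
    AUDIT_LOG.append({"user": req.user, "dataset": req.dataset, **result})
    return result

if __name__ == "__main__":
    # Constructed sample requests.
    for r in [AccessRequest("ana", "analyst", 200, "web_traffic", "internal", "dana"),
              AccessRequest("ben", "data_scientist", 10, "web_traffic", "internal", "dana"),
              AccessRequest("cal", "sales", 400, "client_ledger", "financial", "erin")]:
        print(r.user, decide(r)["decision"])
```

Because unknown data categories are scored as the most sensitive tier, a dataset that has not been classified yet can never be auto-granted.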
How to handle improper access
You cannot prepare for everything, which means that mistakes will happen. Most of the time they are unintentional, usually related to a bug. One of the programs you work with has an update and the security measures you had in place no longer work. Or support might be discontinued for one of the software solutions you use.
In cases like this it is important that these bugs are reported and fixed. And in order for this to happen you need to promote the type of corporate culture that encourages people to talk about potential issues, even when it is their mistake. Otherwise, they will not get reported.
And very rarely you will also have situations where people actually access data for malicious reasons. So, you need to have procedures in place both from an InfoSec point of view and from an HR point of view. What diagnostics will be run? How will the employee be handled? Who has to talk to them? These are some of the questions you need to think about.
This is something that you can include in your data access risk model.
How to encourage data sharing
As we discussed in our first article, there are plenty of reasons not to share data within your company. But the benefits far outweigh the costs. Except that it is very hard for employees to see these benefits, let alone be impacted by them. So, you need to have incentives for people who share their data.
For example, you can include this in the yearly assessments that you do. Or you can offer various rewards to those who share and curate the data. The important thing is that people understand that data sharing is encouraged throughout the organization.
Coming up in the third part of our article series are the software solutions you can use to facilitate data access within your company.
Originally published at https://scie.nz.