7 Steps for Dealing with the People Component of Data Security
We outline seven steps that help you address the people aspect of data security.
By Abir Thakurta, CISSP, Senior Director of Pre-Sales and Professional Services, nuBridges, Inc.
Businesses depend on data to run. Therefore, protecting data is not just about locking it down; it’s also about how to provide access to sensitive data while protecting it at the same time. Because of this delicate balance, one of the most challenging aspects of implementing a data security program is dealing with the people who work with confidential data. Under a new data security program, some people will gain new responsibilities for protecting the data while others will no longer have visibility to it. Either way, there’s likely to be more than a few ruffled feathers to smooth. To help ensure a positive transition to enterprise-wide data security, it is imperative to first deal with the people and process components of data privacy, without which a data protection program is likely to fail.
Data Privacy and Data Security
Let’s differentiate between data privacy and data security.
Data privacy is the relationship between the collection and dissemination of data, people, technology, the public expectation of privacy, and the legal issues surrounding them. Improper or non-existent disclosure control can be the root cause of privacy issues.
Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus, data security helps to ensure data privacy.
Many organizations implement a data security program to comply with the Payment Card Industry’s Data Security Standard (PCI DSS), where the dataset in question is credit cards. Data security also helps in protecting personal data that falls under privacy laws. Data security is often referred to as “an encryption project” or “a tokenization project” within many organizations; however, there is much more to data security than applying remediation technology or techniques.
Dealing with People Who Deal with Data
Dealing with the people component of data security is critical to any data security program. People are emotional and there is no technology that can deal with human emotions or behavior. Taking away the ability to work with data under a security program is akin to taking privileges away from an employee. Such an action taken without proper education can cause the program to stumble, especially if people deem accessing the data to be important for the business. Such restrictions could actually cause employees to use workarounds that increase the risk of a data breach or data leakage from the organization. A classic example would be an employee accessing the sensitive data and revealing it to others inside or outside the organization by e-mailing it or simply writing it on a piece of paper. Additionally, using techniques such as social engineering to get the information from workers is increasingly becoming a path of least resistance for attackers.
Therefore, it is imperative to address the people component of your data security program early to prevent unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. As with any initiative, executive sponsorship is critical. The data security message must come from the top. Engaging the CIO or CFO early in the project is wise, but only after all of the process and technology challenges have been identified. Here is a quick overview of a proven approach:
Step 1: Identify critical business processes that your program impacts.
Identify the sensitive data footprint within your organization. This includes the business processes impacted as a part of data remediation such as the payment, order-to-cash, or procure-to-pay process. Examining the most critical processes will usually reveal which people will be impacted. It will also reveal the process owners, who are essential to the design, implementation, and roll-out of the program.
Step 2: Identify aspects of the business process that do not require sensitive data.
Working with process owners and other members of the cross-functional team, identify aspects of the process that can be handled with encrypted or surrogate data. Empirical evidence based on past experience suggests that 60 to 70 percent of activities related to many management, operational, and supporting processes do not require sensitive data. This step will also reveal the people within the process who work with sensitive data. Typically, the output of this step should be a process flow diagram with identified stakeholders.
Step 3: Add data security to your security policy.
Adding a data security component to the security policy helps formalize the program. Include a data classification program that has been designed to support the “need to know” principle. This also allows for users to be educated on different data types -- sensitive, restricted, public, confidential, etc. -- within your organization.
Step 4: Add an acceptable-data-use policy to your organization’s acceptable-use policy.
This will ensure that privileged users are bound by governing rules and sanctions placed on the management and processing of sensitive data. This also creates a policy that can be mandated and audited. In the event of a policy violation, the organization can appropriately withdraw access to sensitive data.
Step 5: Identify people who have access to sensitive data.
Working with the process deliverable, identify people who have access to sensitive data. Creating a stakeholder accountability matrix will help define who is responsible for handling sensitive data and who could work just as effectively with an encrypted or a surrogate value. Pay more attention to people who will not have access to sensitive data when you implement your data security program.
Step 6: Develop a category of users called “Privileged User.”
Obtaining a “privileged user” credential should require meeting a set of criteria, including how employees can be granted such credentials and under what circumstances they can be withdrawn. Applying the principle of least privilege to users accessing sensitive data should help create a defense-in-depth strategy that can help counter threats. Everyone who works with sensitive data and who is not a privileged user is now a “business user.”
Step 7: Educate and train.
Raising awareness of privacy issues within your organization is an important step in executing a successful data protection program. Explain to stakeholders why reducing risk is important to your business. Awareness training educates privileged and business users about the appropriate use, protection, and security of sensitive data within the organization. It also helps people understand their individual responsibilities for ensuring confidentiality, integrity, and the availability of data assets. Training should enhance user awareness, increase security, achieve compliance, and improve productivity for your business. Introduce the data security program using internal communications and promotions and consider hiring a professional trainer. New employee security awareness training programs and periodic refresher courses can also be administered online using third-party professional services.
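To show how Steps 2, 5 and 6 fit together in practice, here is an added example (not from the article or from nuBridges): constructed process activities are flagged by whether they truly need the clear-text value, an accountability matrix is derived from them, and a toy token vault then hands business users a surrogate value while only privileged users may detokenize, with every attempt logged so the policy from Step 4 can be audited. The process names, staff names and card number are all made up for illustration.

```python
import secrets

# Constructed sample data (Step 2 output): each activity of a business process,
# whether it genuinely needs the clear-text card number, and who performs it.
ACTIVITIES = {
    ("order-to-cash", "take payment"):      {"needs_sensitive": True,  "staff": {"alice"}},
    ("order-to-cash", "confirm shipment"):  {"needs_sensitive": False, "staff": {"bob"}},
    ("order-to-cash", "handle chargeback"): {"needs_sensitive": True,  "staff": {"alice", "carol"}},
    ("procure-to-pay", "match invoice"):    {"needs_sensitive": False, "staff": {"bob", "dave"}},
}
# Constructed: today everyone in these processes can see the full card number.
CURRENT_ACCESS = {"alice", "bob", "carol", "dave"}


def accountability_matrix(activities, current_access):
    """Step 5: split staff into privileged users (some activity needs the real
    value), business users (a surrogate suffices), and those losing access."""
    privileged, business = set(), set()
    for info in activities.values():
        (privileged if info["needs_sensitive"] else business).update(info["staff"])
    business -= privileged                      # one sensitive activity makes you privileged
    return {"privileged": privileged,
            "business": business,
            "losing_access": current_access - privileged}


class TokenVault:
    """Step 6 enforced in code: business users work with a surrogate that keeps the
    last four digits; detokenizing is allowed only for privileged users and every
    request, allowed or denied, is appended to an audit log (Step 4)."""

    def __init__(self, privileged_users):
        self.privileged = set(privileged_users)
        self._vault = {}          # token -> clear-text value (a real vault would encrypt this)
        self.audit_log = []       # (user, token, decision)

    def tokenize(self, pan):
        # Random, non-reversible surrogate; last four digits kept for business use
        token = "tok_" + secrets.token_hex(6) + pan[-4:]
        self._vault[token] = pan
        return token

    def detokenize(self, user, token):
        allowed = user in self.privileged
        self.audit_log.append((user, token, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{user} is a business user and may only use the surrogate")
        return self._vault[token]
```

The `losing_access` set is the group Step 5 says to pay the most attention to, since these are the people whose workflow changes when the program goes live.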
The Bottom Line
Although technologies can provide mechanisms such as encryption and tokenization to protect data, the real challenge lies in ensuring that human behavior towards data security is appropriately controlled. This can only happen when the data security program combines data privacy with appropriate levels of employee awareness training and ongoing education throughout the organization.
Abir Thakurta, CISSP, is senior director of pre-sales and professional services for data protection software vendor nuBridges, Inc. where he is responsible for delivering data security solutions and managing customer engagements. He can be reached at athakurta@nubridges.com.