Data Inventory - A Prelude to Securing Sensitive Data

 

In a previous blog, “Privacy Management Begins with Data Discovery”, I indicated that it is difficult, if not impossible, for an organization to effectively ensure data security and privacy if the organization does not know the type of data it has, including where it lives and how it needs to be protected.

To effectively protect customer, employee, and corporate information, the following must be known:

  1. What data exists across the enterprise
  2. Where the data resides exactly
  3. The purpose of the data and its risk to the organization if it is compromised
  4. The compliance regulations governing the data
  5. Who is allowed to access and use the data

How do we use the knowledge above to operationalize a security strategy to protect customer, employee, and corporate information?

The following diagram, taken from the IBM Cybersecurity Analyst certification course, provides a high-level overview of a strategy that one could implement.


© 2019 IBM Corporation

See the resources listed below for specific guidance on securing the repository (database) housing the information and systems supporting these databases.

The Center for Information Security – The Center produces CIS Benchmarks, which are frameworks for calibrating a range of IT services and products to ensure the highest standards of cybersecurity. They're developed through a collaborative process with input from experts within the cybersecurity community.

See web link: https://www.cisecurity.org/

Common Vulnerabilities and Exposures - CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws.

See web link: https://www.cve.org/

See web link: https://cve.mitre.org/

Security Technical Implementation Guides (STIGs) - The Security Technical Implementation Guides (STIGs) are the configuration standards created by the Defense Information Systems Agency (DISA) for Department of Defense systems. The STIGs contain technical guidance to lock down information, systems, and software, which might otherwise be vulnerable to a malicious computer attack, by limiting account access to a system.

See web link: https://public.cyber.mil/stigs/









