Chief information security officers (CISOs) are quickly adapting to the changing requirements associated with regulations like Europe’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), with states like Texas, Maine, and Nevada following close behind with their own rules. Creating an effective data protection program is a priority for national and global enterprises.
Trying to keep up with each state's rules, or treating every client according to the regime that applies at their location, quickly becomes unmanageable, so enterprises need a different way of thinking about data protection. That change begins with a cultural shift: the organization stops seeing itself as the owner of any particular set of data and instead treats itself as its custodian, responsible for deciding how best to protect it.
Further complicating data protection plans is the sudden shift to remote work caused by COVID-19 and the larger, more complex attack surface that geographically dispersed remote teams have introduced.
Any solid data protection program will have the following three elements included:
Data Mapping: CISOs must begin by involving both the IT department and line-of-business managers in an extensive data mapping exercise: what personal data is collected, where it is stored, who can reach it, and where it flows. Knowing how data moves across the organization lets you define a single baseline of protections that satisfies the strictest rule applying to any of it, rather than maintaining a different standard per jurisdiction.
Embracing Least Privilege: One effective way to protect data as it moves across the organization is a "least privilege" approach. It maps each role to the minimum data and system access that role needs to do its job, erring on the side of less access rather than more, and revisits those grants through periodic access reviews as roles change. This step should be worked out in partnership between the security team and line-of-business managers: a least privilege policy gets far more buy-in when it is not simply mandated by security.
Encryption: CISOs often get pushback on encryption because it can be expensive and because it raises hard questions: which data must be encrypted, where (in transit, at rest, or at the field level), and how keys are to be managed. Most regulations do not spell this out, leaving the enterprise to determine its own path. Encryption, tokenization and anonymization differ in what they promise. Encryption and tokenization are reversible by whoever holds the key or the token vault, so they only make stolen data useless if the keys or vault are stored and access-controlled separately from the data itself; an attacker who compromises the application with its keys reads plaintext. Anonymization is irreversible, and genuinely anonymized data generally falls outside the definition of personal data, at the cost of reduced usefulness. Whichever is chosen, the goal is the same: if malicious actors gain access to the system, the data they exfiltrate should be worthless to them.
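To make the distinction between these three techniques concrete, here is an added example, not from the original article, written in Python using only the standard library. It tokenizes the sensitive field of a constructed sample record through a token vault, contrasts keyed pseudonymization (HMAC with a secret key) with the common mistake of an unkeyed hash that a dictionary attack reverses, and shows an irreversible anonymization step. The in-memory dictionary standing in for the vault service, the record, and the key are all assumptions for illustration.

```python
"""Added example (not part of the original article): making a stolen copy
of a customer record useless to an attacker. Standard library only."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample record; the email is the sensitive field.
SAMPLE_RECORD = {"customer_id": 1042, "email": "alice@example.com", "plan": "gold"}


def new_key() -> bytes:
    """A 256-bit secret key. In practice it lives in a KMS/HSM, never beside the data."""
    return secrets.token_bytes(32)


class TokenVault:
    """Tokenization: the value is replaced by a random token and the mapping is
    kept in a separate, access-controlled store. The token carries no
    information about the original, so a dump of the application database
    alone reveals nothing. (Assumption: an in-memory dict stands in for the
    vault service.)"""

    def __init__(self) -> None:
        self._forward: dict = {}
        self._reverse: dict = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so joins on the tokenized column still work.
        if value in self._forward:
            return self._forward[value]
        token = "tok_" + secrets.token_hex(16)
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the original."""
        return self._reverse[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonymization (HMAC-SHA256): deterministic, so records can
    still be linked, but not reversible or guessable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """The common mistake: a plain hash of a low-entropy value such as an email."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does with an unkeyed hash: hash each candidate and compare."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


def anonymize(record: dict) -> dict:
    """Irreversible: drop the identifier and keep only coarse attributes."""
    domain = record["email"].split("@", 1)[1]
    return {"email_domain": domain, "plan": record["plan"]}


def protect_record(record: dict, vault: TokenVault) -> dict:
    """What the application stores: the email replaced by its token."""
    protected = dict(record)
    protected["email"] = vault.tokenize(record["email"])
    return protected


if __name__ == "__main__":
    vault = TokenVault()
    key = new_key()
    stored = protect_record(SAMPLE_RECORD, vault)
    print("stored:", stored)
    print("recovered via vault:", vault.detokenize(stored["email"]))
    print("keyed pseudonym:", pseudonymize(SAMPLE_RECORD["email"], key))
    guesses = ["bob@example.com", "alice@example.com"]
    print("unkeyed hash broken:", dictionary_attack(unkeyed_hash(SAMPLE_RECORD["email"]), guesses))
    print("keyed pseudonym survives:", dictionary_attack(pseudonymize(SAMPLE_RECORD["email"], key), guesses))
    print("anonymized:", anonymize(SAMPLE_RECORD))
```

The point of the dictionary attack is the key management caveat from the paragraph above: a reversible scheme (token vault, encryption key, HMAC key) protects nothing if the secret sits next to the data, and an unkeyed hash of a guessable value is not protection at all.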
If an enterprise decides that a third-party provider is a good answer to its regulatory compliance concerns, it must not treat this as a hands-off solution: under GDPR and similar regimes the enterprise remains accountable for the data it entrusts to a processor. CISOs also need to stay engaged with their cloud service providers and confirm that each provider's security controls align with the enterprise data protection program.

Is your organization considering a comprehensive approach to your data protection program? ITBroker.com can help. From helping you create the right approach and developing buy-in to ensuring each set of data is mapped and protected, we can help you meet your compliance requirements. Contact us to learn more.