3 steps to assess and protect your most sensitive data


Few companies can afford to protect all data equally. A risk assessment exercise helps you identify your most sensitive information and keep it safe.

In summary:

Legally regulated data, confidential business information, and intellectual property require extra protection.

Experienced partners can help you assess the vulnerability of your sensitive data to theft or disclosure.

Technologies such as data leak prevention systems and rights management software help safeguard sensitive data.

A typical organization's data store ranges from trivial (like the cafeteria lunch menu) to strategic (like the blueprints for your latest product). Yet when it comes to security, most small and midsize companies view all their information in the same way. It's a dangerous mistake, warns Richard Stiennon, a principal consultant at the security research and advisory firm IT-Harvest in Birmingham, Michigan. "You fall into the trap of trying to protect all your information [equally]," he says. As a result, routine information ends up getting more protection than it needs while truly sensitive data doesn't get enough. Take a more targeted and effective approach to data protection by performing these three basic steps.

1. Identify your most critical information assets
Though there are few set rules governing what data matters most, the following categories serve as good starting points:

Regulated data: Information that you're legally obligated to safeguard should receive your highest attention. For example, regulations such as the U.S. Electronic Communications Privacy Act and the European Union's Data Protection Directive require organizations to shield personal information about their customers and employees. So do industry-specific laws in the U.S. such as the financial services industry's Gramm-Leach-Bliley Act and the health care industry's Health Insurance Portability and Accountability Act. Meanwhile, directives such as the Sarbanes-Oxley Act compel public companies to defend their financial records from internal or external tampering.

In addition, if you accept credit cards you must abide by the Payment Card Industry Data Security Standard, an international set of requirements for the safe handling of account numbers and transaction data. Created by major credit card companies, the PCI DSS isn't legally binding, but businesses that violate it risk losing their credit card privileges.

Confidential business information: Next in importance is information about your company's strategic initiatives and fiscal health. This could include anything from your latest revenue figures to details of a forthcoming merger. Disclosing such data prematurely could affect your reputation or competitive standing, generate unwanted publicity, and even expose you to legal action.

Proprietary information: This encompasses intellectual property, such as product designs and other trade secrets. It should also include your customers' and partners' intellectual property, if you store any on your servers.

2. Perform a vulnerability assessment
Once you know which data is most important, make sure it's fully protected. You can perform a comprehensive vulnerability assessment on your own using the Microsoft Security Assessment Tool—a free download designed to help small and midsize businesses evaluate their security readiness.

However, unless you have a security expert on staff, hiring a Microsoft partner that specializes in security to evaluate your defenses is a smart idea. Security experts have sophisticated testing tools at their disposal and know which business processes are most likely to harbor hidden risks. "They'll have a pretty good sense of where your gaps are," observes Khalid Kark, a senior analyst and security expert at Forrester Research in Cambridge, Massachusetts. They can also benchmark your security preparedness against similar companies in your industry.

Be sure to perform a business impact analysis, too. Such studies help you predict the financial implications of a data breach so you can set security spending levels appropriately. After all, there's no point in investing US$1 million to protect data that would only cost you US$750,000 if leaked.

3. Implement the right technologies and policies
Now you're ready to strengthen your defenses. First, establish information classification policies. These should clearly define what qualifies as confidential data and provide simple instructions for identifying and handling such information. Next, seal any cracks in your security perimeter with the help of technologies such as these:

Data leak prevention (DLP) systems help keep sensitive data from slipping through network exit points, including your Web site and e-mail system. Such systems scan outgoing traffic for packets containing information that your company defines as protected. When they find a match, they can block the transmission, alert an IT employee, or perform other actions you specify. DLP products can also keep confidential data from leaving your infrastructure via commonly overlooked routes, such as USB memory sticks. "People are oblivious to that problem," notes Paul Wilson, a senior consultant at Waterstons Ltd., an IT consultancy and Microsoft Gold Certified Partner in Durham, England.
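The matching step described above (outgoing content is compared against patterns the organization defines as protected, and each match maps to an action) is easy to see in a small scanner. The following Python is an added illustration, not code from any DLP product; the payment-card pattern, the Luhn checksum, the "CONFIDENTIAL" classification marker and the block/alert policy table are all assumptions, and the sample messages are constructed. The Luhn check shows why a real scanner does more than match digit runs: a 13-digit order number that fails the checksum is allowed through.

```python
"""Toy DLP content scanner (added example; not a Microsoft or vendor product).

Outgoing messages are matched against patterns the organization defines as
protected, and each rule maps to an action: block or alert.
"""
import re
from dataclasses import dataclass
from typing import List

# Candidate payment card numbers: 13-19 digits, optionally separated by
# spaces or dashes. The Luhn check below filters out random digit runs.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Marker taken from an assumed information classification policy.
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

# Assumed policy table: which rule triggers which action.
POLICY = {"payment_card": "block", "classification_marker": "alert"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str
    action: str      # "block" or "alert"
    evidence: str    # what was matched, redacted where appropriate


def scan_message(text: str) -> List[Finding]:
    """Return one Finding per protected-data match in an outgoing message."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Never record the full card number in an alert; keep last four.
            findings.append(Finding("payment_card", POLICY["payment_card"],
                                    "PAN ending " + digits[-4:]))
    for m in MARKER_RE.finditer(text):
        findings.append(Finding("classification_marker",
                                POLICY["classification_marker"], m.group()))
    return findings


def decide(text: str) -> str:
    """Collapse all findings into one disposition: block > alert > allow."""
    actions = {f.action for f in scan_message(text)}
    if "block" in actions:
        return "block"
    if "alert" in actions:
        return "alert"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages: a card number (standard test PAN), a
    # classified document, the lunch menu, and a 13-digit order reference.
    samples = [
        "Customer card 4111 1111 1111 1111 expires 12/27",
        "Please see the attached Q3 figures. CONFIDENTIAL - do not forward.",
        "Lunch menu: Tuesday is taco day.",
        "Order reference 1234567890123",
    ]
    for s in samples:
        print(f"{decide(s):5}  {s}")
```

A production system would apply the same logic at each exit point the paragraph names (web uploads, e-mail, removable media) and would add file-type parsing, fingerprints of known documents, and rate limits on alerts; the decision structure stays the same.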

Rights management technologies, such as the Active Directory Rights Management Services feature in Microsoft Windows Server 2008, help you control who can view, edit, print, and forward sensitive documents. Unlike DLP products, rights management technologies embed themselves directly within documents, so they continue to protect data even after it has left your network.

Encryption technologies should rely on protocols such as Secure Sockets Layer (SSL) when sensitive data is in transit from one system or person to another, Stiennon says. He also suggests using technologies based on the Advanced Encryption Standard (AES) when data resides on a server. That way, even if cyberthieves manage to steal an entire customer database, the information inside will remain safe. Windows BitLocker Drive Encryption is an AES-enabled hard drive encryption technology from Microsoft that's available in Windows Server 2008 and the Enterprise and Ultimate versions of Windows Vista.

Access control applications, such as Microsoft Identity Lifecycle Manager 2007 Feature Pack 1, an add-on for Microsoft Windows Server, protect files and databases on your network by comparing the security clearance level of the employee trying to access information to the relevant information's sensitivity, as defined by the IT department. If the employee lacks appropriate permissions, the system prevents him from viewing or editing the information. In addition, some access control systems automatically log name, date, and time details whenever an authorized employee views a sensitive file or database. That can help you track down the source of internal information leaks.
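The comparison the paragraph describes (an employee's clearance level against the sensitivity the IT department assigned to the asset, plus a who/when record whenever a sensitive file is touched) is shown below as an added Python example. It is not Microsoft Identity Lifecycle Manager or any real product; the four-level classification scheme, the clearance and asset tables, and the log format are assumptions, and the sample users and files are constructed. It goes slightly beyond the text in one respect: it logs denied attempts as well as authorized views, since a refused access to a sensitive file is itself worth tracing.

```python
"""Toy clearance-versus-sensitivity access check with audit logging.

Added example; not Microsoft Identity Lifecycle Manager. Classification
levels, clearances and asset labels are assumed sample data.
"""
from datetime import datetime, timezone
from typing import List, Optional

# Ordered sensitivity levels, lowest to highest (assumed scheme that follows
# the article's categories: routine, confidential business, regulated).
LEVELS = ["public", "internal", "confidential", "regulated"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data, as the IT department would define it.
CLEARANCE = {"alice": "regulated", "bob": "internal", "carol": "confidential"}
ASSETS = {
    "cafeteria_menu.txt": "public",
    "q3_revenue.xlsx": "confidential",
    "customer_cards.db": "regulated",
    "product_blueprints.dwg": "confidential",
}


class AccessController:
    def __init__(self) -> None:
        self.audit_log: List[str] = []

    def check(self, user: str, asset: str, action: str = "view",
              now: Optional[datetime] = None) -> bool:
        """Allow only if the user's clearance ranks at or above the asset's
        sensitivity. Unknown users or unclassified assets fail closed."""
        clearance = CLEARANCE.get(user)
        sensitivity = ASSETS.get(asset)
        if clearance is None or sensitivity is None:
            decision = False
        else:
            decision = RANK[clearance] >= RANK[sensitivity]

        # Record name, date and time for every touch of a non-public asset,
        # so the source of an internal leak can be traced afterwards.
        if sensitivity is not None and sensitivity != "public":
            ts = (now or datetime.now(timezone.utc)).isoformat()
            result = "allow" if decision else "deny"
            self.audit_log.append(
                f"{ts} user={user} asset={asset} action={action} result={result}"
            )
        return decision


if __name__ == "__main__":
    ac = AccessController()
    for user, asset in [("alice", "customer_cards.db"),
                        ("bob", "q3_revenue.xlsx"),
                        ("bob", "cafeteria_menu.txt"),
                        ("mallory", "q3_revenue.xlsx")]:
        print(user, asset, "->", "allow" if ac.check(user, asset) else "deny")
    print("\n".join(ac.audit_log))
```

The ordering of levels is what makes a single integer comparison sufficient; if your classification policy is not strictly ordered (for example, separate compartments for legal and engineering data), the check becomes a set comparison rather than a rank comparison, but the audit record stays the same.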

Information assets and security threats are constantly evolving, so plan on repeating these three steps every six to 12 months. The struggle to keep sensitive data safe never ends, so systematic vigilance is ultimately your best defense.


Rich Freeman

Rich Freeman is a Seattle, Washington-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.
