Key Steps for Building an Effective Data Protection Program: From Analysing Business Needs to Ongoing Protection


In today's world, data is often referred to as the new oil, given its immense value to organisations. Companies have access to vast amounts of data, from customer information to intellectual property and strategic plans. Over the last decade cyber criminals have repeatedly targeted organisations, resulting in multiple breaches. Some organisations, like Uber, have faced multiple breaches, and even government organisations are not spared, as the Snowden case showed when confidential US government data was leaked online. Protecting this data has become essential, and an effective data protection program is crucial to meeting this requirement.

In my role as a CISO for the last five years I have found data protection to be the most complex initiative, yet the one most closely related to business enablement. This can range from protecting customer data to prevent customer fraud to protecting intellectual property from competitors. In this article, I will discuss the key steps in building a data protection program.

Analysing Business Drivers

The first step in building a data protection program is analysing the business needs. What is the driver for the program? There could be several drivers, such as customer complaints of scam calls, data leakage to competitors, or regulatory or legal requirements like GDPR. This matters because the driver determines the areas to focus on and the coverage of your program. For example, protecting customer data may require looking at the whole lifecycle: from the time you collect data and take consent, through storage in internal applications and databases and sharing with third parties, to how long the data is retained and what rights customers have over their data under regulations like GDPR. By comparison, protecting IP data is more internally focused and has a much narrower scope.

Identifying Data to be Protected

Once the drivers for the data protection program are known, the next step is to identify the data that needs protection. This includes customer personal data, company confidential data, employee personal data, and company intellectual property (IP) such as designs and formulations. The data needs to be categorised by both criticality (how important the data is) and sensitivity (what level of protection the data requires). To identify the data you will need to conduct interviews with key stakeholders and build data flows.

Building Data Flows

After identifying the data to be protected, the next step is to understand how data flows in the company. This involves identifying which applications host the data, which partners the data is being shared with, whether employees have the data on their devices like laptops and desktops, and whether data is accessible to third parties working on the company payroll. This activity helps identify current gaps, determine the necessary security controls, and suggest architectural changes that simplify data flow and access. A sample data flow diagram for an e-commerce business is shared below.
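The data-flow exercise described above can be kept as a small machine-checkable inventory rather than only a diagram. The following is an added example, not code from the article or from any product: it models data sets by criticality and sensitivity, records which system each flow lands in, and flags flows whose destination lacks the controls that an assumed policy requires for that sensitivity (the control names, the policy, the systems and the flows are all constructed for illustration).

```python
"""Added example, not from the article: a small data-flow inventory with a gap check.
Data sets, systems, controls and the required-control policy are all constructed
for illustration and are not the author's or any product's model."""
from dataclasses import dataclass

# Assumed policy: controls a destination must have before data of a given
# sensitivity may flow to it (names are constructed, modelled on the article's list).
REQUIRED_CONTROLS = {
    "high": {"encryption_at_rest", "mfa", "individual_accounts", "dlp"},
    "medium": {"mfa", "individual_accounts"},
    "low": set(),
}


@dataclass(frozen=True)
class DataSet:
    name: str
    category: str      # customer_pii, employee_pii, ip, business, ...
    sensitivity: str   # high / medium / low: what protection the data needs
    criticality: str   # high / medium / low: how important the data is


@dataclass(frozen=True)
class System:
    name: str
    kind: str                      # application, database, endpoint, third_party
    controls: frozenset = frozenset()
    nda_in_place: bool = True      # relevant only for third_party destinations


@dataclass(frozen=True)
class Flow:
    data: DataSet
    source: System
    destination: System


def flow_gaps(flow):
    """Return the list of control gaps for one flow (empty list means no gap)."""
    required = REQUIRED_CONTROLS[flow.data.sensitivity]
    dest = flow.destination
    gaps = [f"{dest.name} lacks {c}" for c in sorted(required - dest.controls)]
    if dest.kind == "third_party" and not dest.nda_in_place:
        gaps.append(f"{dest.name} has no NDA / data protection addendum")
    if dest.kind == "endpoint" and flow.data.sensitivity == "high":
        gaps.append(f"{flow.data.name} should not be stored on endpoint {dest.name}")
    return gaps


def assess(flows):
    """Map 'data: source -> destination' to its gaps, for flows that have any."""
    report = {}
    for f in flows:
        gaps = flow_gaps(f)
        if gaps:
            report[f"{f.data.name}: {f.source.name} -> {f.destination.name}"] = gaps
    return report


# Constructed sample inventory for a small e-commerce business.
CUSTOMER_PII = DataSet("customer records", "customer_pii", "high", "high")
PARTNER_CONTACTS = DataSet("partner contacts", "business", "medium", "low")

ORDER_DB = System("order-db", "database",
                  frozenset({"encryption_at_rest", "mfa", "individual_accounts", "dlp"}))
CRM = System("crm-app", "application", frozenset({"mfa", "individual_accounts"}))
LOGISTICS = System("logistics-partner", "third_party",
                   frozenset({"encryption_at_rest"}), nda_in_place=False)
LAPTOP = System("sales-laptop-17", "endpoint", frozenset({"mfa"}))

SAMPLE_FLOWS = [
    Flow(CUSTOMER_PII, CRM, ORDER_DB),        # fully controlled destination: no gap
    Flow(CUSTOMER_PII, ORDER_DB, CRM),        # application missing encryption and DLP
    Flow(CUSTOMER_PII, ORDER_DB, LOGISTICS),  # third party without NDA and most controls
    Flow(CUSTOMER_PII, CRM, LAPTOP),          # critical data landing on an endpoint
    Flow(PARTNER_CONTACTS, CRM, LAPTOP),      # medium data: only a shared-account gap
]

if __name__ == "__main__":
    for flow, gaps in assess(SAMPLE_FLOWS).items():
        print(flow)
        for g in gaps:
            print("  -", g)
```

Running the script prints each flow that has a gap together with the missing controls; the same structure can be re-run after every stakeholder interview so the inventory and the gap list stay current as new applications and partners appear.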


Protecting the Data

Once the data flows are identified, it's time to implement controls to protect the data. This could include minimising data collection, restricting bulk downloads of critical data, blocking USB on endpoints, implementing two-factor authentication (2FA) on email and all critical applications, and putting critical applications behind a VPN so that they are not directly accessible from the internet.

Other measures could include eliminating shared user IDs and passwords by creating individual user IDs for all critical applications, restricting the storage of customer data on end-user devices, implementing data leak prevention solutions for email and endpoints, and raising end-user awareness of the risks of data sharing and leakage.

Restricting email access to corporate devices only, assessing controls at vendors or third parties if data is being shared externally, and assessing controls on contractors and interns are other essential measures for protecting the data.

Laying down strong guidelines for partners, coupled with NDAs and strong data protection addendum clauses in legal agreements, helps ensure that vendors also apply strong data protection measures. This has to be coupled with regular audits and reviews to enforce the guidelines. A sample set of security guidelines is included in Annexure 1.

Key data protection controls are shown in the mind map in the figure below.


Detecting Data Leakage

While several measures may be taken to protect data, it may still leak through malicious insiders or through technical controls being bypassed by skilled attackers. Data loss prevention solutions for cloud, email, and endpoints are essential for detecting data leakage. DLP solutions like Netskope and Zscaler for cloud and email, and Forcepoint or CoSoSys for endpoints, are effective in detecting and preventing data leakage. It is essential to run a proper proof of concept (POC) before deploying any solution.

Implementation of DLP solutions needs to be coupled with effective monitoring and investigation procedures to ensure that the source of data leakage is identified and suitable remedial measures are taken. Security teams should partner with Human Resources to build a consequence management process. This is essential for taking necessary action against errant employees and for raising awareness of proper data handling and usage.
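To make concrete what an email DLP policy of the kind discussed above actually evaluates, here is an added example, not code from the article or from any of the vendors named: a minimal content-inspection rule that counts distinct personal identifiers in an outbound message, treats more than a threshold as a bulk export, and returns allow / alert / block with reasons so that the monitoring and investigation step has something to work from. The internal domain, the identifier formats (including the `CUST-` customer ID pattern), the threshold and the sample messages are all constructed for illustration.

```python
"""Added example, not from the article or any DLP vendor: a minimal content
inspection rule of the kind an email DLP policy applies to outbound mail.
The internal domain, identifier formats, threshold and sample messages are
all constructed for illustration."""
import re

INTERNAL_DOMAIN = "example-corp.com"   # constructed
BULK_THRESHOLD = 5                      # more distinct records than this counts as bulk

# Assumed patterns: a loose email matcher, 10-12 digit phone numbers, and a
# constructed internal customer identifier format (CUST- followed by six digits).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"(?<![\d+])\+?\d{10,12}(?!\d)")
CUSTOMER_ID_RE = re.compile(r"\bCUST-\d{6}\b")


def count_identifiers(text):
    """Count distinct identifiers of each type in a message body."""
    return {
        "email": len(set(EMAIL_RE.findall(text))),
        "phone": len(set(PHONE_RE.findall(text))),
        "customer_id": len(set(CUSTOMER_ID_RE.findall(text))),
    }


def classify_message(msg):
    """Decide allow / alert / block for one message and explain why."""
    counts = count_identifiers(msg["body"])
    external = not msg["recipient"].lower().endswith("@" + INTERNAL_DOMAIN)
    bulk = [k for k, v in counts.items() if v > BULK_THRESHOLD]
    reasons = []
    if bulk and external:
        reasons.append(f"bulk personal data ({', '.join(bulk)}) to external recipient")
    elif bulk:
        reasons.append(f"bulk personal data ({', '.join(bulk)}) in internal mail")
    if counts["customer_id"] and external:
        reasons.append("internal customer identifiers sent externally")
    if bulk and external:
        action = "block"      # bulk export leaving the company: stop it
    elif reasons:
        action = "alert"      # deliver, but raise it for investigation
    else:
        action = "allow"
    return {"action": action, "counts": counts, "reasons": reasons}


def scan_messages(messages):
    """Return [(subject, action)] for a batch of messages."""
    return [(m["subject"], classify_message(m)["action"]) for m in messages]


# Constructed sample messages: eight fake customer rows make a "bulk" body.
BULK_BODY = "\n".join(
    f"CUST-{i:06d}, customer{i}@mail.test, +9198765432{i:02d}" for i in range(1, 9)
)
SAMPLE_MESSAGES = [
    {"recipient": "bob@example-corp.com", "subject": "Two leads",
     "body": "Please follow up with ann@mail.test and raj@mail.test this week."},
    {"recipient": "analyst@outside-vendor.test", "subject": "Export",
     "body": "Here is the customer list you asked for:\n" + BULK_BODY},
    {"recipient": "courier@logistics.test", "subject": "Delayed order",
     "body": "Please check the complaint from CUST-000042 about the delayed order."},
    {"recipient": "hr@example-corp.com", "subject": "Internal export",
     "body": BULK_BODY},
]

if __name__ == "__main__":
    for subject, action in scan_messages(SAMPLE_MESSAGES):
        print(f"{action:6} {subject}")
```

The point of the `reasons` list is the investigation procedure the paragraph calls for: a block or alert that carries the identifier counts and the recipient lets the security team and HR establish quickly whether a single ticket reference or a full customer export was sent, which is exactly the evidence a consequence management process depends on.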

Key Actions for Ongoing Protection

Finally, it's important to take key actions for ongoing protection, such as knowing whether any additional data is being collected, conducting periodic access reviews, reviewing the efficacy of controls, and identifying any new processes being set up. For this, building a proper plan and measuring progress periodically is necessary to ensure success. A sample data protection plan with key objectives and suggested measures is given below.


| Key Objectives | Level | Data Protection measures | Timelines |
|---|---|---|---|
| Identifying Critical Data, Owners & flow | Medium | 1. Customer data flow mapping; 2. Data identification and mapping for company data; 3. Third-party inventory and risk assessments; 4. Asset discovery and inventory; 5. Cloud, application and database security testing; 6. Access reviews and reconciliations | 6-12 months |
| Protecting Critical Data from Hacking and inadvertent leakages | High | 1. Data leak prevention solution for office suite; 2. DLP tool for endpoints, access control; 3. Web application firewall; 4. Access control - SSO/2FA on email and critical applications; 5. Comprehensive end-user awareness; 6. Mobile device management solution; 7. Data encryption of all critical data | 6-12 months |
| Detecting Attacks and Breaches | Medium | 1. Data leak prevention solution for office suite; 2. DLP tool for endpoints; 3. Web application firewall; 4. Security operations centre; 5. Cloud access protection through CASB | 6-12 months |
| Respond and Recover Capability | Low | 1. Regular backups including offline backups; 2. Disaster recovery plan; 3. DR drills | 6 months |


Conclusion

In conclusion, building a data protection program is a critical step for any organisation. It involves analysing business needs, identifying the data to be protected, building data flows, implementing controls to protect the data, detecting data leakage, and taking key actions for ongoing protection. With the right approach, organisations can protect their data from internal and external threats and build a secure and sustainable future. As a security leader I have realised that a proactive approach to data protection ensures a strong cyber security posture, builds a strong reputation among customers and maintains competitive advantage over competitors. Do comment if you have any thoughts or queries on this article.

