Updated: Jan 11
With cyber-crime on the rise and states enacting data privacy legislation, take some time to review how your organization is handling personal information (PI).
By: Stephen Graham @ AnonTech
Hardly a day goes by anymore without another report of ransomware attacks holding companies hostage or new data breaches exposing the records of thousands of individuals. The fact is, cyber attacks are on the rise and the criminals are getting more sophisticated. As a result, multiple states have passed or are in the process of introducing new data privacy regulations to try to force companies to take responsibility for ensuring that residents' personal information is kept secure and managed properly.
How prepared is your business for a data-privacy-centric future? Below are a handful of steps to get you started. Where are you on your journey to full compliance & preparedness?
Consult a Data Protection Strategist
First and foremost, bring in an expert to evaluate your needs. There are many Data Protection consultants out there who can come in, do a full privacy assessment of your business, and provide strategic & prioritized guidance for improving your situation.
Your Data Protection Strategist will also help you define a set of governance policies to dictate how & why personal information can be used by various groups within the organization. These policies form the foundational groundwork for building a privacy framework within your business.
If you don't have a Data Protection Strategist yet, we recommend our partners over at DPS Advisors.
Scan Your Code
If you haven't yet, make sure any proprietary code you have has been scanned by a static analysis tool such as SonarQube. These scanners have become quite sophisticated and will point out any number of security vulnerabilities in your software. Make any identified issues a priority with your engineering team. Better yet, make resolving high-priority issues a prerequisite for any software release.
Test for Security
There are many companies out there that will perform penetration (pen) testing, ethical hacks, and any number of other methods for testing the security of your IT infrastructure. Once again, make the resolution of any identified issues a high priority for your IT & engineering teams.
If you don't have a relationship with one of these companies, we recommend our friends over at BrainTrace.
Know What You Have
Once your code & IT infrastructure are secured, it's time to fully inventory the personal information being used throughout your organization. Data silos tend to pop up all over the place, so bring in some automated tools to help. Tools like BigID or IBM Security Guardium Analyzer offer sophisticated mapping & inventorying capabilities to find and classify personal information wherever it may be located within your organization.
Bring in the Tech
Now that you have your governance policies in place and have a full personal information data map in hand, it's time to bring in technology to automate your Governance, Risk, & Compliance (GRC) and Personal Information Management (PIM) needs. Tools like IBM OpenPages with Watson can help automate your GRC & legal workflows. Of course, we recommend bringing in our own ViziVault to manage the security & compliance of personal information in an automated, rule-based fashion. Start by leaving the data in place and simply reporting the PI that is being used, for full awareness, auditing, and actionability.
Migrate the Data
With full awareness in place, to get to the next level, it's time to get that PI out of your application databases and achieve full PI-as-a-Service. Take the legal responsibilities away from your IT & engineering teams and empower the right people within the organization to track & ensure proper regulatory compliance. Our own ViziVault is specifically designed to do this.
Don't try to migrate everything all at once. As long as you have your systems set up to report personal information usage, you can migrate your systems one at a time based on risk & priority. Some legacy or off-the-shelf products may never get migrated, but at least you have a full picture of where & how PI is being used throughout the organization and can make informed decisions based on actionable business risks.
The data privacy regulatory landscape is changing on an almost daily basis. New rules, regulations, and interpretations are constantly being introduced, and it can be very challenging to stay current. The reason we took a rules-based approach to compliance in ViziVault is so that the rules can be modified or added to as the laws & regulations change. Have your Data Protection Strategist periodically come in, re-evaluate your status, and help you stay current with any policies & automated rules you have in place.