Building a Data Management Plan

Originally published by BARR Advisory.

Written by Christine Falk.

Building and operating a data management plan can be time consuming and overwhelming. You don’t have to go it alone. BARR Advisory asked Dariek Howard, manager, Attest Services, to share his thoughts and recommendations for building an effective data management plan. Here are his top tips to help you through the process:

1. Understand what data you have and where that data resides. Without this information, it’s impossible to understand what safeguards need to be in place and where your priorities—and immediate resources—should be focused. Start by compiling an inventory of the data in your environment. Then, using internal classification schemes, assign classification levels to that data based on its sensitivity.

2. Implement security controls in order of priority. Let’s face it, there are never enough resources available to classify everything as ‘highly confidential’ and implement the strongest technical safeguards all at once. Prioritize implementing security controls like encryption and access management for data deemed the most critical to your organization and its mission first.

In order to have a well-defined data management life cycle, it’s also important to set retention periods on assets in accordance with your internal classification standards and statutory or regulatory requirements. A secure means of disposing the data should be implemented once those retention thresholds have been exceeded.

3. Leverage the assets that process, store, or otherwise support the data within your environment. Here are some of the most critical points to consider:

• People security: Employees are often responsible for directly managing data on a day-to-day basis. Implement periodic training programs to reinforce their understanding of data management, its importance, and steps that can be taken to mitigate risks.
• Email security: Enforce email security controls to restrict the types of data entering and leaving your organization. This could include, but is not strictly limited to, using email encryption technologies, blocking specified file types—like .exe—and implementing a sandbox environment to scan inbound emails with attachments.
• Web security: Implement web content filters to block access to known malicious websites and other webpages, like P2P sites, where data loss could occur.
• Media security: Consider restricting the use of removable media to only those who require it, and create an internal approval process for determining who has access.
• Endpoint security: Install antivirus software and implement full disk encryption on endpoints—i.e., servers and workstations—that store or process sensitive data. Additionally, consider removing local administrative permissions from end users.

4. Understand your organization’s unique risks. Completing a risk assessment is crucial to understanding your organization’s current security posture and where your primary risks are. Systems that store or process data should undergo regular risk assessments to determine the likelihood and potential impact of a breach, the aggregate strength of mitigating controls in place, and the environment’s overall residual risk rating. When residual risk ratings exceed internal risk tolerance thresholds defined in risk management procedures, additional security measures should be implemented to protect the organization’s most critical data and reduce residual risk ratings to an acceptable level.

A risk assessment can also be a useful resource in gaining buy-in from the executive level on additional resources, like people and tools, that may be needed to better protect the organization’s data and the people it represents.