
The first and most important step in protecting business data is to understand what you're protecting and where it's located. To use an analogy, you can have the largest army in the world, but if you don't know what to defend, what's the point in having an army? Many companies make the mistake of defining security controls before they've identified their assets. Business data that needs to be protected comes in many forms, from credit card numbers to names and addresses; it's all important data that needs protection. Defining a security control is important, but the business needs to understand what data it's going to protect first.
So what business data needs to be protected? Depending on the business, the data that needs protection will differ. The basic types of data to look for are personally identifiable information (PII) and sensitive personal information (SPI).
Personally identifiable information (PII) consists of:
- Full names
- Driver's license numbers
- Face, fingerprints, handwriting
- Identification number (e.g. social security number)
- Vehicle registration plate number
Basically, any information that can identify an individual.
PII becomes Sensitive personal information (SPI) once any of the above combines with any of the information below:
- Social security numbers or Taxpayer ID numbers
- Credit or debit card numbers
- Financial/salary information
- Health records
- Student data records
There is some overlap here and there between PII and SPI, but the idea is the same: any information that can be used to identify an individual will need to be protected. Even before the internet was born, this type of information was used by criminals to commit identity theft.
There will have to be many interviews with support teams at all levels (operating system, database, application) to understand the types of information that are being stored. The servers, databases, and even Excel workbooks that contain this data must be identified and tagged. This is an excruciating process, but it's better to get it done and get it done right than to let this data grow without control and without oversight.
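A small discovery helper in that spirit, added here as an example (it is not code from the original post), that tags a table or worksheet export using the PII/SPI distinction above: column names are matched against keyword sets, and values are scanned for SSN-like and card-like data (Luhn-checked) hiding under innocent column names. The keyword sets, regexes and sample exports are constructed assumptions to adapt per business.

```python
import re

# Column-name indicators drawn from the article's PII and SPI lists (constructed keyword sets).
PII_COLUMNS = {"full_name", "name", "drivers_license", "id_number", "plate", "fingerprint"}
SPI_COLUMNS = {"ssn", "taxpayer_id", "card_number", "salary", "health_record", "student_id"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # assumed US-style SSN format
CARD_RE = re.compile(r"^\d{13,19}$")           # payment card PAN lengths


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random digit strings from being flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_table(columns, rows):
    """Tag one table/worksheet as NONE, PII, SENSITIVE_ONLY or SPI and list what was found."""
    findings = set()
    for idx, col in enumerate(columns):
        key = col.strip().lower()
        if key in PII_COLUMNS:
            findings.add(f"pii:{key}")
        if key in SPI_COLUMNS:
            findings.add(f"spi:{key}")
        # Value-level scan: catches sensitive data stored under a column name that says nothing.
        values = [str(r[idx]).replace(" ", "") for r in rows if idx < len(r)]
        if values and all(SSN_RE.match(v) for v in values):
            findings.add(f"spi:{key}(ssn-like values)")
        if values and all(CARD_RE.match(v) and luhn_ok(v) for v in values):
            findings.add(f"spi:{key}(card-like values)")
    has_pii = any(f.startswith("pii:") for f in findings)
    has_spi = any(f.startswith("spi:") for f in findings)
    if has_pii and has_spi:
        tag = "SPI"             # identifiers combined with sensitive data: the article's SPI rule
    elif has_pii:
        tag = "PII"
    elif has_spi:
        tag = "SENSITIVE_ONLY"  # sensitive values with no identifier column; still needs tagging
    else:
        tag = "NONE"
    return tag, sorted(findings)


# Constructed sample exports standing in for a database extract and two workbooks.
HR_EXPORT = (["full_name", "salary", "ssn"], [["Ada Example", 88000, "123-45-6789"]])
PAYMENTS = (["ref", "amount"], [["4111111111111111", 20], ["4012888888881881", 35]])
INVENTORY = (["sku", "qty"], [["X1", 5], ["X2", 7]])

if __name__ == "__main__":
    for name, (cols, rows) in {"hr": HR_EXPORT, "payments": PAYMENTS, "inventory": INVENTORY}.items():
        print(name, *classify_table(cols, rows))
```

The inventory of tagged tables produced this way is the starting point for the interviews, not a replacement for them: a column scan cannot know what a free-text "notes" field contains.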
Also, the business must not overlook the physical location where the data will be stored. Hacking isn't always performed via online methods. Social engineers can devise plans to use attack vectors such as pretexting to find their way to data through the physical world.