Basic Techniques to Protect Business Data

Written by:  • Edited by: Ronda Roberts
Published Jun 12, 2010

Protecting data for your business is no easy task. Every company has problems when trying to protect their business data. Learn the basic steps and techniques needed to protect business data within...

Locating Your Assets

Data Storage - Where is Data Stored?
The first and most important step in protecting business data is to understand what you're protecting and where it's located. To use an analogy, you can have the largest army in the world, but if you don't know what to defend, what's the point in having an army? Many companies make the mistake of defining security controls before they've identified their assets. Business data that needs to be protected comes in many forms, from credit card numbers to names and addresses; it's all important data that needs protection. Defining a security control is important, but the business needs to understand what data it's going to protect first.

So what business data needs to be protected? Depending on the business, the data that needs protection will be different. The basic types of data to look for are personally identifiable information (PII) and sensitive personal information (SPI).

Personally identifiable information (PII) consists of:

  • Full names
  • Driver's license numbers
  • Face, fingerprints, handwriting
  • Identification number (e.g. social security number)
  • Vehicle Registration Plate Number

Basically any information that can identify an individual.

PII becomes sensitive personal information (SPI) once any of the above combines with any of the information below:

  • Social security numbers or Taxpayer ID numbers
  • Credit or debit card numbers
  • Financial/salary information
  • Health records
  • Student data records

There is some overlap between PII and SPI, but the idea is the same: any information that can be used to identify an individual will need to be protected. Even before the internet was born, this type of information was used by criminals to commit identity theft.

There will have to be many interviews with support teams at all levels (operating system, database, application) to understand the types of information that are being stored. The servers, databases, and even Excel workbooks that contain this data must be identified and tagged. This is an excruciating process, but it's better to get it done and get it done right than to let this data grow without control and without oversight.
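As an added illustration (not part of the original article), the tagging step can be partly automated by scanning exported records and applying the PII/SPI rule described above. The column names, the REVIEW label and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import re

# Column-name hints are assumptions; map them to your own schemas.
PII_COLUMNS = {"full_name": "full name", "drivers_license": "driver's license"}
SENSITIVE_COLUMNS = {"salary": "financial/salary", "diagnosis": "health record"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed sample export; the valid card numbers are public test numbers.
SAMPLE = """full_name,notes,salary
Alex Example,renewal reminder,
Jo Sample,card 4111 1111 1111 1111 on file,
,ticket ref 1234 5678 9012 3456,
,backup card 5555-5555-5555-4444,
Sam Placeholder,SSN 000-12-3456,61000
"""

def luhn_ok(digits):
    """Luhn checksum: rejects long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_row(row):
    """Return (label, pii_found, sensitive_found) for one record."""
    pii, sensitive = set(), set()
    for column, value in row.items():
        if not isinstance(value, str) or not value:
            continue
        if column in PII_COLUMNS:
            pii.add(PII_COLUMNS[column])
        if column in SENSITIVE_COLUMNS:
            sensitive.add(SENSITIVE_COLUMNS[column])
        if SSN_RE.search(value):  # SSNs appear on both of the article's lists
            pii.add("identification number")
            sensitive.add("SSN")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(value)):
            sensitive.add("card number")
    if pii and sensitive:
        return "SPI", pii, sensitive
    # Sensitive value with no identifier: "REVIEW" is this example's own label.
    return ("PII" if pii else "REVIEW" if sensitive else "NONE"), pii, sensitive

def tag_export(csv_text):
    """Label every row of a CSV export (a database dump or a saved worksheet)."""
    return [classify_row(r)[0] for r in csv.DictReader(io.StringIO(csv_text))]
```

A scan like this only narrows down where to look; the interviews are still needed to confirm what each store actually holds.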

Also, the business must not overlook the physical location of where the data will be stored. Hacking isn't always just performed via online methods. Social engineers can devise plans to use attack vectors such as pretexting to find their way into data through the physical world.

Following Your Data

Following Your Data - Where Your Protected Data Flows

The second step in protecting business data is to map out where the data travels. Once storage locations have been identified, the business needs to understand how the data traverses the network. One important item is to understand when and where data leaves the company's internal network for an external network. There are certain data security standards companies must meet when it comes to transmission of data. For instance, the Payment Card Industry Data Security Standards have wording that requires external transmission of cardholder data to be encrypted, but does not require this of internal transmission. Therefore it's important to note when the transmission of data stops being internal and becomes external, and vice versa.

This is another round of interviews with support teams at all levels. It's another time-consuming process, but it needs to be performed. Hackers may have a hard time accessing stored data records, but if the business doesn't understand the flow of its own data, it may miss out on protecting the transmission of data. Hackers can resort to listening in on transmissions to pick up data that the business needs to protect.

The business needs to broaden the focus for protecting data from just stored data to transmitted data.

Read on to page 2 to define and enforce security controls to protect business data...
