Tuesday, March 10, 2009

Internal Regulations for Data Access

Written by Tsvetanka Stoyanova

Data is very important to every company, organization and government. In our age of computers, data has become as precious as gold. Data wields power, but data misuse can create havoc, and data is difficult to protect. It seems like every month a new media report describes a data breach, and no one is immune.

The protection around data can appear as solid as steel, but overconfidence in your data's protection is a fool's path. You can never be sure that your information will not be accessed illegitimately, only that you have made it hard and that you will notice when it happens.

Take a look at those media reports again and notice that it is not just small and medium-sized companies that are being hacked, but everyone from government agencies to members of the Fortune 500.

Why It Is Important to Have Internal Regulations for Data Access

It is obvious that internal regulations for data access are important. Data misuse is too common to be neglected, and it is not only the hackers who are to blame: the lack of a solid security program is also at fault. Data is valuable, and if you hold data you should take the steps needed to keep it protected. Data must be protected not only from outside intruders but from the inside as well.

Unfortunately, many cases of data theft are inside jobs. Some sources say that 80% of threats come from insiders and that 65% of internal threats remain undiscovered. This is scary at best. While you cannot treat all of your employees as suspects, it is mandatory that you have a program in place to detect internal breaches. Some employees do not even know that the information they are gathering is off limits; by some accounts this holds in more than half of such cases. It is therefore important to communicate the company's data access policies to everyone who has access to the data or an easy means of reaching it.

No company wants to make the headlines or become known for internal data theft, insider trading, or leaks of sensitive information. That is why you need internal regulations for data access. Most importantly, make sure that they are followed without exception.

Internal Regulations for Data Access

Protecting data involves many steps, some of which are described in the following Data Protection Basics article. Since internal regulations are an extensive subject, this article deals mainly with them. The rules you define for internal data access are the basis for all of your other data protection efforts.

The main purpose of any internal regulations program for data access is to prevent intentional and unintentional data misuse by your employees. This can be a difficult task. Let us review some steps that you should consider.

  • Check all applicable regulations and industry requirements for changes and updates. Keeping an eye out for changes is not enough; you should have a good understanding of what each regulation asks of you. For example, in Europe many professionals rely on the EU Data Protection Directive. This is a good start, but on closer reading the Directive provides only general guidance, not detailed steps. The detailed steps come from the regulations of the individual member states.
  • Make your employees aware of the risks of unauthorized data access. Nearly all staff know that data is gold and will not misuse it on purpose; the small remainder is what you need to watch. While in most cases data theft is intentional, there are also cases of leakage in which an employee has been fooled by a third party, and obvious as it may seem, you need to make sure that this never happens. I recall a case when a software developer, who had just started his first full-time job with a company, was tricked by a "friend" into showing the source code of one of the products the company was developing. The thief rebranded the stolen source code, launched it as his own product and began competing with the company he had robbed.
  • The least privilege rule. In the above example, the theft might not have happened if the developer had not had access rights to the source code. It is important to grant access sparingly: an employee should have access only to the data he or she needs in order to perform his or her daily duties, and nothing more. A process like this may slow development, but that is tolerable compared with losing the information. Grants should also be reviewed periodically, since duties change and access tends to accumulate.
  • Classify your data so that you know what is sensitive. There are degrees of sensitivity, and each needs its own tier; financial and health records belong in the highest tier. Data classification can be an enormous task, but once it is completed only ongoing maintenance remains.
  • Define primary and secondary access users. It is good practice to assign a primary access holder and then a secondary one who can step in if something happens to the person with first-tier access. The secondary holder's access should only be exercised when the primary is actually unavailable, otherwise it is simply a second standing grant.
  • Physical access. Ensure that your facility has the proper physical security levels. This includes a secure facility with card-access entry points, identification badges and security code access to the building.
  • Access to machines and applications. Physical access covers premises and machines, but very often one does not need physical access in order to get hold of sensitive data. You also need to define rules for access to machines and to the applications on them. Think about backups and virtual machines as well, and make sure they are covered by the same rules. In some cases access restrictions apply only for a limited period (time-sensitive data that becomes publicly available once the critical period has expired), while in others they apply for the entire life cycle of the data.
  • Be sure to have a policy in place for ex-employees. Revoke their accounts and access rights and change any shared codes immediately to avoid theft, and reassign anything for which they were the primary access holder. Be wary of employees who voice negative statements about the company or who are disgruntled for any reason.
  • Keep an eye out. As mentioned above, some sources say that as much as 65% of internal thefts go unnoticed. Watch for possible violations, including repeated denied access attempts, and investigate them right away.
  • Know whom you should contact in the event that you find or see a data breach.
  • Create standard operating procedures (SOPs). The National Institute of Standards and Technology (NIST) has published guidelines for bolstering the incident response capabilities of enterprises.
  • If you are breached, preserve all evidence, and have a process in place for doing so that includes keeping the affected equipment available for investigation.
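The access rules in the list above (least privilege with explicit grants, classification tiers, primary and secondary access holders, time-limited restrictions, immediate revocation at offboarding, and watching for repeated denials) can be encoded in a small, deny-by-default policy checker. The following is an added example, not code from the original article; the tier names, the sample assets and people, the helper names and the audit log format are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Sensitivity tiers, lowest first. An assumed scheme: financial and health
# records would sit in the top ("restricted") tier.
TIERS = ("public", "internal", "confidential", "restricted")

# Two fixed points in time used by the demonstration (constructed).
NOW = datetime(2009, 3, 10, tzinfo=timezone.utc)
LATER = datetime(2009, 5, 1, tzinfo=timezone.utc)


@dataclass
class Asset:
    name: str
    tier: str
    primary: str                               # primary access holder
    secondary: Optional[str] = None            # may act only while the primary is unavailable
    embargo_until: Optional[datetime] = None   # time-sensitive data: public once this passes


@dataclass
class Directory:
    active: set                                    # current employees
    unavailable: set = field(default_factory=set)  # on leave, travelling, etc.
    grants: dict = field(default_factory=dict)     # user -> set of asset names explicitly granted
    audit: list = field(default_factory=list)      # (time, user, asset, allowed, reason)


def check_access(user: str, asset: Asset, d: Directory, now: datetime):
    """Decide whether `user` may read `asset`. Deny by default; every decision is logged."""
    assert asset.tier in TIERS, f"unknown tier {asset.tier!r}"
    if user not in d.active:
        verdict = (False, "account revoked or unknown")
    elif asset.embargo_until is not None and now >= asset.embargo_until:
        verdict = (True, "embargo expired, data is now public")
    elif asset.tier == "public":
        verdict = (True, "public data")
    elif user == asset.primary:
        verdict = (True, "primary holder")
    elif user == asset.secondary and asset.primary in d.unavailable:
        verdict = (True, "secondary holder stepping in for unavailable primary")
    elif asset.name in d.grants.get(user, set()):
        verdict = (True, "explicit grant")
    else:
        verdict = (False, "no grant: least privilege")
    d.audit.append((now, user, asset.name, *verdict))
    return verdict


def offboard(d: Directory, user: str, assets: dict) -> dict:
    """Ex-employee policy: revoke immediately, promote secondaries where the leaver was
    primary, and report assets left with no holder so they get reassigned right away."""
    d.active.discard(user)
    d.unavailable.discard(user)
    d.grants.pop(user, None)
    result = {"promoted": [], "orphaned": []}
    for a in assets.values():
        if a.primary == user:
            a.primary, a.secondary = a.secondary, None
            result["promoted" if a.primary else "orphaned"].append(a.name)
        elif a.secondary == user:
            a.secondary = None
    return result


def repeated_denials(d: Directory, threshold: int = 3) -> dict:
    """'Keep an eye out': users with at least `threshold` denied attempts in the audit log."""
    counts = {}
    for _, user, _, allowed, _ in d.audit:
        if not allowed:
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def sample_world():
    """Constructed sample assets and directory for the demonstration (not real data)."""
    assets = {
        "product-src": Asset("product-src", "confidential", primary="alice", secondary="bob"),
        "design-docs": Asset("design-docs", "internal", primary="alice"),
        "payroll-2009": Asset("payroll-2009", "restricted", primary="carol"),
        "q1-earnings": Asset("q1-earnings", "confidential", primary="carol",
                             embargo_until=datetime(2009, 4, 15, tzinfo=timezone.utc)),
    }
    d = Directory(active={"alice", "bob", "carol", "dave"}, grants={"dave": {"product-src"}})
    return assets, d


if __name__ == "__main__":
    assets, d = sample_world()
    for user, name, when in [("alice", "product-src", NOW), ("bob", "product-src", NOW),
                             ("dave", "payroll-2009", NOW), ("dave", "q1-earnings", NOW),
                             ("dave", "q1-earnings", LATER)]:
        print(user, name, when.date(), check_access(user, assets[name], d, when))
    print("offboard alice:", offboard(d, "alice", assets))
    print("alice after offboarding:", check_access("alice", assets["product-src"], d, NOW))
    print("repeated denials:", repeated_denials(d, threshold=2))
```

The checker falls through to a denial unless a specific rule grants access, which is the practical form of the least privilege rule; the secondary holder's rule only fires while the primary is listed as unavailable, and the embargo rule shows how a time-limited restriction expires on its own without anyone editing grants. Offboarding removes the account before anything else is considered, so a leaver is refused even for data that has since become public, and the audit log is what lets you spot a user who keeps probing data outside their grants.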
The measures above are not an all-inclusive list. Whether an investigation is internal or external, computer-based fraud and electronic data theft are extremely serious security issues. Whatever the situation, employ a data breach response plan that preserves evidence, helps catch the criminals, and ensures that the enterprise closes the vulnerabilities that were exploited.
