Managing your organization’s data security and compliance today may seem overwhelming: the volume of data continues to grow, attacks are becoming more sophisticated, and regulatory requirements are more numerous and stringent. However, smart information management does not have to be complicated or cost-prohibitive – it starts with common-sense practices and tools your organization may already own. The following three principles will help set your organization up for success and keep important data safe and compliant.
1. Plan for it. From the start.
Although it is tempting to think of security and compliance as something that can be solved after the fact with the right product, the reality is that you have to plan for it. Technology is only part of the picture, and it won’t protect your data if your processes and people don’t support it. In fact, newer privacy regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are largely technology-neutral: they prescribe few specific controls (the GDPR names pseudonymisation and encryption only as examples of appropriate measures) and instead focus on how data is handled.
While your staff are likely not intentionally malicious or negligent, a process designed without security and compliance in mind can inadvertently create vulnerabilities and increase risk for your organization. Employees often assume the IT department has data security handled, and if the process allows it, they may sidestep recommended practices for the sake of productivity.
So, before you purchase and deploy a new solution or completely redesign an existing business process, take a step back and consider all the associated security and compliance requirements. Often, it’s best to work with a consultant in your industry, but here are a few sample questions to consider:
• Is PII (Personally Identifiable Information) or confidential data part of this process?
• Which users and systems will need access to it, and what will they do with it?
• What are the regulatory or internal requirements for protecting it?
• How long am I required to keep it, and how long do I actually need it?
• How does it need to be protected in all of its states – in use, at rest and in transit?
• How much of the data handling can I automate? Can I remove human touch completely?
2. Think beyond your (fire)walls.
No organization operates in a vacuum. You may feel good about the data security and compliance practices inside your own organization, but what happens when your data, or that of your customers, needs to go outside your firewalls? At some point, partners, customers, contractors, auditors, regulators – all may need to touch your data from their devices and network locations. Also don’t forget about all those cloud service providers and apps that are actively storing large quantities of your data in their own or third-party data centers.
This is known as third-party risk, and it is something to also consider and plan for. Several recent breaches of data from major organizations occurred not at their own facilities, but at those of their business partners. Consider those companies that may be providing business process outsourcing (BPO) for your organization – maybe helping you with accounting, recruitment, calling campaigns, printing ID cards, and numerous other services.
When it comes to sharing data with business partners, consider what and how you share. Share the least amount of data necessary to get the job done and take steps to protect the data in the process with tools like secure sharing, encryption and redaction. And don’t forget to make sure this data is securely destroyed after they use it.
Thinking of third-party risk, you also should not forget about your technology providers, especially those that are cloud-based. How secure are their applications and data centers? Do they comply with the regulations and standards your organization has to comply with? How can they support your security and compliance requirements?
New regulations like the GDPR make it your organization’s responsibility to pick partners and technology providers who can help you ensure compliance. So, don’t be afraid to ask them questions about their own security processes and features, and ensure that they meet your needs.
3. Get tech to help.
Earlier, we said that data security and compliance are not all about technology. Still, technology is an absolutely necessary part of the solution – the sheer volume of data and the regulatory requirements make it impossible to manage it manually.
Luckily, you may already own many of the tools you need to reduce risk and improve data security and compliance. But be sure to also consider the age of your technology – many older systems and applications were not designed with the modern risks and regulatory requirements in mind. Legacy systems can not only reduce productivity but also introduce vulnerabilities into your organization and create hard-to-manage and hard-to-protect information silos. If your legacy systems can’t be updated, they may need to be replaced with a more modern technology.
Here are some of the technologies to consider to improve data security:
• Content management. A robust content services platform (CSP) can not only provide a secure repository to store your content, but also offers other important features like version control, data classification, electronic signatures, redaction, and much more, helping you set granular control over who has access to what data.
There are also some deployment decisions to make with your content services platform. If not implemented already, consider deploying data encryption to add an extra layer of protection to your data, making it unusable to attackers who obtain the stored files or backups – keep in mind that encryption at rest only helps if the keys are managed separately from the data, and it does nothing against an attacker who is acting through a legitimate user’s access. Also, consider a redundant deployment configuration to support business continuity and disaster recovery programs, and to reduce the crippling impact of natural disasters and cyberattacks like ransomware and DDoS (Distributed Denial of Service). Redundancy is not a substitute for offline or immutable backups, though: ransomware that encrypts the primary copy is simply replicated to a hot standby.
• Retention management automates the process of assigning retention periods and performing retention tasks like automatic deletion or archival, which can reduce exposure in case of
• Enterprise search can help you monitor for unauthorized data across numerous systems and applications like file shares, email attachments and cloud storage, to reduce the associated security and compliance risks to your organization.
• Secure collaboration tools can provide your employees and partners with the file sharing and collaboration features they need while keeping your information secure.
• Process automation tools like workflow automation, robotic process automation and system integration automate the flow of information, reducing human touch to improve speed and accuracy and reduce risk of exposure.
• Case management tools standardize data handling processes and provide visibility and accountability.
• Policy distribution workflows automatically distribute and track acknowledgement of security and compliance policies and can help prove due diligence during litigation or audits.
• Reporting and logging features of your information management tools can help you trace incidents and validate user activity and changes to system configuration, repositories, user groups and permissions.
And when it comes to regulatory compliance, the following technologies can also lend a hand:
• Automated retention and disposition policy management helps fulfill specific retention requirements of numerous new regulations.
• Records request processing automated workflows can help your organization not be overwhelmed with individual data requests now rightfully guaranteed under many new regulations.
• Enterprise search can help locate and remove PII improperly stored or shared on systems across the organization.
• Customer communications management can simplify the process of building and distributing required incident and policy notifications.
• Reporting capabilities are critical for proving compliance, which is also a requirement of many new regulations.
As you can see, taking a proactive approach to information security and compliance can start with technology your organization likely already owns. Just make sure to plan ahead and pick the right partners.
Dennis Chepurnov, CISSP, PMC-III, MBA, MA, is an enterprise technology evangelist with over 15 years of experience in helping organizations improve business processes through better information management. In his current role as Marketing Principal at Hyland Software, Dennis helps customers elevate their transformation initiatives with industry-leading information technologies.