This will be the final entry in our current CISO Survival series. And we’re taking a step back. We’ve talked about the role of the CISO in protecting an organization’s sensitive data. We’ve also discussed how a CISO can lead the charge to identify where data resides and how to best assess the associated risks.
However, we have (somewhat) put the cart before the horse. A key step in any data risk assessment is initially defining what information your organization will classify as “sensitive.”
In its broadest context, sensitive information is defined as data that should be protected against intentional or unintentional disclosure outside of legitimate business processes. Protection of such data may be required for compliance or regulatory reasons, it may be driven by the need to safeguard the personal privacy of customers, employees or partners, or it may be in the interest of protecting proprietary information.
Some examples of sensitive data and the scope of protection required are:
An effective first step in an organization’s data risk analysis strategy is to define the types of data you are dealing with. Do you support direct deposit capabilities for your employees? Do you maintain individual health information in any systems? Do you manage credit card information?
You then have to prioritize that data into buckets defined by the level of risk and liability associated with the exposure and/or loss of that data. A typical risk and liability bucket breakdown might look like this:
Typically, the most sensitive classification – this bucket will include:
A step below Confidential in terms of risk and liability, but reasonable efforts should still be taken to secure data in this bucket.
These are guidelines to assist an organization in its efforts to define what constitutes sensitive data in its business environment. Every company is different, so be sure to fully understand the nature of the information flowing in, flowing out and being stored before focusing on how to classify it.
Please contact us to learn how Appsian can help in assessing the risk associated with your ERP data. This exercise is especially critical for legacy ERP systems, where years of use can lead to a myriad of data being stored.