Do You Even Know What and Where It Is?
Not too long ago, I was involved in the war room activities surrounding the breach of a major travel company, a breach that not only led to the exposure of sensitive information, but also to the use of that information to subvert the international travel infrastructure (yes, I’m being cagey with details here).
A war room, in this instance, is an immediate incident response step and is typically a dedicated conference room full of ‘smart’ people that is set up to lead identification and remediation activities around a suspected or confirmed security breach.
Once the firefighting was done and the immediate threat remediated, the team moved into forensics mode, where the questions moved from ‘what happened?’ to ‘how did this happen?’.
In the course of that activity, the CISO of the company was brought in. In addition to questions around security policies and response capabilities, two key questions were asked:
“Where do we have exposure to the hacking of data we categorize as sensitive to our customers, employees or partners?”
“What controls are in place to secure that data?”
In essence, his answers were:
“If you’re asking for an inventory of where sensitive data exists, I’d have to partner with the application teams to determine that.”
“As far as controls, we have a pretty strong network perimeter. But, again, I would have to partner with the application teams to ascertain what controls are in place at that level.”
That CISO is no longer employed by that travel company.
Let’s talk about the role of the Chief Information Security Officer (CISO)
Presumably it is a position that leads the charge to ensure that the organization is adequately protecting all data that is proprietary and/or necessary to conduct business operations. That casts a pretty wide net.
But that net, in addition to proprietary business intellectual property, clearly includes customer, partner and employee data. The compromise of any of these can lead to major impacts to business operations.
A phishing attack yields the credentials of an application-level, highly privileged user? Well, that application is essentially ‘owned’ by the bad guy. What kind of damage can they now do?
Even the compromise of lower-level users can lead to a bad guy being able to escalate privileges and/or leapfrog across other applications in the enterprise.
Aside from the potential for business disruption, the exposure and malicious use of sensitive data can lead to major financial losses and regulatory penalties for any organization.
Data awareness is a critical component of today’s CISO responsibilities. Knowing where your sensitive data lives is key. Knowing the mechanisms of how it’s accessed and managed is just as key.
In the current compliance environment, data privacy is a hot button that is shaping many of the new regulations around the digital economy. Whether it be GDPR, the California Consumer Privacy Act or the multitude of other mandates on how companies will be required to support data privacy, the anticipated responsibilities of the CISO are evolving well beyond having a handle on your network protection controls.
Application awareness is becoming a necessity. Understanding which applications are housing sensitive data, whether it be a legacy ERP system or a cutting-edge cloud application, is an inventory a CISO will be expected to maintain.
Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.