By Dr. Jim Kennedy, NCE, MRP, MBCI
I am continually amazed by the number of corporations that do not have an inventory of their computing assets, and specifically of their critical data or information assets. They have no idea which servers or databases hold the information that matters most to their organization.
This lack of a data inventory keeps these firms from properly protecting their information. It does not seem to matter whether that information is legally protected personal healthcare information of patients, credit card information of current or past customers, or critical intellectual property that could give a competitive advantage; all seem equally unprotected. This continues to be the norm for many corporations across all industry segments (healthcare, financial, manufacturing, pharmaceutical, etc.) despite all of the regulations and best practices that are constantly discussed in the media and presented at industry and trade symposiums.
In many organizations I have found thousands of unstructured data stores: files and e-mails not stored in databases. Often this data represents as much as 75 to 85 percent of a company's online data. Typically it is scattered across networks and often invisible. It consists of everything from multiple copies of the same data to critical e-mail threads sitting in flat archive files that relate to confidential or proprietary information, legal contracts, or personal or financial information about former patients, students or employees.
Every time a security breach occurs, and they seem to occur with ever increasing frequency, that breach seems to involve critical or private information. The data that has been lost or stolen generally comes either from a stolen or misplaced laptop or from some corporate system without proper security protection. Why? It seems to boil down to two basic reasons:
1) A lack of understanding of type and location of data stored on company resources and
2) A lack of policies and procedures adequately governing and protecting that data.
If you, as a business continuity manager, corporate contingency planner, information security director, CIO, or business unit manager, deem the data and information that your organization is responsible for or uses to be important and/or critical, you need to step back and take a few basic steps to protect it.
Information discovery and classification
The first step on the road to properly protecting data begins with the process of information discovery and data classification. After all, how can an organization properly protect, move, delete or save different types of data if it doesn't know exactly what type of data it's dealing with in the first place?
Developing a physical inventory of servers and computers, and then of the data assets stored on them, is the most important first step for any organization. As highlighted above, I have been called in on many occasions to help an organization develop an information protection program and found that it did not know where all of its critical data was. In fact, many do not even have current asset inventories of their computing equipment.
Once the information has been identified and you know where it resides, it is necessary to develop a system to properly classify that data. In general, four basic classifications work for many companies: public; internal use only; proprietary; and confidential.
Public - information in the public domain (annual reports, press statements, etc.) which has been approved for public use. Security at this level is minimal.
Internal Use Only - information not approved for general circulation outside the organization. Its loss would be an inconvenience to the organization or management, but disclosure is unlikely to result in financial loss or serious damage to credibility (examples: internal memos, minutes of meetings, internal project reports, etc.). Security at this level is controlled but normal.
Proprietary - information of a proprietary nature: procedures, specialized processes, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for internal use only by authorized personnel. Security at this level is high.
Confidential - information that, if made public or even shared around the organization, could seriously hinder the organization's operations or violate government regulations or laws. Such information includes accounting information; business plans; sensitive customer, student or patient information; attorney and accountant information; patients' medical records and similar highly sensitive data. This information should not be copied or removed from the organization's operational control without specific senior management or governmental authority. Security at this level must be very high.
Now that the data has been classified, proper protection based on its classification can be implemented. Along with the classification, data retention guidelines need to be established for each level of data. These guidelines should be reviewed and adjusted by the data owners along with details of who should have privileges to create, change, review, modify, or delete the data.
The second step that the organization should take, now that it knows where its data is and how it is classified, is the development of plans to protect the data.
Protecting the data
Virus protection – across the organization there should be a virus protection strategy for all computing devices: servers, laptops, and desktop devices. The virus protection software should be maintained and virus signatures updated as frequently as the manufacturer of the anti-virus software recommends.
Security policy – there should be a security policy which has been communicated by senior management (to show its importance to the organization) and translated into internal processes and procedures (access control, network management, firewall administration, intrusion detection, Internet and e-mail use, etc.) and awareness training throughout the organization. A security plan should be developed that properly protects all of the data, whether at rest (in storage) or on the move (all points where the data is transmitted to or received from). ISO 17799:2005 offers a good set of security controls for information security and can be a tool to aid organizations in developing programs and addressing regulatory compliance.
Laptops should be controlled by some type of policy to either encrypt critical data stored on them or to ensure that critical data is NEVER stored on them.
All security policies, processes and procedures should be periodically assessed to ensure that they are being followed and continue to be adequate for the mission of the organization. Most of the security breaches I have investigated have all come from good sound security processes that were not being followed.
Patch management plan – a plan to ensure that all security patches recommended by the computing and/or software manufacturers are installed on the organization’s computers in a timely fashion. I have often witnessed corporations suffer hundreds of thousands of dollars in losses from security breaches for which a patch had been available for several months.
Data storage and recovery plan – a plan for the proper storage of all information for the period of time that it needs to be maintained (data retention based on the classification of the data). This can take the form of off-site replication, off-site archiving of files, etc. The plan should also include data restoration tests to ensure that data is being properly saved and can be restored when and if necessary.
Disaster recovery plan – a plan for the resumption and restoration of an organization’s operations following an incident where data or other critical operational elements of an organization are adversely affected. The plan should be tested regularly (once a year at least) to make sure that it is still fit for purpose.
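The four classification levels and the laptop rule above translate directly into checks that can be run over an asset inventory. The following added example (not the author's tool; the inventory records and hosts are constructed) audits each record for the gaps the article describes: unclassified data, critical data left unencrypted on a laptop, no data owner, and no retention guideline.

```python
"""Audit a constructed data inventory against the article's classification rules."""
from dataclasses import dataclass
from typing import Dict, List

# The four classification levels from the article, least to most sensitive.
LEVELS = ("public", "internal use only", "proprietary", "confidential")
# The two upper levels are the "critical" data the laptop policy is about.
CRITICAL = {"proprietary", "confidential"}


@dataclass
class DataAsset:
    name: str
    host: str               # hypothetical host name
    host_type: str          # "server", "desktop" or "laptop"
    classification: str     # one of LEVELS, or "" if never classified
    owner: str = ""         # data owner who sets access privileges
    retention_days: int = 0 # 0 means no retention guideline has been set
    encrypted: bool = False


def audit(asset: DataAsset) -> List[str]:
    """Return the policy findings for one inventory record (empty if compliant)."""
    findings: List[str] = []
    if asset.classification not in LEVELS:
        # Without a classification no protection level can be chosen at all.
        findings.append("unclassified data: protection level cannot be determined")
        return findings
    if asset.classification in CRITICAL:
        # Critical data on a laptop is either encrypted or never stored there.
        if asset.host_type == "laptop" and not asset.encrypted:
            findings.append("critical data stored unencrypted on a laptop")
        if not asset.owner:
            findings.append("no data owner to approve create/change/delete privileges")
    if asset.retention_days <= 0:
        findings.append("no retention guideline for this classification level")
    return findings


def audit_inventory(assets: List[DataAsset]) -> Dict[str, List[str]]:
    """Map each non-compliant asset name to its findings."""
    return {a.name: audit(a) for a in assets if audit(a)}


# Constructed sample inventory; names, hosts and retention periods are made up.
SAMPLE_INVENTORY = [
    DataAsset("patient-records.db", "db01", "server", "confidential", "Clinical Records", 2555, True),
    DataAsset("q3-customer-export.xlsx", "LT-0042", "laptop", "confidential"),
    DataAsset("press-release.docx", "www01", "server", "public", "Communications", 365),
    DataAsset("old-backup.tar", "fs02", "server", "", "Operations", 30),
]
```

Running `audit_inventory(SAMPLE_INVENTORY)` flags only the laptop export (three findings) and the unclassified backup.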
In summary
All of the things that I have described above are pretty obvious. Some take time; others take time and money. Some will require expertise beyond what you have in your organization.
Many are often overlooked in the everyday hectic business activities that consume every manager’s day. However, there will come a time in every organization’s history when its management’s effectiveness will be measured by, and its survival will be determined by how well the obvious things were taken care of.
Don’t be the next firm driven into bankruptcy by complacency.
The author
Dr. Jim Kennedy is the Business Continuity Services Practice Lead and a Consulting Member of Technical Staff for Alcatel-Lucent. Dr. Kennedy has over 25 years' experience in the business continuity and disaster recovery fields and holds numerous Master-level certifications in network engineering, information security and business continuity. He has developed more than 30 recovery plans, planned or participated in more than 100 business continuity and disaster recovery tests, helped to coordinate three actual recovery operations, authored many technical articles on business continuity and disaster recovery, is a co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’, and is the author of the e-book ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic.’ jtkennedy@alcatel-lucent.com

Date: 9th March 2007 | Region: US/World | Type: Article | Topic: IT continuity