Information Owners -- those responsible for the viability and survivability of an information asset -- need to be accountable for their role. It is not enough to expect IT, as custodians, to understand their role in protecting the asset without the Information Owner's involvement.
I am working on a data discovery and information asset profiling project for a client. Essentially this client has agreed that they (a) need to know where their critical assets are, (b) need to know whether or not those assets are protected throughout the business life of the information, and (c) need to know what compliance requirements must be met to stay in line with regulations and contracts.
Your business has these same issues. If your market is in the health care space you may have protected health information (PHI) and be expected to meet HIPAA requirements. If you transact business using payment cards -- Visa, MasterCard, Amex and so on -- the Payment Card Industry (PCI) expects you to meet their Data Security Standard. If you conduct business in most states you need to be compliant with data protection and notification laws that differ state to state.
Many businesses do an "ok" job of understanding what compliance requirements must be met but do a terrible job knowing where that protected data lies or flows within their business.
Which brings me to this client. They are a services firm that, through its normal business routine, gathers, processes and stores a tremendous amount of personally identifiable information. They have a diligent and caring information technology department. They have executive support for securing their information. And, like most firms, the protected information in their business freely flows outside of protective boundaries, creating a risk of exposure.
We were asked to do a data discovery to help find that exposed information and make recommendations for properly protecting it for both security and compliance purposes.
The CERT Survivable Enterprise Management group at the Software Engineering Institute at Carnegie Mellon in Pittsburgh developed the Information Asset Profiling (IAP) process as a model.
Some key components of the model:
Information owners are those responsible for the viability and survivability of an information asset. For all businesses that means that sales is responsible for account information, call center management responsible for the information in the customer relationship management toolset, engineering responsible for the "secret sauces" in the company product and so on.
Information custodians are those responsible for protecting the information asset. In most firms this means the information technology staff. In most firms this is also the group given implied responsibility for viability and survivability. Yet IT doesn't have the necessary tools to value information and protect it outside of its existence in computer systems within the company.
Containers are a concept within the model that refers to the form factor that is used to store the information. A file folder. A filing cabinet. A BlackBerry. A laptop. A server. The computer network. All these represent containers.
In our experience, which has been validated as this project continues, organizations are concerned with protecting the computer assets but are unaware when data flows into containers that are then themselves exposed, such as printed documents, file folders, faxes and the like.
The end result of this project is that our client will truly know where their critical data is, how the containers it resides in are exposed, and what can be done to lessen the risk of losses or compliance violations.
Do you know where your data is?