Think once, think twice, think data!

Security

16.03.2021
David Mantock, Chief Information Security Officer

It has always been about data! Security specialists from across the globe even when they were making their first shaky steps to becoming seasoned professionals have learned the C-I-A triad just like children learn their ABC’s. The confidentiality, integrity and availability of data is the foundation of good business, so a holistic and integrated approach to the protection of said data is of vital importance. If data is the new air, I want to freely breath it in and suck it up with no danger to my health or sanity. I am fortunate enough to reside in Switzerland and on occasion have had the opportunity to walk in the mountains and one soon discovers that all air is not the same the higher you go the more precious it becomes. If we return our thoughts to data, we can easily deduct that the context or “altitude” plays a great role in the relevancy of our precious data. I am not one for discrimination, but all data is not the same. Why are you reading this blog? Is it because you have an urge for a “hot air” fix, or do you want to be informed and instructed?

It has always been about data!

Information: knowledge gained through study, communication, research, instruction, etc.; factual data: //  dictionary.com

So, we need a means of distinguishing this data, and a good place to start is with an information classification policy. Why did I just switch from talking about data to talking about information? This is a subtle shift, but our first step in a clean data governance approach. Information simply put is factual data or more importantly data that is useful. Once we have decided what type of data interests us, we need further categories to which we associate a risk. Appropriately allocated risks enable effective controls to maintain our C-I-A triad.  A good information classification policy will instruct how the data is handle based on its level of importance to the enterprise. For any data that is a special category such as PII an impact analysis is a necessity. In summary we can conclude the following:

  • Useful data is information, and this type of data is worth protecting.
  • Information needs to be classified so that it can be effectively protected.
  • Special types of data need an even more thorough analysis.
  • The context always demands consideration.
Think once, think twice, think data!

Now armed with these basic precepts the challenge is to implement this in your organization. Nevertheless, at the same time acknowledging that the modern processing of this information is demanding at best and confusing at worst. The speed of transaction and the volume of processing does not make the task any easier. But forewarned is forearmed and if we remember that this is a marathon and not a sprint, there is a pot of gold at the end of the rainbow. Now due to the laws of motion, we know that starting is often the most difficult thing to do, but once we have momentum it is easier to keep going. Handling data is very similar in this regard, so how to make a start? In an age where we have turned the analysis of data into an art form – my advice is to follow the KISS (Keep it Super Simple!) principle. You want to be able to answer the question: what is happening with my data, outside my perimeter, and inside my perimeter? But for the sake of thoroughness, rinse and repeat after me “think once think, twice think data!”

back to panels