Don't Lose Track of Your Valuable Data
Bankers involved in any level of project management know that lessons learned and gap management are both essential to continued process improvement, for large or small projects. How many avoidable situations have we faced so far with the mishandling of valuable data? The quick answer is “too many,” due to the lack of ongoing controls over project data.
The challenge that many Information Security Officers face is that “Big Data” is daunting for end users. As part of a project, business units request slices of client data, maybe even an entire portfolio, to be extracted into a database or a spreadsheet. The problem is that the data then becomes much more portable, both within the enterprise and outside it.
A structured approach to enduring data loss prevention is fundamental in making certain that proper data tracking is included in a bank’s project plans. Overlooking this critical step will increase risk and become an ongoing gap if it is not properly addressed.
Most of us can quickly “check off” the technology controls used to protect our data: full-disk and file-level encryption, restrictions on USB and network storage, monitoring of access authority, plus data-loss prevention tools on the network and the workstation. Everything that will prevent the unmitigated movement of valuable client data is in place. All of these technology-based controls, along with employees’ good behaviors, make for a sound platform to handle client data obtained for the project. However, what happens when the project is over? Is there a project task to “retire or return” the extracted data from the end users?
If the answer is “no,” the project carries more inherent risk, which may be in direct conflict with the bank’s overall risk appetite. Other questions related to project data should include:
• Who within the enterprise is tasked with documenting ongoing data requests?
• Is there an efficient process to communicate within a project status exactly which data files have been requested and then produced?
• Are subsequent owners of the data clearly identified in that same status reporting?
• Are data hygiene tasks outlined within the project plan for end users?
• Is there an expectation that the extracted data for the project is for temporary use and not permanent storage?
• Is data hygiene included in a post-project wrap-up? Are project team members held accountable?
Affirmative answers to these questions will indicate the existence of a structure and a foundation to properly transition or return all project data from the end user. This will significantly reduce or eliminate the risk of any portable data becoming accessible to unauthorized use and falling into the wrong hands.
The key tenet is understanding the trigger point at which project-related data becomes “stale” and its duplication increases risk. While a library-card method of check-in/check-out might be challenging in a large-scale project, having an accurate inventory of the data used, giving it a defined shelf life, and having a specific method to handle its return or destruction significantly decreases our risk.
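As an added illustration of the check-in/check-out inventory described above (example code, not from the original article), here is a minimal extract register that records who holds each data extract, gives it a shelf life, lists overdue copies, and shows what is still out at project wrap-up; the Extract fields, project names, owners and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Extract:
    extract_id: str
    project: str
    owner: str                    # end user accountable for this copy
    produced_on: date
    shelf_life_days: int          # agreed temporary-use window
    status: str = "checked_out"   # checked_out | returned | destroyed
    closed_on: "date | None" = None

    def due_on(self) -> date:
        return self.produced_on + timedelta(days=self.shelf_life_days)

    def is_stale(self, today: date) -> bool:  # still out past its shelf life
        return self.status == "checked_out" and today > self.due_on()

class ExtractRegister:
    # Library-card style check-out/check-in ledger for project data extracts
    def __init__(self) -> None:
        self._items: dict[str, Extract] = {}

    def check_out(self, extract: Extract) -> None:
        if self._items.setdefault(extract.extract_id, extract) is not extract:
            raise ValueError(f"duplicate extract id {extract.extract_id}")

    def check_in(self, extract_id: str, disposition: str, on: date) -> None:
        if disposition not in ("returned", "destroyed"):
            raise ValueError("disposition must be 'returned' or 'destroyed'")
        item = self._items[extract_id]
        if item.status != "checked_out":
            raise ValueError(f"{extract_id} already {item.status}")
        item.status, item.closed_on = disposition, on

    def stale(self, today: date) -> list[str]:
        # Overdue copies, oldest due date first: the follow-up list for the ISO
        return [e.extract_id for e in sorted(self._items.values(), key=Extract.due_on)
                if e.is_stale(today)]

    def open_extracts(self, project: str) -> list[str]:  # wrap-up: must be empty
        return [e.extract_id for e in self._items.values()
                if e.project == project and e.status == "checked_out"]

def build_sample_register() -> ExtractRegister:  # constructed sample ledger
    reg = ExtractRegister()
    reg.check_out(Extract("X-001", "CORE-CONV", "alice", date(2023, 1, 10), 90))
    reg.check_out(Extract("X-002", "CORE-CONV", "bob", date(2023, 2, 1), 60))
    reg.check_in("X-001", "destroyed", date(2023, 3, 15))
    return reg
```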
Throughout my career in information security, I have heard of many challenges due to unauthorized access of spreadsheets and databases. In one circumstance, a laptop was stolen which contained client data from a conversion that occurred more than two years earlier. Information security becomes much more difficult when data that should be expunged is left to be collected by criminals. With a little discovery, criminals may find a treasure trove of data just waiting to be put up for sale on the Dark Web.
Update Your Project Plan
If there is a categorical set of tasks on the project plan to make certain that all data extracted is retired or returned, then an appropriate level of data-related risk is maintained. The goal of these project tasks is to protect data and bring it in from the wild so that it is properly stored or expunged. Project-level data tracking is not just about data; it is about the process roadmap and the behavior of the employee holding the data. Cybercriminals are opportunistic and will take advantage of any vulnerability, whether it is a technology weakness or employee recklessness. If there is not an effective strategy to mitigate this risk, the problem will increase over time.
Strategy always has a starting place. Once the Information Security Officer has outlined the specific project tasks for safeguarding your valuable data, conversation is needed with project owners, project leaders, and project managers about the importance of protecting data. It is critical to have data handled properly at the end of a project. A successful effort in handling project data needs buy-in from all levels of project participation. This may require a training effort for the project team to help the next few projects progress in securely handling data.
Lastly, it is important to know that the Information Security Officer is a resource to the overall organization and the project management team when it comes to protecting data. Their objective is to give guidance and direction to team members in the form of structured project tasks, along with the monitoring to confirm that those tasks have been completed. The Information Security Officer should likewise be invited to participate in the project management process and be a trusted advisor on data transformation, portability, and version control. They are expected to know the laws and regulatory requirements governing data, and as such they will be of great value to the overall success of risk oversight in project management.
One more thing: don’t forget the cloud. It is very beneficial to keep track of sensitive data held with cloud storage providers. Be sure to assess the risk these purveyors of data storage pose to your projects!