Data at Rest: Missing the Mark

Where are we?

We are all familiar with the concept of classifying data as public or private or strategic. (In certain industries we further break out information as nonpublic personal, or NPI.) For most of the business world, these classifications reside in policy and are subject to broad control strokes.

Amid the complexity of regulations governing financial institutions, health care providers, and defense-department organizations, there are specific instructions to ensure confidentiality and security over NPI, and to disclose when such information is breached or lost.

In 2012, PWC released a survey stating that only 34% of regulated institutions knew what types of data they were holding and where all of their data resided on their networks. In other words, two thirds of regulated industries were unable to comply with standards and legislation that has been in place for a decade. This is disastrous. The 2012 Verizon Data Breach Investigations Report revealed that it takes almost seven months for organizations to realize data has been lost or a breach has occurred. The Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse documents 3,964 reported breaches across industries since 2005, for a total of more than 616 million records.

In plain English, while we have long been required to ensure the confidentiality of NPI, two thirds of us are unaware of our own data. We are not aware of its loss in a timely manner. And most often we need an outside party to communicate to us that we have lost information in the past.

Why are we here?

With the evergreen oversight of information security, risk management, audit and examination cycles, it would seem illogical to remain in such an uncomfortable place. Our professional responsibility is to protect the private information of our customers (internal and external). Yet we are woefully behind. To be blunt, we are unsuccessful.

I believe that the roots of this trouble are the very advances that technology has provided, the mainstreaming of “access anywhere across devices.” There are simply too many repositories to store and sync information. With enterprises demanding quick scalability and end users demanding ease of access and storage, untrusted devices and repositories are everywhere.

Adding to this problem is the focus of our control efforts. We tend not to look at information, rather we look around it. We focus on data-in-motion. Our attention is focused on policy, risk assessments, audit-examination clearance and control structures around the data. Meanwhile, we are woefully unable to protect the data itself.

What must we do?

Information security professionals, especially those that hold designations such as the CISA, CISSP and CITP, should take a step back from the traditional audit and risk-assessment frameworks that focus on the existence of controls around data-in-motion. COBIT 5 can be used to conduct risk assessments in alignment with stakeholder requirements and enterprise goals. In particular, COBIT 5: Enabling Information addresses aspects including quality goals for information in all its states, including data at rest.

We should retarget efforts to include specific activities that identify the information assets at rest. Only when we start with the assets can we satisfy the objective to ensure their security. Only when we start with the assets can we effectively and efficiently establish a proper control environment.

Paul Hugenberg III, CISA, CRISC, CPA, CITP, CISSP
CVP–Chief Information Security Officer
First Place Bank, a subsidiary of Talmer Bancorp

[Source: ISACA]