Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE
As an information security professional, I get asked why there are so many breaches of sensitive information, with more than half a billion records breached in the last few years. My experience in the management of electronic information makes me suspect that one major reason for the frequency of breaches is the amount of sensitive information available.
Organizations collect vast stores of sensitive information, especially personal information. Once that information is inside the IT infrastructure, the organization may have no disposal mechanism to ensure that the data do not remain beyond their usefulness or their official retention date.
New technologies—such as cloud-based services and mobile devices—move sensitive information outside the traditional security perimeters and associated controls. This increases the risks of over-retention and data leakage.
While compliance with regulations has been successful at creating programs that require protection for specific types of sensitive data—especially personal information—large chunks of sensitive information remain at risk of security breaches because they do not fit within a defined compliance category. Many breaches present the common scenario of an enterprise that achieved compliance with regulatory requirements and then suffered a later data security breach.
One possible starting place to address data breaches could be strengthening the partnership between the information security and records information management (RIM) functions of the organization, so that information assurance is addressed under a common umbrella. One significant deliverable would be the identification of data stores throughout the organization and those managed by external parties. This effort would include flagging all data stores containing personal information and their associated risk levels. The outcome would give the organization a global view of its data and the risks associated with managing it, allowing the development of common controls to diminish the potential for unauthorized release of sensitive information. This approach could offer better overall protection of sensitive data, with the potential to reduce the cost of managing compliance with specific regulatory requirements. One key risk-reduction strategy may involve disposing of sensitive/personal information whose retention date has expired and for which no other legal obligation requires continued preservation.
Read Kerry Anderson’s recent Journal article:
“A Case for a Partnership Between Information Security and Records Information Management,” ISACA Journal, volume 2, 2012