As we reflect on recent regulatory changes and trends, we notice a heavy focus on privacy and cybersecurity across the globe. The European Union has recently passed the General Data Protection Regulation (GDPR) and the Payment Services Directive 2. Taking it a step further, in July 2018, the EU proposed a new Cybersecurity Act (9350/18) mandating cybersecurity certification for critical infrastructure industries.
States in the US are following suit; recently, California signed into law a GDPR-like privacy law. This is predicted to continue across US states in response to the many data breaches we have witnessed across the globe.
As consumers, we are excited to have laws and regulations designed to protect our privacy. Businesses, on the other hand, are scrambling to ensure compliance with these stringent requirements. It is my strong belief that we should focus our risk mitigation and control implementations around what’s important – the data!
Business professionals and IT practitioners agree that data are a valuable commodity for enterprises in many ways. The notion of using data to help monitor and manage risk tolerances in audit and assurance activities often is overlooked. Data should be considered and analyzed as the enterprise selects, plans and deploys controls, and should also be part of enterprise evaluation of the performance of those controls.
This recently was highlighted by ISACA, which has put forth new guidance in partnership with SecurityScorecard titled Continuous Assurance Using Data Threat Modeling. In collaboration with industry experts, practitioners and ISACA subject matter experts, the guidance provides an excellent overview on how to adapt threat modeling to data in transit and data at rest as a strategy to put forth a more holistic, comprehensive and continuous model for understanding data risk and for analyzing potential risk in the supply chain.
New threats to data might occur suddenly or over time, so a formal mechanism should be established to account for data threats in a structured, systematic way. By looking at data this way and following a formalized methodology, enterprises can establish a model and baseline for monitoring data risk over time and maintaining risk within acceptable parameters. Keep your controls environment up-to-date and protect the data and other valuable enterprise assets needed for competitive advantage.
Data threat modeling can be a difficult landscape to navigate. Organizations must first elevate its priority among the enterprise and then follow a systematic process to decompose their applications into their various parts so that each can be analyzed from an attacker’s point of view. Once we discover threats and evaluate risks to applications, we can focus on the data that is used, stored or transmitted by the enterprise or when trusted to the supply chain. This provides the foundation needed to build out an effective control environment for applications, operating systems, network components, etc.
These risk mitigation methodologies are becoming more critical in our effort to protect what’s important, prevent data loss and ensure ongoing compliance with laws and regulations. Having a complete data inventory and visibility into potential threats throughout the data’s lifecycle creates a baseline for continuous assurance that we need to make critical risk decisions.