Data Security Controls: What You Need to Know
by Michelle Krasniak
Why Data Security Controls?
Why do people continuously search online for information about “data security controls”? The answer is obvious: data is everything. Data is an organization’s most valuable asset, and a company must do everything in its power to ensure it is protecting sensitive information from being stolen, altered, disrupted, or destroyed. The consequences of a cyber event could significantly impact a company’s brand, reputation, and most importantly, its bottom line. The COVID-19 outbreak has intensified the cyber security threat landscape not only in the United States, but globally as well.
Data security requires extensive effort in order to be effective, including implementing different types of security controls. Unfortunately, the complexity of the data security process multiplies when organizations outsource business functions to third parties. In these cases, not only does an organization have to protect its data, but it must ensure that all of its third parties are protecting its data with the same vigor and tenacity.
How does an organization protect data?
To protect its data, an organization must implement security controls. The best practice is to implement controls at every layer of a potential threat or possible breakdown in the security of the data. Security experts refer to this concept as a “defense in depth” approach.
A defense in depth approach typically starts with the identification and understanding of what makes up the organization’s data. In other words, what exactly is the data being stored? Does it contain Personally Identifiable Information (PII) such as Social Security numbers, driver’s license numbers, or bank account numbers? Does the data contain Protected Health Information (PHI), for example patient names, addresses, and treatment dates? Does the data contain intellectual property, trade secrets, or data that must specifically adhere to certain regulations? These are all questions organizations should be asking themselves on a regular basis.
To utilize defense in depth, organizations should begin by implementing data management standards. Classification controls are necessary to identify data types, i.e. sensitive and non-sensitive data. Organizations must identify these data types and their owners across all data stores, for example desktops, servers, databases, removable media, mobile devices, and cloud applications. At the same time, an organization must label the data with descriptors to improve its search and discovery capabilities.
After an organization classifies its data, the next layer of security requires an understanding of the security controls that are adequate for each classification. For example, does the data need to be encrypted, or is it preferable to continuously monitor and audit who is viewing or processing the data (or both)? Encryption controls are necessary for sensitive data whether it is at rest on a device or backup medium, in transit across a network, or in use during processing. Data discovery programs are necessary to identify sensitive information that has ended up in unauthorized locations and to remediate it. Organizations can use data masking and obfuscation techniques to protect sensitive data in use.
From an auditing standpoint, it is important to know what is happening with the data, because unusual activity is often the first sign of a security problem. For example, have there been attempts to move sensitive data out of approved locations over the internet or via email? Organizations must also ensure that the data is continually available and resilient, hence the need for database activity monitoring. Layers of data security controls continue to build, with access controls as one of the final layers.
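The three layers described above (classifying and labeling records, masking sensitive values for data in use, and monitoring for sensitive data leaving approved locations) can be illustrated in a small pipeline. The following is an added example written for this article, not code from the author or from CyberGRX; the classification patterns, the approved-destination list, the record texts and the transfer events are all constructed sample data, and the patterns are deliberately simple illustrations rather than a production PII detector.

```python
"""Added example (not part of the original article): a minimal
classification -> masking -> audit-monitoring pipeline for the data
security layers discussed above. All patterns, records and events are
constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Classification rules: label -> regex. Constructed, simplified patterns;
# a real discovery program would use validated detectors per data type.
PATTERNS = {
    "PII:SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PII:DL": re.compile(r"\bDL[- ]?[A-Z0-9]{7,9}\b"),
    "PHI:TREATMENT_DATE": re.compile(r"\btreated on \d{4}-\d{2}-\d{2}\b", re.I),
}


def classify(text: str) -> set[str]:
    """Return the set of classification labels whose pattern matches."""
    return {label for label, rx in PATTERNS.items() if rx.search(text)}


def sensitivity(labels: set[str]) -> str:
    """Collapse labels into the coarse sensitive / non-sensitive decision."""
    return "sensitive" if labels else "non-sensitive"


def mask(text: str) -> str:
    """Masking for data in use: SSNs keep their last four digits so a
    record stays recognisable to an operator; other sensitive values are
    replaced by a redaction marker carrying their label."""
    def mask_ssn(m: re.Match) -> str:
        return "***-**-" + m.group(0)[-4:]

    out = PATTERNS["PII:SSN"].sub(mask_ssn, text)
    for label, rx in PATTERNS.items():
        if label != "PII:SSN":
            out = rx.sub("[REDACTED:" + label + "]", out)
    return out


@dataclass
class TransferEvent:
    """One audited data movement: who sent what where (constructed shape)."""
    user: str
    destination: str
    payload: str


# Constructed list of locations where sensitive data is allowed to go.
APPROVED_DESTINATIONS = {"db.internal", "backup.internal"}


def flag_transfers(events: list[TransferEvent]) -> list[tuple[str, str, list[str]]]:
    """Audit layer: flag movements of classified data to unapproved
    destinations. Non-sensitive payloads are never flagged, so the check
    depends on classification having run first."""
    alerts = []
    for e in events:
        labels = classify(e.payload)
        if labels and e.destination not in APPROVED_DESTINATIONS:
            alerts.append((e.user, e.destination, sorted(labels)))
    return alerts


# Constructed sample records and audit events.
SAMPLE_RECORDS = [
    "Customer John Doe, SSN 123-45-6789, account opened 2023",
    "Quarterly newsletter draft, no customer data",
    "Patient Jane Roe treated on 2024-01-05 at clinic 3",
    "Driver license DL-A1234567 on file",
]

SAMPLE_EVENTS = [
    TransferEvent("alice", "db.internal", SAMPLE_RECORDS[0]),      # approved
    TransferEvent("bob", "mail.example.com", SAMPLE_RECORDS[0]),   # sensitive, unapproved
    TransferEvent("carol", "mail.example.com", SAMPLE_RECORDS[1]), # non-sensitive
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        labels = classify(rec)
        print(f"{sensitivity(labels):13} {sorted(labels)!s:24} {mask(rec)}")
    for alert in flag_transfers(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The ordering matters: masking and the transfer check both reuse `classify`, so a record that the classification layer misses is neither masked nor alerted on. That is why the article places classification first and why a discovery program that finds sensitive data in unexpected places is a control in its own right.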
How does an organization address data security controls at its third parties?
Just as an organization needs to manage and implement its own data security, it must also understand the stability and health of a third party’s data security controls. This understanding has to occur before the start of the business relationship. An organization should begin this task by researching the potential third party’s background to understand if that organization has recently had a security breach that may impact the products or services it delivers.
One ideal method to further this research is to perform cybersecurity risk assessments on third parties to understand their potential risk. An organization can also use these assessments to identify whether or not its third parties will remain operational in the event of a problem such as a cyberattack or, in the current global environment, a worldwide pandemic. Third party cybersecurity risk assessments are the linchpin of any third party data security program and should be performed throughout the duration of the business relationship.
CyberGRX performs third party risk assessments to inform customers if their third parties are adequately protecting data. The CyberGRX risk assessment dedicates an entire family of controls to understand the maturity, coverage, and effectiveness of data protection from data management to the actual protection methodology. CyberGRX evaluates each third party’s data controls in a comprehensive, reliable, and consistent manner. We enable our customers to have confidence – or lack thereof – across their entire third party ecosystem’s data security controls.
Do you want to learn more about how third party risk assessments empower you to make informed, strategic decisions about vendor relationships? Click here to get a demo.
Director of Solution Architecture