Data storage and access policies: Here's what you need to think about

Protecting data at rest, in transit, and during processing is key to your organisation's smooth running. Here are some points to consider.
Written by Danny Palmer, Senior Writer


Hacking, data breaches, malware, ransomware and more: for organisations of all sizes, it can sometimes seem like there's a cybersecurity threat lurking around every corner -- especially considering the importance of data in businesses today.

Whether you're a global corporation or a small business, best practices are available to ensure that those responsible for handling, storing, transferring, and using data are doing everything possible to keep it safe.

Organisations need to ensure they have taken the time to develop good policies on data storage to make it as secure and resilient as possible, at every level.

"It starts with understanding your data. Not just where it lives, but also classifying that data," Julie Cullivan, CIO at network security firm ForeScout, told ZDNet.

"Focus on understanding your most critical services and data, making sure you really understand where it lives and that you have the right controls and policies around that as a priority. Companies which try to address everything as if it's all created equally suddenly end up in this situation where you've protected nothing," Cullivan said.


Data can have different levels of sensitivity, but organisations also need to consider their strategies for data in different situations. Data can be at rest, physically stored in a data warehouse, on a local area network, or even on a single device like a smartphone or a flash drive. Then there's data in use, actively being processed, and finally there's data in transit, flowing from one place to the other over the internet or within a LAN.

When thinking about all of these data states, organisations need to determine the potential risks of each one, and then decide what action needs to be taken to protect all of that data.

"It sounds really basic, but it's about understanding what you have or what you come into contact with," Emma Wright, commercial technology partner at law firm Kemp Little, told ZDNet. "Because your information security policy shouldn't be one-size-fits-all -- it should be a multi-layer approach which takes into account both physical and cybersecurity measures applying to the data."

For example, it isn't necessarily essential to encrypt all forms of data -- although encryption should certainly be applied to credit card information, personal details, and other sensitive data -- but a good policy is to take stock and examine how data is stored.

In some instances, sensitive data can be anonymised -- but even then, you should be asking yourself if there's any reason why encryption shouldn't be used. "Your starting position around personal data should be 'why is it not encrypted?'," said Wright.
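The approach described above (know what data you hold, classify it, decide on a control for each state it can be in, and treat "why is it not encrypted?" as the default question for personal data) can be turned into a repeatable inventory check. The following is an added example written for this article, not code from ZDNet or any of the firms quoted; the classification labels, control names and the inventory entries are all constructed, and the rule that anonymised data may go unencrypted only when a written justification exists is an assumption chosen to mirror Wright's point.

```python
from dataclasses import dataclass, field

# Constructed classification scheme; an organisation would substitute its own.
SENSITIVE = {"personal", "payment"}
STATES = ("at_rest", "in_transit", "in_use")
# Constructed control names that count as "encrypted" for a given state.
ENCRYPTING_CONTROLS = {"encrypted", "tls"}


@dataclass
class DataStore:
    name: str
    classification: str                 # "public", "internal", "personal", "payment"
    anonymised: bool = False
    # state -> documented control, e.g. {"at_rest": "encrypted", "in_use": "rbac"}
    controls: dict = field(default_factory=dict)
    justification: str = ""             # written reason for any deliberate gap


def evaluate(store: DataStore) -> list:
    """Return policy findings for one store; an empty list means no gap found."""
    findings = []
    sensitive = store.classification in SENSITIVE
    for state in STATES:
        control = store.controls.get(state)
        if control is None:
            # Every state needs an explicit risk decision, even "none".
            findings.append(f"{store.name}: no control decision recorded for data {state}")
            continue
        if state == "in_use" or not sensitive:
            continue  # only at-rest and in-transit encryption is mandated here
        if control in ENCRYPTING_CONTROLS:
            continue
        if store.anonymised and store.justification:
            continue  # anonymised, and the reason for not encrypting is written down
        if store.anonymised:
            findings.append(
                f"{store.name}: anonymised {store.classification} data {state} "
                "is not encrypted and no justification is recorded")
        else:
            findings.append(
                f"{store.name}: {store.classification} data {state} "
                f"must be encrypted (found: {control})")
    return findings


def evaluate_inventory(stores) -> dict:
    """Map each store name to its findings so gaps can be tracked per system."""
    return {s.name: evaluate(s) for s in stores}


# Constructed inventory used to exercise the check.
INVENTORY = [
    DataStore("public-site-assets", "public",
              controls={"at_rest": "none", "in_transit": "tls", "in_use": "none"}),
    DataStore("customer-db", "personal",
              controls={"at_rest": "encrypted", "in_transit": "tls", "in_use": "rbac"}),
    DataStore("card-export-share", "payment",
              controls={"at_rest": "none", "in_transit": "encrypted"}),
    DataStore("analytics-warehouse", "personal", anonymised=True,
              controls={"at_rest": "none", "in_transit": "tls", "in_use": "rbac"}),
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as a script it prints one line per store; the card export share is flagged twice (unencrypted payment data at rest, and no decision recorded for data in use), and the anonymised warehouse is flagged once because nobody has written down why it is not encrypted.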

Access controls

A data storage policy isn't just about encrypting information and hoping for the best, because not every individual in an organisation needs access to all of the data the company holds. That's why access controls around who can access and use data -- and for how long -- need to form part of good data storage policy.

"Most organisations that have identity and access management policies start with a standard image -- every employee has access to these systems and this data. Then you start just narrowing it down to role-based access, depending on the risk and the data, and the applications they have access to," Rashmi Knowles, EMEA field CTO for RSA Security, told ZDNet.

The idea is that only users who are required to handle sensitive information have access to it, reducing the risk of it being mishandled by other users. This isn't a one-time job: organisations should be regularly reassessing who needs access to what data and what they need it for, especially if sensitive information is involved.

"If you have privileged users who have access to sensitive data and it's critical to the business, typically you'd revisit that every three months to check that access is still relevant to that role. Then from a compliance perspective, you'll have visibility of that fact," said Knowles.
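Knowles describes two recurring checks: that each person's access still matches a role-based model, and that privileged access to sensitive data is recertified on a fixed cycle (she suggests every three months). The following is an added example for this article, not code from RSA Security or ZDNet; the role matrix, the entitlement records, the 90-day interval and the dates are all constructed. It shows both checks over a small entitlement list and the recertification step that feeds the compliance record.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed defaults: three-month review cycle, as suggested in the article.
REVIEW_INTERVAL = timedelta(days=90)
SENSITIVE = {"personal", "payment"}

# Constructed role-based access matrix: role -> datasets that role may use.
ROLE_MATRIX = {
    "support": {"tickets"},
    "finance": {"invoices", "card-export"},
    "dba": {"customer-db", "tickets", "invoices", "card-export"},
}


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    dataset: str
    classification: str
    privileged: bool
    last_reviewed: date


def role_drift(entitlements, role_matrix=ROLE_MATRIX) -> list:
    """Entitlements that the role-based model does not permit (accumulated access)."""
    return [e for e in entitlements
            if e.dataset not in role_matrix.get(e.role, set())]


def overdue_reviews(entitlements, today, interval=REVIEW_INTERVAL) -> list:
    """Privileged entitlements to sensitive data not recertified within the interval."""
    return [e for e in entitlements
            if e.privileged and e.classification in SENSITIVE
            and today - e.last_reviewed > interval]


def recertify(entitlement: Entitlement, today: date) -> Entitlement:
    """Record that a reviewer confirmed the access is still needed for the role."""
    return replace(entitlement, last_reviewed=today)


def review_report(entitlements, today, role_matrix=ROLE_MATRIX) -> dict:
    """Bundle both checks so the result can be kept as evidence for auditors."""
    return {
        "as_of": today.isoformat(),
        "role_drift": [e.user for e in role_drift(entitlements, role_matrix)],
        "overdue": [e.user for e in overdue_reviews(entitlements, today)],
    }


# Constructed entitlement records.
ENTITLEMENTS = [
    Entitlement("alice", "support", "tickets", "internal", False, date(2018, 1, 10)),
    Entitlement("bob", "finance", "card-export", "payment", True, date(2017, 11, 1)),
    Entitlement("carol", "dba", "customer-db", "personal", True, date(2018, 3, 1)),
    Entitlement("dave", "support", "customer-db", "personal", False, date(2018, 2, 1)),
]
TODAY = date(2018, 4, 1)

if __name__ == "__main__":
    print(review_report(ENTITLEMENTS, TODAY))
```

With the sample data, `bob` is overdue (privileged access to payment data last reviewed 151 days earlier) and `dave` shows role drift (a support role holding customer database access that the matrix never granted). Recertifying an entitlement only updates its review date; removing drifted access is a separate decision for the data owner, which is why the report lists it rather than deleting it.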

Data in the supply chain

Even if you set out good policies around data control, based around knowing what you have, with encryption and access control within the boundaries of your organisation, the nature of modern business means it's highly unlikely that all of your data will be contained within your walls.

If your organisation has suppliers or contractors, they will inevitably end up handling your data in some way, so they will also need to ensure that their policy is up to scratch -- perhaps even more so, considering how the supply chain is viewed by many hackers as a soft underbelly for attacks. It could be up to you to help them achieve the necessary compliance.

"Companies are engaging with suppliers and they're not seeing their information security as something which needs to be extended down the chain," said Wright.

"They think the information security stops within their systems, when in fact if you can access a system, or you're sending your information to someone else's system, you've got to apply the same level of controls from the third party," she added.

GDPR is looming

It's understandable that all of this may sound somewhat intimidating, but there are government-issued guides such as the Networks and Information Systems (NIS) directive, which contains detailed step-by-step guides on implementing strategies around data security policy.

While having a good data storage policy is good practice in any case, there's a looming deadline that organisations with policies that aren't up to scratch will need to pay attention to: the introduction of the General Data Protection Regulation (GDPR) into law across the European Union on 25 May.

It might sound Europe-centric, but this legislation will apply to any organisation in the world that does business in EU countries.


While some are fearful of GDPR, given the potential for huge fines if organisations are found to have suffered a data breach while being non-compliant, it could be viewed as an opportunity. Organisations can revisit what data they have and assess what it is, why it has been collected, what consent they have for processing it -- and, if there's no good reason to keep it, delete it.

"Policy and process is the biggest burden in GDPR, but it's a good opportunity for organisations to start from scratch and ask 'what data do we collect?'," said Knowles.

"It gives them an opportunity to start from scratch and get their house in order so they have really good visibility of where they are, where their third parties are, how their data is protected and what that data lifecycle is, all the way from when it is collected to it being deleted."
