Deena Coffman, IDT911 Consulting
Commentary

Best Practices For Data Risk Assessment and Planning

What’s essential, what can wait, and what’s myth

Evaluating and managing your bank’s data risk doesn’t have to be an overwhelming endeavor. The list of things to do can look impossible if you don’t filter out those items you really need to tackle now and what can be addressed later, when time and other resources allow. There are also some falsehoods floating around out there that may cause more concern than they should.

What’s essential

Before that mountain of must-do’s threatens to topple onto you, focus first on those tasks that will truly help to ensure your data is reasonably secure from the majority of breach scenarios. One way to get into the right mindset is to remember that your data is an asset, and you need to treat it that way. Once you’re looking at data from that perspective, the initial step becomes clear: inventory your data. It’s the only way to know for sure what you have, where it exists, how it comes to you, who touches it, how it can be replicated and removed, and how it is ultimately disposed of. In short, a comprehensive data inventory will tell you precisely where risk factors exist.

Now that you know what data you have, it’s time to separate the most important from the unimportant. This separation accomplishes two critical things: one, it gives you a smaller subset of data (the important, essential stuff) to focus on as you implement your security measures, and two, it provides a demarcation so that if attackers get into your system, they won’t have access to ALL of your information. The important data will be under additional layers of protection and away from the hackers’ hands.

Take that important data you identified and start protecting it. Encryption is a good place to start. It’s inexpensive (often free), it’s easy, and it provides real security should other parts of your security program fail. Reduce the ways a hacker can get into your system by staying up-to-date with security patches. Require all network users to employ strong passwords, and back them up with robust authentication protocols on the back end. And pull everything together by conducting regular security audits, augmented by periodic penetration testing by an outside firm. These efforts will identify potential weak spots and let you know, rather than merely assume, that your plan is effective.

What can wait

Remember that less-than-important information you separated out earlier? That’s what can wait. Don’t protect unimportant e-mail messages with the same rigor you use for financial data. Focus first on the most important and work your way to the least important, stopping when you reach the information set that doesn’t need to be protected.

What’s myth

While it would be great to plan for every scenario, it’s a myth that you should actually devote your resources to doing that (or that you even can!). The plan you put in place to protect your assets should be specifically designed to focus on protecting your information in your environment against the attacks you are most likely to face. Yes, some fundamentals exist, such as having anti-virus in place and training employees, but a carefully crafted plan will help your security dollars to go farthest by focusing on what is most important to your business. Don’t get sidetracked by risks that aren’t likely to affect your organization.

A sensible data risk program puts more than one layer of protection around the most important information. To help ferret out what’s essential and what can wait, think of it this way: A bank doesn’t keep all of its money in a pile in the lobby. To get to the “stash,” you have to go through the front door, then past the teller, past another locked door, maybe through another locked door, and finally the vault door. And, not all of the valuables in a bank are kept in a single vault. Your important data should be protected in a similar way.

Deena Coffman is CEO of IDT911 Consulting
