Almost daily we hear about a new data breach, and this has made businesses and individuals nervous. That reaction makes sense on an emotional level: the data that has been exposed may be personal, sensitive and valuable, and in some cases its exposure may cause great harm. However, the best way to be safe in any environment is to maintain situational awareness. The US Coast Guard Team Coordination Training Guide defines situational awareness in a way that is helpful:
“Situational Awareness is the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.” (Coast Guard)
Simply put, we need to know what is going on around us. Whether you are a pilot, surgeon, security specialist, Chief Security Officer or Chief Privacy Officer, you must have situational awareness. You must know all the “known knowns and the known unknowns” (Graham). This kind of perspective has been very difficult, if not impossible, to achieve and maintain, because today’s data protection professional has been working mainly through the lens of a physical data security model, and that is no longer sufficient.
As we continue porting our manual or legacy systems so that they are connected to the outside world, and as we become more global in our approach, it is obvious that we need to broaden our understanding of our systems beyond the brick and mortar of our buildings (and our networks) to gain true situational awareness.
BeyData Librarian is the precursor to any meaningful data protection. While this may seem a strong statement, it is one that we think fits. As an example, we have heard from more than one prospective client that the web-based application where they store data in a private cloud was secure because it uses AES encryption, so they had no security concerns. I know that many of our readers are smiling. There are many threat vectors in this situation where encryption is not a factor and the data may not be secure. This is where BeyData Librarian comes into play.
Here are some, but not all, of the basic considerations you should evaluate to gain situational awareness of your data: identify the systems you are using, the data within those systems, the access points to and from those systems (for data in and data out), who within and outside your organization has access to those systems, and the data flows and the locations of the data. Then also consider a wide range of regulatory issues, including data sovereignty, consent, third-party access to (and use of) data, and disposition of the data. These factors, along with others that may be specific to your business or industry, can be used to help you automate the process of understanding the risk to your business, customers or individual data subjects if there is a breach, and finally you should identify the likelihood of a breach. This process should be ongoing and reassessed with any change in conditions and on a regular basis.
This by itself is not enough, because depending on your organization you may need to increase staff to properly assess your systems without the human-error risk that comes from being short-staffed or overworked.
BeyData Librarian handles these requirements by providing a solution that allows you to perform assessments for every new system that uses, collects, backs up or archives data, wherever it may be. BeyData Librarian also allows you to calculate risk based on common models like those from the National Institute of Standards and Technology (“NIST”) and the Centre for Information Policy Leadership (“CIPL”), or any custom risk model you may have implemented.
Depending on an organization’s risk tolerance, the system will monitor and alert for risk levels that exceed what is acceptable. From a Security or Privacy Data Protection Officer’s perspective, they now have an inventory of all their systems with associated risk levels. Putting a process in place that requires an assessment of any new system before it goes into production provides insight into your systems and data (their collection, use and destruction) throughout the entire data lifecycle; simply put, situational awareness.
When you have that situational awareness, you are ready to implement a system of security and data protection controls that matches your organization’s security, legal and statutory requirements and allows you to handle the known unknowns and the unknown unknowns!
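To make the inventory-and-risk process described above concrete, here is an added example in Python (not BeyData Librarian’s code or data model): each inventory entry carries the factors listed earlier, risk is scored as likelihood x impact in the style of a NIST SP 800-30 matrix, a monitor flags systems above the organization’s tolerance, and a reassessment hook re-scores a system when conditions change. The sensitivity scale, the weights and the sample systems are all assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class SystemRecord:
    """One inventory entry carrying the factors the post lists (constructed model)."""
    name: str
    data_categories: frozenset    # data the system holds, e.g. {"personal"}
    access_points: int            # interfaces moving data in or out
    external_parties: int         # third parties with access to the data
    locations: frozenset          # countries where data is stored or processed
    allowed_locations: frozenset  # countries the applicable regime permits
    consent_documented: bool
    disposition_defined: bool     # a retention / destruction rule exists

# Assumed sensitivity scale; in practice it comes from your own classification policy.
SENSITIVITY = {"public": 1, "internal": 2, "personal": 3, "financial": 4, "health": 5}

def impact(rec):
    """Impact (1-5) follows the most sensitive data category the system holds."""
    return max((SENSITIVITY.get(c, 2) for c in rec.data_categories), default=1)

def likelihood(rec):
    """Likelihood (1-5): rises with access points, third-party access and governance gaps."""
    score = 1 + min(rec.access_points // 2, 2)
    score += 1 if rec.external_parties else 0
    score += 0 if rec.consent_documented and rec.disposition_defined else 1
    return min(score, 5)

def assess(rec):
    """Return (risk, findings); risk = likelihood x impact, an assumed NIST SP 800-30 style matrix."""
    findings = []
    offshore = rec.locations - rec.allowed_locations
    if offshore:
        findings.append(f"sovereignty: data held in {sorted(offshore)}")
    if not rec.consent_documented:
        findings.append("consent not documented")
    if not rec.disposition_defined:
        findings.append("no disposition rule")
    return likelihood(rec) * impact(rec), findings

def reassess(rec, **changes):
    """Re-run the assessment after a change in conditions (new party, new location...)."""
    return assess(replace(rec, **changes))

def monitor(inventory, tolerance):
    """The alerting step: names of systems whose risk exceeds the organisation's tolerance."""
    return [r.name for r in inventory if assess(r)[0] > tolerance]

INVENTORY = [  # constructed sample inventory
    SystemRecord("hr-portal", frozenset({"personal", "health"}), 4, 1,
                 frozenset({"US", "IN"}), frozenset({"US"}), True, False),
    SystemRecord("billing", frozenset({"financial"}), 2, 1,
                 frozenset({"DE"}), frozenset({"DE", "FR"}), True, True),
]
```

With a tolerance of 15, `monitor(INVENTORY, 15)` flags only `hr-portal` (risk 25, with sovereignty and disposition findings), and `reassess(INVENTORY[0], disposition_defined=True, locations=frozenset({"US"}))` drops it to 20 with no findings.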
Graham, W. R., Wikipedia (2017, July 10). There are known knowns. Retrieved July 19, 2017, from https://en.wikipedia.org/wiki/There_are_known_knowns
Coast Guard, U. (n.d.). Team Coordination Training Student Guide (8/98). Retrieved July 19, 2017, from https://www.uscg.mil/auxiliary/training/tct/chap5.pdf
Figure 1 – Known unknowns – The term was also commonly used inside NASA. Rumsfeld himself cited NASA administrator William Graham in his memoir; he wrote that he had first heard “a variant of the phrase” from Graham when they served together on the Commission to Assess the Ballistic Missile Threat to the United States during the late 1990s.