BreachExchange mailing list archives

Data breach: how information governance reduces risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 26 Jun 2015 13:04:30 -0600

http://www.jdsupra.com/legalnews/data-breach-how-information-governance-72726/

With all the data breach activity over the past several years, any
organization or individual that hasn’t been affected in some way almost
feels left out. According to the Department of Health and Human Services,
120 million people have been compromised in more than 1,100 separate
breaches at organizations handling PHI (protected health information) since
2009. That number is almost a third of the U.S. population! Now is the time
for organizations to take action! The data breach problem is very real and
is going to get worse before it gets better.

Most organizations’ immediate reaction to such activity is to invest in
some new type of data security technology or purchase a higher level of
cyber insurance coverage. However, they should also be equally concerned
with ensuring proper governance of their information. More often than not,
the information compromised during such an activity shouldn’t have been
stored there in the first place, and having an information governance
program in place can reduce such risks.

For instance, an information governance program will address the following
items:

1. Identify which stakeholders in the organization have access to sensitive
information (PHI)
2. Document the storage locations (repositories, servers, applications,
etc.) where sensitive information is stored
3. Explain how long sensitive information is stored in both public and
local environments
4. Outline data storage requirements and guidelines for third-party vendor
compliance
5. Dispose of ROT (redundant, outdated, trivial) data to reduce discovery
costs

No doubt, it’s crystal clear that information governance can reduce an
organization’s risk in connection with a data breach. Of course, there are
many other items that would fall under the information governance umbrella,
but these surely provide a starting point. As with any endeavor, getting
started is usually the hardest part.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
