BreachExchange mailing list archives

Data governance and protection


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Jan 2016 09:09:42 -0700

http://www.nhbr.com/January-22-2016/Data-governance-and-protection/

With heightened public awareness of data breaches, ransomware and identity
theft, organizations should be aggressively re-examining their incident
response and business continuity plans in order to protect their customers'
information. As organizations go through this exercise, data governance and
data protection (in practice, backup and recovery) have important roles to
play.

Business data growth rates have rapidly increased, and hackers are on the
prowl for ways to infiltrate less secure data and fill their pockets. This
landscape has created the need for businesses — large and small — to have a
data governance plan or an organized framework that addresses strategy,
objectives, and policies when it comes to managing corporate data.

Basically, businesses today need to know where their data is, identify
which locations contain sensitive or private data, and limit access to that
data. Once that policy is in place, the next step is deciding how to protect
and store the data. Ransomware makes the two halves inseparable: a backup
that the same compromised account can encrypt or delete is not a recovery
option.

One way to think about this is to ask what your company would do after a
natural disaster, and what a data governance plan would buy you in that
situation. Two questions come first:

 • How long would it take to recover your systems?

 • Have you tested your recovery plan to verify how long it takes?

The scary truth, according to the Insurance Information Institute, is that
when businesses are hit by a natural or human-caused disaster almost 40
percent never reopen. Similarly, once a business is tied to a data breach or
theft of personal information, customers are less likely to do business
with it.

Whether you are preparing for a data breach or organizing a file and
systems recovery plan for your company, there are specific items to keep
top of mind. In particular, businesses should be familiar with two terms:
"recovery point objective" and "recovery time objective."

 • Recovery point objective (RPO): How much recent data can you afford to
lose? For many organizations this is 24 hours: a daily backup ensures that
at most one day's work is lost. Other organizations need an RPO of hours,
minutes or even seconds. Measure the RPO from the last backup that actually
completed and can be restored, not from the scheduled backup time.

 • Recovery time objective (RTO): How long can you afford to be without
access to your data? For many organizations this is 24 to 48 hours, and
longer after a total loss of their offices. Other organizations need an RTO
of hours or minutes even after a total loss of their offices.

Losing data and not knowing how long before it is returned, if it is to be
recovered at all, is never a comfortable place to be and one that you can
prevent with proper planning.

The data protection pyramid is a good place to start when creating a data
protection plan because it’s designed to help organizations make decisions
about how applications and data are protected to optimize cost and recovery
times. Starting at the bottom and moving to the top, the four stages of the
pyramid are:

 • Fault tolerance: Reduces the likelihood of data loss due to a hardware
failure. All applications and hardware should run on fault-tolerant systems.

 • File recovery: The ability to recover lost or corrupted files from at
least the past 30 days is essential for all critical data.

 • Replication: Lets you achieve a disaster recovery time objective of 24
hours or less at a remote site by creating replicas of your virtual
environment and its data.

 • Archiving: Maintains long-term retention of files subject to regulatory
compliance and e-discovery requirements. A data governance policy for
document archiving is the most important step here.

Businesses should conduct a similar exercise to map their data and
applications to appropriate levels of protection (keep in mind that it
might take more than one solution to fit the needs and budget of the
business). For example, a company could justify replication and rapid
recovery for one or two critical applications, yet leave the remaining
systems protected by a less costly solution with a higher RPO and RTO.

Whatever tier an application lands on, it should at minimum run on
fault-tolerant systems and be backed up at the file level; the higher tiers
are added where the RPO and RTO justify the cost.
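The mapping exercise above, and the recovery test the article asks for,
can be reduced to two small calculations. The following Python is an added
illustration, not code from the article or from any vendor: it picks the
cheapest pyramid tier whose guaranteed RPO and RTO meet an application's
objectives, and it measures the RPO and RTO actually achieved in a test from
a list of completed backups and the outage and restore times. The 24-hour
RPO of a daily backup and the 24-hour-or-less RTO of replication are the
article's figures; the other tier capabilities, the cost ranks, the tier
names and all timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Tier:
    name: str
    rpo_hours: float   # worst-case data loss the tier can guarantee
    rto_hours: float   # worst-case time to restore access
    cost_rank: int     # hypothetical relative cost, 1 = cheapest


# Tiers modelled on the article's data protection pyramid. The daily backup
# RPO of 24 h and the replication RTO of 24 h come from the article; the
# remaining figures and the cost ranks are assumptions for illustration.
TIERS = (
    Tier("daily file backup", 24.0, 48.0, 1),
    Tier("remote replication", 1.0, 24.0, 2),
    Tier("synchronous replication", 0.0, 0.25, 3),
)


def choose_tier(rpo_hours, rto_hours):
    """Cheapest tier meeting both objectives, or None if no tier on the
    pyramid does (a signal to revisit the objective or the budget)."""
    for tier in sorted(TIERS, key=lambda t: t.cost_rank):
        if tier.rpo_hours <= rpo_hours and tier.rto_hours <= rto_hours:
            return tier
    return None


def measure_recovery(completed_backups, outage_start, service_restored):
    """Observed data loss and downtime, in hours, from a recovery test.

    completed_backups: ISO timestamps of backups that finished and were
    verified restorable. A backup that failed, or was never test-restored,
    must not be listed: it is not a recovery point.
    """
    start = datetime.fromisoformat(outage_start)
    restored = datetime.fromisoformat(service_restored)
    usable = [b for b in map(datetime.fromisoformat, completed_backups)
              if b <= start]
    if not usable:
        raise ValueError("no restorable backup predates the outage")
    data_loss = (start - max(usable)).total_seconds() / 3600
    downtime = (restored - start).total_seconds() / 3600
    return data_loss, downtime


def meets_objectives(measured, rpo_hours, rto_hours):
    """True if a measured (data_loss, downtime) pair is within objectives."""
    data_loss, downtime = measured
    return data_loss <= rpo_hours and downtime <= rto_hours


if __name__ == "__main__":
    # Constructed sample: two applications with different objectives.
    for app, rpo, rto in (("order database", 1, 4), ("file share", 24, 48)):
        tier = choose_tier(rpo, rto)
        print(f"{app}: RPO {rpo} h / RTO {rto} h -> "
              f"{tier.name if tier else 'no tier fits'}")

    # Constructed recovery-test log: nightly backups, an outage in the
    # afternoon, service restored the next morning.
    backups = ["2016-01-14T02:00:00", "2016-01-15T02:00:00"]
    measured = measure_recovery(backups, "2016-01-15T14:30:00",
                                "2016-01-16T09:00:00")
    print("measured data loss %.1f h, downtime %.1f h" % measured)
    print("file share objectives met:", meets_objectives(measured, 24, 48))
    print("order database objectives met:", meets_objectives(measured, 1, 4))
```

The point of measure_recovery is the one the article's second question
makes: the RPO you actually get is the gap to the last backup that can be
restored, so the test has to feed it the backups that really completed,
and a result that misses the objective means the application belongs on a
higher tier or the objective needs renegotiating.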

Data protection planning can be confusing and complex, so understanding all
the options, including the underlying costs, before transitioning to a
replication solution is important. Understanding the past, present and
future of a data protection plan makes long-term decisions more efficient.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.
