BreachExchange mailing list archives
Data governance and protection
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Jan 2016 09:09:42 -0700
http://www.nhbr.com/January-22-2016/Data-governance-and-protection/ With heightened public awareness of data breaches, ransomware and identity theft, organizations should be aggressively re-examining their incident response and business continuity plans in order to protect their customers’ important information. As organizations go through this exercise, data governance and protection, otherwise known as backup and recovery, have important roles to play. Business data growth rates have rapidly increased, and hackers are on the prowl for ways to infiltrate less secure data and fill their pockets. This landscape has created the need for businesses — large and small — to have a data governance plan or an organized framework that addresses strategy, objectives, and policies when it comes to managing corporate data. Basically, businesses today need to know where their data is, identify which locations contain sensitive or private data, and limit access to that data. Once a policy is in place, deciding how to protect and store that data is the next step. One way to think about this is to consider what your company would do if there were a natural disaster. What would be the benefit of a data governance plan? To answer that question, consider the below questions first: • How long would it take to recover your systems? • Have you tested your recovery plan to verify how long it takes? It’s the scary truth but, according to the Insurance Information Institute, when businesses are affected by a natural or human-caused disaster almost 40 percent never reopen. Similarly, once a business gets tied to a data breach or personal information theft, people are less likely to do business with you. Whether you are preparing for a data breach or organizing a file and systems recovery plan for your company, there are specific items to keep top of mind. For example, businesses should be familiar with the terms: “recovery point objective” and “recovery time objective.” • Recovery point objective (RPO): How much current data can you afford to lose? For many organizations, this is 24 hours. Most businesses have a daily backup ensuring that only one day’s worth of work would be lost. Other organizations may require an RPO of hours, minutes or even seconds. • Recovery time objective (RTO): How long can you afford to go without access to your data? Again, for many organizations this can be 24-to 48 hours – longer in the case of a total loss of their offices. Again, other organizations may require an RTO of hours or minutes even in the case of a total loss of their offices. Losing data and not knowing how long before it is returned, if it is to be recovered at all, is never a comfortable place to be and one that you can prevent with proper planning. The data protection pyramid is a good place to start when creating a data protection plan because it’s designed to help organizations make decisions about how applications and data are protected to optimize cost and recovery times. Starting at the bottom and moving to the top, the four stages of the pyramid are: • Fault tolerance: Reduces the likelihood of data loss due to a hardware failure. All applications and hardware should be on fault tolerant systems. • File recovery: The recovery of lost or corrupted files over a minimum of the past 30 days is essential for all critical data. • Replication: Allows you to achieve disaster recovery time objectives of 24 hours or less at a remote site by creating replicas of your virtual environment and its corresponding data. • Archiving: Maintains the long-term retention of files subject to regulatory compliance and e-discovery requirements. Having a data governance policy for document archiving is the most important step. Businesses should conduct a similar exercise to map their data and applications to appropriate levels of protection (keep in mind that it might take more than one solution to fit the needs and budget of the business). For example, companies could justify the replication and rapid recovery of one or two critical applications, yet leave the remainder of systems protected by a less costly solution with higher RPO and RTO. It’s also important that all data and applications be protected by fault-tolerant systems that are backed up at the file level. Data protection planning can be confusing and complex, so the ability to understand all options, including the underlying costs, when transitioning to a replication solution is important. Understanding the past, present and future of a data protection plan can make long-term decisions more efficient.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.
Current thread:
- Data governance and protection Audrey McNeil (Jan 15)