Author - Roddy Bergeron

Is your business data compliant?

Governments around the world are tightening up laws governing how businesses gather, store, and secure user data. This is increasingly challenging as data is now a commodity not constrained by national borders. Is your data compliant?

There is also a vast amount of data being produced, meaning the sheer volume involved can overwhelm businesses, especially SMBs with limited resources. The challenge is for enterprises to implement a data strategy that will provide maximum flexibility to cope with current and future data governance measures, while ensuring the integrity of the data they hold.

Global users, global data

For many businesses this means you also need to consider the protection of customer data from a global perspective. It also means re-evaluating your processes, procedures and the way you handle your customers’ information. New governance structures, like Australia’s Notifiable Data Breaches scheme, or the European Union’s recently introduced General Data Protection Regulation (GDPR), are a sign of things to come. You may even need to get legal advice to ensure you comply and implement the necessary changes.

GDPR: the game changer?

The GDPR is the EU’s new data protection and privacy law. It regulates how businesses and organizations store and manage the personally identifiable information (PII) or data they collect. It imposes strict new rules on organizations that control and process such data, specifically around the systems, processes and procedures involved.

Importantly, the GDPR applies to any organization that handles an EU citizen’s data, regardless of the organization’s location, and the penalties are severe – up to €20 million or 4% of annual turnover, whichever is greater.

You need to be able to show how you comply with the GDPR’s requirements, and it applies to even seemingly innocuous uses of data, like retaining the email addresses of users who reside in the EU.

But the benefit of making sure your business is GDPR compliant is that you’ll then be well placed with regard to other privacy laws and regulations – and you can use that to your benefit. Your reputation will only be improved by demonstrating your compliance, and it should lead to greater customer and partner trust.

What is personally identifiable information?

The definition of what exactly is personally identifiable information varies by jurisdiction, but broadly encompasses information or an opinion about an identified individual. This could include a customer’s name, age, date of birth, address, telephone number, employment details, credit status and medical records. It could also be a record of their opinions, political or religious affiliations, or criminal record.

Such data should always be held as securely as possible, even if not subject to privacy laws like the GDPR, as a matter of good practice.

Privacy is good business

Businesses are increasingly legally obligated to ensure data compliance measures are part of their everyday data processing activities. If you are not sure of your status, a good starting point is to record the current state of your data collection systems and processes, and check if they meet local requirements.

Your ongoing operations should also support the management of data protection procedures and control, with an eye on current and future privacy requirements. And if you don’t have the expertise to do this, get some help. Third party providers can undertake an assessment to help manage the personal data you hold or manage and advise how best to control and process it.

Future-proof your business now by making sure you are responsive to both current and future data governance measures, and that you have full control of all your data. The GDPR is the latest data regulation with extensive global reach, but it’s unlikely to be the last.

 

Baked-in security is best: How to keep your mobile infrastructure safe

Security is critical for any IT infrastructure, but government organizations must be sensitive to the delicate nature of the data they hold and process. In the age of the desktop, security was simpler because centralized control was easier.

Now, in the mobile age, things are more complex. Government-issued laptops, tablets and other devices are being deployed in the field, and many workers use their personal devices – mainly smartphones but also, in some cases, tablets, watches, laptops and more – for work purposes.

This presents a more fragmented security environment, making governance a critical issue. Data must be kept secure regardless of device or location. This means ensuring your network’s perimeter extends to wherever data might be, whether in the office or with the employee in the field.

In transit or at rest: the data protection imperative

As the network perimeter spreads beyond the walls of the office, information must be kept private and secure, both in transit and at rest. Fortunately, significant steps have been made in this direction in recent years. Commonly used operating systems, like Windows and Mac OS, have strong security measures built-in, and most hardware and software, from smartphones to servers to cloud servers, similarly includes security measures like encryption, multi-factor authentication, sandboxes and more. Integrators and other service providers are also becoming more adept at ensuring your hardware and software work together to protect your data when it’s being stored, moved or processed.

Mobile device management for the win

Mobile device management (MDM) has evolved significantly. Originally it was a relatively blunt instrument that gave administrators functions like managing passwords, remotely disabling lost devices and managing apps. Now their capabilities have become much more sophisticated, including features like fine-grained access control, detailed device authentication and authorization, separation of work and personal apps and data, and much more.

Bake it in

Security must be built in to your governance and procurement guidelines, rather than ‘bolted on’ as an added extra, if your data is to be kept secure and accessible. There are two broad reasons why this is necessary:

  • Strategic: Building in security from the beginning marks security as a core concern rather than one that’s addressed only because a regulation forces management’s hand.
  • Tactical: Security that is built in is less likely to offer vulnerabilities in the ‘seams’ that exist between the security infrastructure, operating system, apps and other components.

When looking at your department’s platforms, it’s vital to check whether everything – mobile devices, static hardware, third-party services and data stores – is built around MDM policies that maximize control and protection. When vetting solutions from integrators or system providers, be sure to question them closely about whether their security integration is based on low-level, ground-up technology.

Technology to protect sensitive government (and citizen) information has improved vastly, but no system can ever be watertight. This means that now more than ever, as the data we generate, collect and manipulate expands at an exponential rate, IT teams must ensure that security is baked into systems from the outset.

 

Managing third- and fourth-party security risks

Modern business is increasingly connected, both locally and globally, while IT environments are becoming more diverse, thanks to the proliferation of cloud services, startups and other disruptions. This calls for a rethink of how information and intellectual property is secured from potential attackers and security risks.

As physical and digital supply chains become more important, so too does it become more important to have prudent strategies for dealing with your supply chain’s security and compliance measures. This includes third parties (your suppliers) and fourth parties (your suppliers’ suppliers). The days of only needing to worry about the traditional ‘four walls’ security perimeter are long gone.

On-premises, hosted, and cloud-based applications all house information about your organization. And nowadays application programming interfaces (APIs) that allow third parties access to some or all of this information are commonplace. Ignoring this ecosystem’s security requirements is asking for trouble, and CIOs must keep a close eye on their entire supply chain.

Defending the perimeter

You can’t put a firewall around your entire supply chain, and some security experts have gone so far as to say the notion of a security ‘perimeter’ is no longer helpful. There’s some truth in this; however, it’s equally true that directly protecting your organization’s information, physical systems, and other assets from known and emerging threats is still crucial.

The trends that complicate this more traditional approach are those that extend or blur the line separating ‘inside’ from ‘outside’, including:

  • BYO devices and apps
  • social networks
  • cloud infrastructure and apps
  • platform-as-a-service
  • selective sourcing agreements
  • APIs for automated data transfer

Your security architecture must take these into account, integrating them into its framework and extending protections where necessary – isolation is not an option.

Securing the supply chain

Thanks to the advent of hosted services and applications, supplier security has become a concern for all businesses. There are several practical steps you can take to limit the risk when entering the cloud:

  • Do your homework: always investigate a new supplier’s security and compliance measures, with a focus on the technology and processes they have in place to protect your data.
  • Capture your data: back up all data you provide to your suppliers, even if it is just an archive; you don’t want to lose data because a supplier suffered an attack.
  • Build in your own security: investigate your own options (like encryption) for securing data that is used in a supplier environment.
  • Understand your data’s value: is the data in question simply too valuable to allow a supplier direct access to it?

Keep your friends close – and your business partners closer

Like supplier security, partner security centres on a risk profile to determine who is given access to what type of data. Keep a close eye on what you allow third parties to access and, in the case of APIs, review how you can revoke access in the event of a problem.

Today’s diverse partner and supplier IT architecture makes security more challenging than ever, but by adapting your security model to extend beyond the traditional perimeter, you’ll be doing your bit to keep your data safe and secure.