fbpx

Achieving Data Protection Through Frameworks and Standards

(7 minute read) Guest Blog

What is data protection?

Data protection is a generic term that brings together all the measures, activities, policies, technology, and other resources used by organizations to protect their data.


What types of data need protection?

Recently, data has been increasingly used to mean personal information of an individual. But there are so many other types of data that an entity would need to protect:

  • Specialized know-how
  • Corporate information such as intellectual property, financials, contracts with clients and vendors, communications with important third parties such as government or clients
  • Technical information

What data features to protect?

The universal triad used to guide information security policies is confidentiality, integrity and availability.

Data should remain confidential – only authorized individuals and parties should see or access the protected data.

Data should have integrity – the data should be accurate (information is correct and up to date), consistent (the same user account profile information across different applications) and trustworthy (e.g, changed only by reliable methods).

Data should be available – the data should be accessible and available at any time is needed.

Why should you protect your data?

The consequences of data breaches include direct financial loss, reputational damage, potential loss of clients and regulatory investigations and fines.

 

At the end of Q3 2019, the total number of breaches was up 33.3% and the total number of records exposed was up 112% from Q3 2018.

 

How do you protect against data breaches?

In business, doing things in a structured and organized way tends to increase efficiency and save money. Frameworks or standards are used to organize the multitude of different activities, technologies, configurations, and operations that are needed to protect the information assets and is one of the easiest ways to implement adequate and efficient measures.

Standards and frameworks are built by experts using best practice guidelines in information security and privacy compliance. They provide lists of measures, activities, operations, actions (usually called controls) which are grouped into categories for ease of reference and implementation. Examples include NIST, CIS Critical Security Controls, SOC2, PCI DSS, OECD Privacy Principles, ISO 27701 and ISO 27001.

They can be used by any entity, regardless of size, ranging from a small contractor to a large organization employing many contractors. The immediate benefit is that the controls are already listed, and the organization needs only apply the relevant ones.

The words framework and standards are used interchangeably. Some standards provide the possibility to obtain a certification (ISO) or an independent’s auditor report to show compliance with the framework/standard (SOC2).

An example of how a standard/framework can help in practice

The following scenario is built on a mix of IT practices encountered in real situations and corresponding issues. ISO 27001 is used to exemplify how a framework/standard can help avoid these issues.

Scenario

Widgets Inc is a small manufacturer of widgets with around 50 employees. It uses a number of applications on Amazon Web Services (AWS) as well as on its own hardware in the basement of their office. It employs 2 full time IT staff. There are no formal IT policies and controls in place.

Issues

Issue 1: During a regular virus scan, IT noted that one of the in-house servers became infected. The IT staff took the server offline and immediately wiped it clean. The server contained a number of temp folders used by business users to store necessary business documents. The IT staff did not report the incident to management.

Issue 2: The e-commerce platform is used by the finance staff who decided to share one account as it is easier to operate. The platform offers multi-factor authentication, but the staff also decided not to enable it.

ISO 27001 solution

Issue 1: ISO requires procedures to guide the organization’s response to security incidents. Management reporting of all incidents is included as well as post-event analysis to determine what went wrong and fix issues.

The business users would have been spared the frustration of looking for missing documents; management could have discussed training opportunities for the IT staff on incidents handling and resolve the issue of inappropriate storing spaces.

Issue 2: Implementing the ISO controls would require setting up a process for access rights reviews to be performed periodically. Additional controls require secure log-on procedures and protection of applications in line with the sensitivity of the information processed.

An access rights review would have noted only one account being used by a team of finance users and would have raised questions around the use of a single account. The information classification controls would have identified the data on the e-commerce platform as sensitive and would have dictated heightened authentication measures, such as multi-factor authentication.

How do you implement a standard or framework?

Management buy-in

In any organization of any size, management buy-in is vital to any project undertaken by the organization.

The first step is for management to commit themselves to implementing a standard or framework within the organization.

Choose the standard or framework

This is an important decision and the business needs, client base, objectives, and future growth should be carefully considered.

Stay tuned for an upcoming article on choosing a standard or framework on the ComplyWorks blog.

Write the project plan

Implementation of a standard or framework for information security and/or privacy compliance should be approached as a project involving organization resources from all levels.

  • Set up project roles and responsibilities;
  • Set up the scope of the project, budget, and expected timelines;
  • Determine resources - in-house staff or outside help;
  • Find guidance and templates to support the implementation;
  • Monitor project progress on a periodic basis and control budget and execution; and
  • Keep the communication lines with management open at all times.

How can ComplyWorks support you?

ComplyWorks CMS solution can help effectively implement and maintain data protection controls in a secure way. Here’s how:

  • Centralized platform designed to ensure employees formally sign-off on training, or orientations, etc.
  • Orientation capabilities can include the creation of quizzes to confirm comprehension of modules
  • Ability to customize assignments and user permissions for different employee types, for example, into departments or management levels
  • Dynamic reporting and monitoring dashboard that alerts for non-compliance and the ability to track employees sign-off on training and view course progress
  • Storage capabilities to house the latest documents, policies, and procedures and the ability to require sign-off on new updates
  • Our Single Sign-on capability allows users to use their company login to sign in to ComplyWorks and other applications. It authenticates the user to ensure they have the required permissions – simplifying operations and increasing security

Find out more about ComplyWorks and what we do by watching our video or requesting a free demo to get started.

Laura Brown

Privacy Consultant, YYC Privacy


Laura Brown is a guest blogger for ComplyWorks. Laura has many years of experience in data protection both as an auditor and consultant to small, medium and enterprise companies. Her work includes projects such as SOC 2 audits, privacy compliance assessments and implementation of both Canadian and EU legislation, cyber security assessments (NIST and OSFI), ISO standards implementations and IT operational and vendor compliance assessments.

Accreditations: BA, LPC (UK), IAPP – CIPM & CIPP/E (European privacy legislation certification), Artificial Intelligence: Implications for Business Strategy Program MIT Sloan, MIT CSAIL.

FAQs

What is data protection?

Data protection is a generic term that brings together all the measures, activities, policies, technology, and other resources used by organizations to protect their data.

What types of data need protection?

Recently, data has been increasingly used to mean personal information of an individual. But there are so many other types of data that an entity would need to protect:


  • Specialized know-how
  • Corporate information such as intellectual property, financials, contracts with clients and vendors, communications with important third parties such as government or clients
  • Technical information

What data features to protect?

The universal triad used to guide information security policies is confidentiality, integrity and availability.

Data should remain confidential – only authorized individuals and parties should see or access the protected data.
Data should have integrity – the data should be accurate (information is correct and up to date), consistent (the same user account profile information across different applications) and trustworthy (e.g, changed only by reliable methods).
Data should be available – the data should be accessible and available at any time is needed.

How do you protect against data breaches

Frameworks or standards are used to organize the multitude of different activities, technologies, configurations, and operations that are needed to protect the information assets and is one of the easiest ways to implement adequate and efficient measures. Examples include NIST, CIS Critical Security Controls, SOC2, PCI DSS, OECD Privacy Principles, ISO 27701 and ISO 27001.