In the article “Study: Global information security improves, but still imperfect”, Angela Moscaritolo points us at a report recently released by PricewaterhouseCoopers, “Safeguarding the new currency of business.” The report presents the findings of the 2008 Global State of Information Security Study®. Her article points out some salient issues found in the report, but I would like to focus on one particular issue.
On page 12 of the report, we find the following:
Many companies, however – if not most – do not know exactly where important data is located.
Other findings in the report indicate that we are doing better at implementing technical controls, and our compliance efforts also appear to be improving. But here is the rub: what value are better technical controls and a clean compliance report if you don’t know where your sensitive data is?
Okay, we don’t know where our data is. We need to find it. How do we do that?
Ask 10 information security professionals that question and you will get 12 answers, all of them starting with “it depends.” If we can’t get a definitive answer from these folks, who can we get one from? How about the people who use that data each and every day?
Again, there are plenty of ways you could go about gathering that information from your user populace, many of which would be adequate. But if we want better than adequate, I think Michael Santarcangelo gives us a great model for producing excellent results in his book Into the Breach.
You should get his book and read it as I have said before, but in short, engage your users in small groups and ask them how they do their jobs, in detail. This will drive out where your data is. You may think your data is that big honking database, but what if a lot of it is in spreadsheets stored on a file server that you know nothing about?
This is a very simplified treatment of a great process that Michael details in his book. So, again, go get it. Read it. Twice. You will not regret it.
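The interviews tell you where people *say* the data lives; a quick sweep of the file servers they mention tells you what is actually sitting there. The script below is an added example (not from the post, from Michael Santarcangelo's book, or from the PwC report) of that follow-up step: it walks a directory tree, looks only at plain-text spreadsheet exports and notes files, and counts lines that look like SSNs, e-mail addresses, or card numbers that pass the Luhn check, so that a random 13-digit ticket number is not reported as a card. The sample "file share" it scans is constructed in a temporary directory; the file names, patterns and extension list are illustrative assumptions, not anything the post names.

```python
import os
import re
import tempfile
from collections import Counter

# Constructed assumption: the kinds of files that turn into "spreadsheets on a
# file server nobody knows about". Binary formats (.xlsx) are left out so this
# runs on the standard library alone.
TEXT_EXTENSIONS = {".csv", ".tsv", ".txt"}

# Illustrative patterns; tune or extend them for your own data classes.
PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: most random digit runs fail it, real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_line(line: str) -> Counter:
    """Count sensitive-looking tokens on one line, keyed by data class."""
    hits = Counter()
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if name == "card_candidate":
                digits = re.sub(r"[ -]", "", m.group(0))
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue        # digit run, but not a plausible card number
                name = "card_luhn_valid"
            hits[name] += 1
    return hits


def scan_tree(root: str) -> dict:
    """Return {relative_path: Counter} for every text file with at least one hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            hits = Counter()
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for line in fh:
                        hits.update(classify_line(line))
            except OSError:
                continue            # unreadable file: skip, keep scanning
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_share() -> str:
    """Constructed sample share: one forgotten finance export, one notes file, one innocent file."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance", "old"))
    with open(os.path.join(root, "finance", "old", "refunds.csv"), "w") as f:
        f.write("customer,card,email\n")
        f.write("A. Example,4111 1111 1111 1111,a.example@example.com\n")   # test card numbers
        f.write("B. Example,5500 0000 0000 0004,b.example@example.com\n")
    with open(os.path.join(root, "hr_notes.txt"), "w") as f:
        f.write("Payroll id for new hire 123-45-6789, ticket 1234567890123\n")  # ticket fails Luhn
    with open(os.path.join(root, "README.txt"), "w") as f:
        f.write("Nothing sensitive here, just a reminder to archive Q3.\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, hits in sorted(scan_tree(share).items()):
        print(path, dict(hits))
```

Run it against a mounted share instead of the sample directory and the output becomes a first-cut inventory to take back into the next round of user interviews: every file it lists is a place the data lives that someone needs to own.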