A few months ago I visited a Chinese Restaurant for lunch. I was with a client and although I don't normally eat at Chinese Buffets, that was his pick, so we ate there. Critical information? No, except for one aspect of the visit – we were seated behind a group of employees from a local company who spent the hour talking about their "P drive".
I'm not sure what prompted the discussion but after sitting behind them for about thirty minutes, I can tell you their company leaves a lot to be desired as far as data governance is concerned. I'll provide a few more details about the mystery company. They are a fairly large and well-known company in Jacksonville. The Jacksonville office is their headquarters. They have offices up and down the east coast but also in other southern states. They are not in a regulated business but they do business with regulated companies. How do I know all of this? The answer is far easier than you could imagine. The company employees were wearing logo'ed shirts. Combine the loose lips with poor data governance and it could be a recipe for disaster if anyone sitting around the employees were hackers. I can assure you I did not have to go to a lot of effort to hear the conversation. The client that was with me does use that company's services and was horrified.
From the conversation, I gathered that the company's P drive is a dumping ground for anything that an employee wants to share with another employee. NTFS permissions (what secures the file and directory security) were inconsistent and anyone could create a directory off the P drive. Keep in mind; this was idle conversation between a bunch of guys at lunch. It's entirely possible that what was represented was not completely correct – but the gist of the conversation was that they had, at different times, stumbled across data that should have been considered private employee information and/or corporate intellectual property.
What's wrong with this picture?
A lot of companies choose to use specific network drive letters to help end users remember common repositories. For example, "P" for this mystery company stands for Public. Other common drive letters used are the "H" for Home directories, "U" for User directories and as already stated "P" for Public directories. Generally however, that is the end of the rules for data. Without a documented data governance plan however, a company can end up with data being stored in shares, directories and email mailboxes that were never intended for such use.
Problems created:
- Sensitive employee data can be exposed,
- Corporate strategies or plans can be delivered to the wrong individuals,
- Intellectual Property such as trademarked material can be viewed,
- Customer data can be exposed,
- eDiscovery and litigation efforts can be exponentially prolonged,
- It would be difficult to create a true business continuity plan without a full system recovery,
- It would be difficult to document application workflows,
- It would be impossible to secure all of the critical data
How do you go about creating a successful data governance plan?
- Define what data can be housed by your corporation,
- While this may seem like a curious statement, unstructured corporate file servers are ripe for employees to use as storage repositories for music and pictures
- While this may seem like a curious statement, unstructured corporate file servers are ripe for employees to use as storage repositories for music and pictures
- Define who will own the data,
- What will be the record of source?
- Who can access the data?
- Create a review process to confirm the access accuracy
- Create a review process to confirm the access accuracy
- Can the data be copied or shared?
- If so, who makes that decision?
- What manner will be used to copy or share the data?
- If so, who makes that decision?
- The data owners or their designated person should become data governance advocates in order to insure adherence
- What will be the record of source?
- Define the lifecycle of the data,
- Confirm the legal requirements for data retention
- Confirm the legal requirements for data retention
- Define the data backup schedule and methodology
- Confirm that this makes sense for recovery needs
- Confirm that this makes sense for recovery needs
- Define who makes the governance decisions regarding data access
- This should NOT be the technology department. The technology department will create the shares and grant the permissions the business requires but should have no part in the decision making process.
- This should NOT be the technology department. The technology department will create the shares and grant the permissions the business requires but should have no part in the decision making process.
- Educate end users on the criticality of maintaining the data structure once created.
What ELSE should be done in the "mystery environment"?
- Educate end users on information security to include social engineering concerns
- Include business leaders and technologists in all discussions regarding data governance
- Data governance HAS to be a top-down initiative
- Data governance HAS to be a top-down initiative
- It probably wouldn't hurt to talk to employees about avoiding bringing up specific information about their environment while in public (that's what water coolers are for)
No comments:
Post a Comment