This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Pure Storage CTO Andy Stone offers 10 key data compliance strategies and best practices to stay out of the hands of ransomware evildoers.
Effectively securing and managing your data is critical for preventing cyber-attacks – but that’s not the only benefit. There’s another costly implication of data mismanagement: data compliance infractions and the resulting fines levied by data protection authorities.
What is data compliance? Why has it become so complicated?
Compliance is a broad discipline – but ultimately it seeks to govern how organizations store, access, and use customer data. The end goal is to protect individuals’ personal information and ensure their data isn’t exploited or mishandled. While this is all good, it’s often nuanced, constantly evolving, and tricky for organizations to interpret.
For example, compliance doesn’t just regulate how data is used—it regulates how it’s stored and deleted. For example, if a ransomware attack occurs, it’s often common for the affected organization to address compliance fines. That’s because keeping too much data for too long is one of the biggest compliance missteps companies can make. GDPR (General Data Protection Regulation) calls this an individual’s “right to be forgotten,” and it essentially means a company can’t hang on to their data when it’s no longer needed for processing.
Additionally, the pervasiveness of technology in today’s modern world has created a complicated relationship with personal data. And as technology evolves, so does how data is used and how it must be protected. As digital transformation continues, compliance will play more of an integral role in everything.
Here’s a short list of some best practices to help your company achieve compliance and stay out of the hands of ransomware evildoers.
Data Compliance Strategies
Create a Compliance Framework
A security or incident response framework explains how to detect, respond to, and recover from incidents. In a similar way, a compliance framework offers a structure for addressing all compliance regulations that relate to an organization, like how to evaluate internal compliance and privacy controls. A framework also helps identify the data, such as personal or sensitive data, that requires more stringent security protocols.
Define Policies Regarding What Data is Collected and Why
This step is part of creating a framework. There are many reasons to document the what and the why of data collection. Regulators may require that such policies are spelled out; if the data comes from consumers, there may be even more stringent requirements for detailing collection policies (see #4 below).
Create Privacy Policies
Be very clear with your customers about what data is being collected, what you’re using it for, and how it is being stored and for how long. Also, be clear with customers about how they can request access to their personal data or request to “be forgotten” and have their data removed from your systems.
Step Up the Commitment to Disclosures
Share, post, and maintain publicly available privacy policies.
Stay on Top of the Latest Government Regulations That Impact Compliance
A “privacy by design” operating model can help you keep up with and adjust to constantly changing regulations. It means that you’re building privacy into the design and operation of IT systems, infrastructure, and business practices—instead of trying to bolt it on after the fact.
Solidify Data Retention and Removal Policies
This step is critical. Retention schedules dictate how long data is stored on a system before being purged, and schedules can vary by industry. In fact, 451 Research’s 2021 Voice of the Enterprise reveals that 31 percent of respondents aren’t always following their data deletion and retention policies—or haven’t implemented retention policies at all. The mark of a compliant, mature, and secure business is one that develops solid data retention and removal policies that are continually reviewed.
Choose a Data Encryption Protocol
Establish what kind of data encryption to employ and where—on-premises, in the cloud, etc. The decisions may vary depending on where data resides as data encryption can occur at one of many points – at the application, in flight, and at rest (i.e. on the storage system).
Talk to the CISO About Network Controls
Since compliance is closely related to security, bring your CISO into conversations about network appliance configuration, least privilege access control, event logging, and multifactor authentication.
Anonymize Sensitive Data
When required, data should be anonymized to remove personally identifiable information with masking, tokenization, hashing, or anonymization. A compliance officer can ensure your organization is following retention and deletion policies and not backing up sensitive data previously slated for deletion for compliance reasons.
Document How You’ll Notify Parties Affected By a Breach
Under GDPR, such notifications are mandatory—and you definitely want the notification process to go off without a hitch. Decide who’s responsible for getting the word out, how you’re resolving the issue, and what you’re doing to prevent breaches from happening again.
Leveraging data comes with immense opportunity, but it also comes with responsibility. If your business is a believer in the “data is the new oil” piece of wisdom, then you also need to embrace compliance—because, without it, the data may not be yours for much longer.
- Data Compliance Strategies: 10 Best Practices to Consider - September 13, 2022