I always figured that you would need to know what you have in order to protect it. However, I have seen far too many companies implement “best practices,” standards, or compliance programs without first understanding what they have to protect.
Asset inventory systems are bundled into many security systems or other management tools, but these systems track only hardware. IT systems management software tracks operating systems and software, but neither of these systems addresses the security need. The loss of a laptop or smartphone is a loss of a few hundred dollars. The loss of customer records, business strategies, software code or proprietary formulas, however, far exceeds the cost of the hardware. Thus, it is the data that information security needs to protect, and while the data does reside on top of hardware and software, the key to protecting data resides in first understanding the data.
Data can be described by the five W’s. Who, what, where, when and why.
Who created the data?
Presumably, someone created the data for a reason. This person, the data owner, has the initial responsibility for storing the data in an appropriate location and for granting access to the data, so it is important to know who these people are.
What information does the data contain?
Classify the data so that you can understand if it should be protected from loss or disclosure and how much effort should be expended in defending it.
Where is the data located?
The location of the data determines the level of organizational control that can be enacted over the data. An organization would have little control over data on a social network, but they may have a great deal of control over data in an Enterprise Resource Planning (ERP) tool.
When was the data created?
Other good questions include when was it accessed and when was it archived? This standard metadata, consisting of items such as creation, access and archive date, creator, file size, and type, is important because it can show how important the data is to the company. Less frequently used data is generally considered less important. It is also important to know when the data was last archived or backed up since this determines whether the data can be recovered if it is lost, stolen or corrupted.
Why does the data exist?
This is one of the most important questions because data that is not needed should be deleted. There is no reason to protect data that provides no value. This data is only a liability for the loss of the data could impact the organization. Even if the loss is inconsequential, storing, indexing and managing data takes time and money, so organizations would be well served to remove nonessential data.
Why waste time and money implementing security that does not address the data itself? This, all too common approach often results in some data being under protected or not protected at all while other data is overprotected. Furthermore, since the organization does not know of some data, a breach of that data is more likely to go unnoticed. Understand the five W’s and create security controls, policies and procedures to govern how the data is used, stored, shared and deleted.