“Keep it secret, keep it safe”
While most of you, I hope, recognize this line from Peter Jackson’s The Lord of the Rings: The Fellowship of the Ring, as Gandalf’s charge to Frodo regarding the One Ring, I submit that it also captures the primary goal of information security in today’s information age.
The ocean of the blogosphere and Twitter-verse is awash with wave after wave of the opportunities available to organizations able to capitalize on their digital assets by harnessing the power of analytics engines, fed by robust business networking solutions. Check these blogs out for some wonderful examples.
2016 Data Breaches set records
But these waters are not always safe. Googling ‘2016 data breaches’ yields more than 5.6 million results in less than half a second. Bloomberg contributor Olga Kharif writes that 2016 “was a record year for data breaches.” From the DNC to LinkedIn; from the IRS to Snapchat; from Wendy’s to Yahoo; it’s clear that pirates sail the waters of the Information Age. And the pirates may be getting bigger and bolder. On March 22, the WSJ reported that “Federal prosecutors are building cases that would accuse North Korea of directing one of the biggest bank robberies of modern times, the theft of $81 million from Bangladesh’s account at the Federal Reserve Bank of New York last year.”
So how can today’s digital organization successfully navigate these waters? How can CIOs, CISOs, and other C-level executives be confident their own harbors won’t crumble under the next attack? As more and more data inside the enterprise originates outside the enterprise, what about the defenses of those external harbors in one’s digital ocean? More urgently, as more and more business data and applications move to cloud-based solutions, what questions do I need to ask to be confident my data is kept both secret and safe?
Questions to “keep it secret, and keep it safe”
When evaluating current or prospective solution providers, here are the basic questions you need to ask your provider, if not your own internal team, about how your data is secured.
- Will you show me you’ve thought about this before?
This question goes to the information security policies, certifications and audits in place. Is there a framework of policies and procedures that includes all the necessary controls in the organization’s information risk management processes? Are these processes certified against ISO 27001, or at least aligned with a published framework such as the NIST Cybersecurity Framework (NIST does not certify organizations, so ask what the alignment actually means)? Do you undergo regular external audits? Can you provide copies of your SSAE 16 (now SSAE 18) SOC 1, SOC 2, and/or SOC 3 reports, and do they cover the specific services and data centers that will hold your data?
- Where is it?
This question speaks both to network topology and architecture as well as to the physical and environmental controls of the locations where your data is stored and processed. What firewalls are in place? Is there a DMZ? Are proxies used to move data from the DMZ into the processing applications? If the data is stored, is it encrypted at rest, and who holds and controls the encryption keys?
- How does it get there?
This question speaks to the controls surrounding data transmission. Are secure transport protocols used (for example, current TLS versions with strong cipher suites, rather than plain FTP or HTTP)? Is the data itself also encrypted or digitally signed at the application layer, so that its confidentiality and integrity do not depend solely on the transport between intermediate hops?
- Who can see it?
This question speaks to access control. The goal is that only the right people can see the right information at the right time for the right reasons. Here is where you want to ask whether multi-factor authentication is used, whether access is granted on a least-privilege basis and reviewed regularly, and whether Data Loss Prevention (DLP) controls are in place.
- How do you know?
What monitoring, both automated and manual, is in place? Are access points secured by Unified Threat Management tools? What about intrusion detection and prevention? What is the process when an incident is detected, or even suspected, and how quickly will you be notified if your data is involved?
- How do you keep up?
The only constant in the information age is change, from the amount of data being created (IDC estimates the digital universe is growing at 40% per year) to the ever-increasing and changing nature of cyber threats. How does the organization stay current? What is the policy and process for applying patches, and how quickly are critical ones applied? What level of technical debt is in place (what versions of the hardware and software components are deployed, and are any past end of support)?
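The “How does it get there?” question above asks whether data is protected at the application layer, independent of the transport. The following added example, which is not part of the original post or any provider’s code, shows the simplest form of that: a message is authenticated with an HMAC over a canonical encoding of its content plus a timestamp, and the receiver rejects anything tampered with, replayed outside a time window, or malformed. The shared key, the five-minute window and the sample transaction record are assumptions constructed for illustration; a real system would use asymmetric signatures where non-repudiation is needed and provision keys out of band.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical shared secret for the example; never hard-code a real key.
SHARED_KEY = b"example-shared-key-do-not-reuse"
# Assumed replay window: messages older (or newer) than this are rejected.
MAX_AGE_SECONDS = 300


def canonical_bytes(payload: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> dict:
    """Attach a timestamp and an HMAC-SHA256 tag over the whole body."""
    body = dict(payload)
    body["ts"] = int(time.time() if now is None else now)
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(msg: dict, key: bytes = SHARED_KEY,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks shape, tag, then freshness."""
    body, tag = msg.get("body"), msg.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed"
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    current = time.time() if now is None else now
    ts = body.get("ts")
    if not isinstance(ts, int) or abs(current - ts) > MAX_AGE_SECONDS:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample record: a transfer instruction sent to a provider.
    record = {"account": "ACC-0001", "amount": 100, "currency": "USD"}
    sent_at = 1_700_000_000
    msg = sign_message(record, now=sent_at)

    print("fresh, untouched:", verify_message(msg, now=sent_at + 60))

    # An intermediary changes the amount but keeps the original tag.
    tampered = {"body": dict(msg["body"]), "tag": msg["tag"]}
    tampered["body"]["amount"] = 999_999
    print("tampered amount:", verify_message(tampered, now=sent_at + 60))

    # The same valid message captured and replayed an hour later.
    print("replayed later:", verify_message(msg, now=sent_at + 3600))
```

Transport encryption (TLS) protects the bytes between two hops; a check like this protects the content end to end, across proxies, queues and storage, which is why the question asks about both.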
This is by no means an exhaustive list of questions, but these are some of the essential ones to ask. And good answers, backed by evidence rather than assurances, serve to keep the pirates at bay.