Three Things Are Certain: Death, Taxes, and Audits
Auditors ask, “Do you know where your (fill in the blank) data is?” The blank might be a company’s HIPAA-regulated protected health information (PHI), payment card data (PCI) or personally identifiable information (PII). Whatever the regulated data type, if a company can’t identify every instance of that data: which files, databases and datasets it lives in, who has access to it, where it’s backed up, where it’s transmitted and where it’s copied to, then, Houston, you have a problem. As with Apollo 13, the crew can still return safely from audit orbit, but immediate action is needed to regain control.
Using the RACI model, a responsibility assignment matrix that tells stakeholders who is Responsible, Accountable, Consulted and Informed, companies are accountable for protecting the sensitive data they collect, process, transmit and store. Accountable means the person or entity with final authority; there is only one accountable party, so that is where the buck stops. Other companies they do business with, such as Information Technology service providers like Ensono, may be responsible for some aspects of protection, but the company that collects the data is ultimately accountable for ensuring the sensitive data on its systems is protected.
Many companies are well into identifying and protecting their sensitive data; many were pushed there by the regulations that require it. They may have used software tools with discovery capabilities to find instances of things like SSNs or credit card numbers. Once found, the data must be controlled so it can be tracked throughout its lifecycle. Security tools such as access controls, data loss prevention, monitoring, intrusion detection/prevention, and the security professionals a company needs to operate them, are worth every bit of thrust they provide toward a safe audit landing. Just ask the companies that have paid tens of millions of dollars in breach-related costs, not to mention the damage to a company’s reputation, which can take years of rebuilding consumer confidence to repair.
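As an added example of what the "discovery" step in the paragraph above actually does (this is illustrative code written for this page, not Ensono's tooling or any commercial product), the scanner below walks text line by line, matches credit-card-shaped and SSN-shaped strings, and then applies a plausibility check so that a random 16-digit order number or a 666-xx-xxxx string is not reported. The sample text, its customer names and every number in it are constructed; the card numbers are well-known industry test values.

```python
import re

# Constructed sample standing in for a file a discovery scanner would crawl.
# All values are synthetic: the card numbers are standard test numbers and
# the SSN-shaped strings were made up for this example.
SAMPLE = """\
customer=alice, card=4111 1111 1111 1111, exp=12/27
customer=bob, card=4111-1111-1111-1112
order 8765432109876544 shipped
ssn 123-45-6789 on file for carol
ssn 666-12-3456 rejected by intake form
ticket 1234567890123 closed
"""

# 13-19 digits, each optionally followed by a single space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN written as AAA-GG-SSSS; plausibility is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def redact(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, redacted_value) for each plausible PAN or SSN."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, "PAN", redact(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                hits.append((line_no, "SSN", redact("".join(m.groups()))))
    return hits


if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE):
        print(f"line {line_no}: {kind} {value}")
```

Two caveats a practitioner should keep in mind. First, the Luhn and SSA checks only reduce false positives; a 16-digit invoice number can still pass Luhn, so findings need a human or contextual review before they drive access revocation. Second, a text scanner only covers files; the same patterns have to be run inside databases, backups and message queues, and the results joined with access lists, to answer the auditor's question of who can reach each copy.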