grc

INSIDE THE DATA MAZE

GRC - GOVERNANCE, RISK AND COMPLIANCE - IS VITALLY IMPORTANT, ESPECIALLY AS MORE AND MORE LEGISLATION IS INTRODUCED THAT COULD HAVE GRAVE CONSEQUENCES FOR ANY ENTERPRISE THAT FLOUTS ITS RULES

What are the key steps that any business needs to take to counteract the growing risks it is exposed to, in order to avoid being in breach of legislation? What pitfalls should it be aware of that can surface along the way? And how do you balance all of these 'musts' so that they align in a way that brings the greatest benefit to the business? These have all become questions that any responsible enterprise has to grapple with, in an age of increasing scrutiny of organisations' corporate behaviour.

There is a school of thought that points to protecting only your critical or sensitive data, as this is the data that will compromise the business if lost, comments Colin Tankard, managing director, Digital Pathways. However, most businesses do not really know what is sensitive, or even critical, and often don't know where it is in the network either.

VULNERABLE INFORMATION

"A classic example of this is the curriculum vitae (CV) which, by definition, is personal and contains sensitive information that needs to be protected, especially under the new GDPR regulations. CVs are shared around an organisation and are not confined to human resources (HR), which means copies may well be on PCs, servers and storage devices, making the locating of them very difficult," he cautions.

18 computing security July/August 2017 @CSMagAndAwards

"The first step should be to protect all data and the baseline for this is to encrypt it, and apply access controls - ie, only allow authorised people to see the content. For anyone else, data will appear either blocked or presented in an encrypted format: garbled. This is very important for, say, system administrators, who need to be able to handle the data, but should not be able to read the content."

After that, monitor the users and network to ensure that any data handled is handled correctly, Tankard advises. "If a user does try to do something with data that is in breach of the company policy, then the action is stopped, the error flagged up to the user and, possibly, their line manager notified, as it may indicate a more sinister long-term plan of the user. With network traffic, we need to monitor unusual events that may indicate a Trojan operating within the network."

Deploying data security need not be complicated, he says, nor a 'speed bump' to doing business, but it does need to be planned and taken step by step. "It should be a key part of the business strategy for protecting its IP, reputation and revenue, and needs to constantly evolve with the business."

SWITCHED-ON THINKING

Arrow Value Recovery says it is seeing a sea change in client behaviour, with compliance gaining higher prominence in switched-on organisations' buying criteria when they seek a sustainable IT asset disposal provider. "In the arena of IT asset disposal, compliance can generally be split into two distinct areas: waste disposal and data protection," says James Burkimsher, business development manager, Arrow Value Recovery. "Most organisations have an awareness of WEEE regulations and, historically, their focus has been on avoiding the images we've all seen in the media, in news reports of children recovering precious materials from IT rubbish dumps in developing countries."
With the EU General Data Protection Regulation just around the corner, organisations are now having to focus on an entirely new set of compliance challenges to ensure they meet the requirements set out for data protection. "If these compliance challenges are not taken seriously, then organisations expose themselves to a huge amount of risk in the form of financial penalties and brand damage. In order to address these risks effectively, they need to understand the challenges they bring, how they relate to their business and their strategic approach to address these," he adds.

CLEAR POLICIES

The increased risk that organisations are facing means compliance issues are now driving corporate governance strategy and behaviour. The key is to ensure that they have clear policies in place that are being driven through their organisation in areas such as sustainability, data protection and waste compliance. Compliance is now more than just a tick in the box on a form.

"We do still find that some organisations choose their IT asset disposal provider based purely on the lowest cost, or on who offers the most for their old equipment, without fully understanding the risks they are taking on by ignoring compliance requirements," states Burkimsher. "The potential penalties of up to 20 million euro or 4% of global turnover incurred through sourcing a low-cost solution that doesn't comply with the new data protection regulations mean this is a high-risk approach. Any short-term savings they believe that they are making could be dwarfed by fines and assessments, if a breach of compliance regulations is identified."

Colin Tankard, Digital Pathways: deploying data security need not be a 'speed bump' to doing business.

James Burkimsher, Arrow Value Recovery: organisations are having to focus on a new set of compliance challenges.