Sensitive Asset & Data Privacy Review
In our increasingly digitized society, many have adopted the mantra ‘Data is the new Oil.’ Like any valuable commodity that can be transported & monetized, data and physical assets have to be adequately and cost-effectively protected commensurate with their value. Business decisions are made in the context of any vulnerability of an asset with consideration for the appropriate methods and controls required to secure the data or physical space.
Digital transformation initiatives have long sought to eliminate paper trails, phone calls, or human interactions in an effort to increase the speed and accuracy of transactions as part of a more significant effort to lower the cost of goods sold (COGS). The extension of the digital supply chain has achieved many of these efficiencies and cost-cutting goals, but it also introduced a wide range of new and potentially disruptive risks. Most of these new risks are caused by two often contradictory tasks: the need to share information and the need to protect it.
eCommerce and its supporting supply chain require the movement of tangibles (e.g., natural resources, sub-assemblies, supplies, raw materials, software, source code, AI models, and other finished products). However, such transitive activity frequently is preceded by the movement of transaction information (e.g., buy/sell request, contract negotiations, documents, orders, payments). Increasingly information is even being exchanged with customers after the sale to ensure satisfaction, monitor performance (e.g., IoT devices), and soliciting feedback via social media and other channels to improve future products. This deluge of data is both a blessing and a curse for organizations as they attempt to separate the signal from the noise to improve operations, increase the quality of their products and raise client satisfaction while also being accountable for maintaining privacy commitments.
Aside from trade secrets and other unique intellectual property, the rise of digital financial transactions was often the first set of sensitive business data that warranted extra protection to maintain the confidentiality, integrity, and availability (CIA) between merchants and their financial partners. In the 1920s, an early prototype of what would become the German Enigma rotor-based encryption machine was providing secure monetary transactions across public communications networks before the device was adapted for military and diplomatic cryptography work. More recently, secure transactions via credit cards, electronic payments, and even wearable devices have continued the evolution of protecting sensitive data at all times while it is in-transit or at-rest.
The foundation of any data asset protection program requires very precise data classification, handling, and storage policies & procedures. Each should be designed to support the operating parameters defined in the organization’s risk appetite statement, compliance, or contractual CIA requirements. Risk registers provide a practical means of addressing specific risks to data and physical assets that include named risk owners as well as risk treatment & controls contributing to the ultimate calculation of residual risk.
The sensitive asset and data privacy review method is a logical follow-on activity to the critical business process review. Both rely heavily on documenting the business processes that describe appropriate use and potential abuse cases for both classes of assets. Threat modeling and FAIR scenario analysis facilitate the review of the current and desired target residual risk state. Risk Neutral has decades of experience delivering these engagements for FinTech, Healthcare, Large BtoC, Credit Unions, and Payment Card Industry (PCI) Level 1 Merchants.