00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:12
Welcome to CyberSound. I’m your host, Jason Pufahl, joined by Steve Maresca and Michael Grande. Hey guys. So I think we’re going to try to probably do this podcast in a little bit of a shorter time frame, because we’re going to talk about a pretty specific topic, but it’s one that we get requests and have discussions around all the time, which is really data management. How do you know the data that you have? How do you understand where that data exists within your environment? And then how do you manage it, right? And I know, Steve, in preparation for this, you said, hey, there’s a disclaimer I want to make immediately, right? To really lay the ground for this.
Steven Maresca 00:51
Yeah, we hear all the time, I’m not a target. We don’t have any sensitive data. And the truth is, every single organization on the planet with employees or bank accounts or, you know, a public image they want to protect has sensitive data: HR, benefits, payroll, credit cards, bank statements, you name it.
Jason Pufahl 01:05
So I’m going to say this. You don’t want to make it more complicated than you have to. I feel like, you know, one of the challenges we talked about was avoiding the word governance, because it feels like it makes it so much more formal, and it can be, of course, but in reality, a lot of our discussions are not much more complicated than, what data do you store and where is it? And that second question is always the most complicated part, right?
Steven Maresca 01:32
And really the motivator for that is, you know, do you have to prove how you handle it to any interested third party? That could be an auditor, could be one of your customers or prospective clients. That’s really what you’re concerned about, that sort of thing.
Michael Grande 01:45
Prove how you handle it and at the same time access it when needed, when called upon for different, you know, use cases. I’m thinking about something more from the sort of HR, payroll, benefits perspective, for, you know, employees that maybe haven’t worked for the organization in several years. You know you’ve got that challenge of going back into records, ensuring that you have data accuracy, that they’ve been securely stored, and that you can, you know, access what you need in a short amount of time.
Steven Maresca 02:13
Absolutely. And you know, if worst comes to worst, too, being able to actually, with clarity, notify if you have a breach of any kind.
Jason Pufahl 02:21
Or expunge, if you’re asked to for something like GDPR, so you have to know where this data is. And too often, I mean, we do absolutely have those comments where people say, well, I don’t have any data that matters. I mean, I think that that’s false for 99% of the customers that we work with. And then, typically, I think people have maybe a false sense of where their data exists. They believe that it’s all located within a system of record, right, and not sprawled on people’s laptops or printed out and left in places on copiers, etc., right?
Steven Maresca 02:54
And invariably, even if a really robust corporation has a data warehouse or a system for reporting that’s maybe managed by a third party, the truth is, people are using it all the time. They’re extracting reports, they’re saving to all their systems. They’re not putting it in file shares or, you know, protected locations.
Michael Grande 03:10
They’re emailing PDFs.
Steven Maresca 03:12
Absolutely.
Jason Pufahl 03:14
So yeah, go ahead.
Steven Maresca 03:15
Yeah, you touched on governance, and data governance is the term of art in terms of rigor in protecting and safeguarding data. The basic way of representing it: it’s writing down what you do, documenting how you work with the information, and making sure all of your employees know what to do, so that you can demonstrate that to others. There’s not really a need to overcomplicate it. If you don’t have a lot of data, it’s a very simple thing. If you’re a large organization with decades’ worth of stored information, you probably have several years of effort to make that sort of a sound conversation.
Michael Grande 03:53
I have a question as it relates to sort of third party integrations and understanding how, let’s just use a payroll service or maybe a benefits administration service. You know, small businesses, is it okay to rely on their systems of security and governance, or are there things that people should be asking for, sort of at the onset of an engagement, to say, hey, I’d like to know how you handle this data in the future. How much will be retained? You know, what type of security protocols do you have in place? I’m thinking, you know, small businesses, very few run their own payroll anymore. Almost all outsource it, right? So you’ve got these huge companies. Everyone knows who they are. You know, they house a lot of sensitive information.
Steven Maresca 04:39
So, rely on the third party services, but recognize that during hiring, there’s probably something that was recorded that you’re storing; the same thing for benefits discussions and so forth. You can’t really fully get away from that reality. Use the techniques and the tools that are available in an ADP or an HR management system or a bank, you know, for handling payroll, but at the end of the day, if you have any of that in house, or a portion of that flow, you still have to think of it with the same level of rigor, because it’s not so much that ADP is going to protect the data. Of course they are. Their business would crumble if they didn’t.
Jason Pufahl 05:20
Wait, but I think you still go through that third party risk management process. Validate your vendors. Not everybody is as, say, well secured as an ADP. There are a lot of smaller vendors out there that probably don’t have the same practices.
Steven Maresca 05:32
Of course, of course, you want to make sure that they have good answers for how the data is defended and encrypted and transmitted. You don’t necessarily have to start from the systems of record where the data is stored. Those change, and there might be many, many in parallel, depending upon the business and its complexity, right? You could instead go through how people are interacting with the data. Use Google or 365, some of the tools that they have for managing data flows, finding sensitive data, and they’ll tell you. Real challenge, yeah, right, but that’ll also tell you where your highest risks are, because data in flight is susceptible, and that’s probably how you need to constrain it if you don’t have a good sense of where the data resides.
Jason Pufahl 06:19
I mean, it’s good that you went into the tool space a little bit, because I think you opened this up talking a little bit about the policy requirements, the procedural requirements. People are still going to gravitate toward what is the easiest way for them to get their jobs done, and that typically means copying data places, working at it locally. So you do want some of these third party tools. Almost everybody is now working with an Office 365 or a Google environment. You can even look more broadly, using tools like Varonis or Spirion, for example, to look at specific data types. They won’t catch everything, but it’s an aid.
Steven Maresca 06:54
Yeah, they’re backstops to business process, because the business generates data or intakes data. Those can help clean it up or narrow where it lives. But it’s a continual process to find it, to make sure that there’s no new storage of information, no new export that could leave the bounds of the org or something like that.
Jason Pufahl 07:17
You have to define it. You have to define where you’re storing it, because I’m thinking of certain things we spent time already talking about. I’ll call it personal data, PII, things that you can use tools pretty effectively to look for: addresses, names, credit card numbers, social security numbers. It’s much more difficult to have a tool look for CUI or FCI in that sort of DoD space which we work in, right? So you do have to know the types of data that you have, maybe some of it’s defined contractually for you already, and where you store it, and you might not have tools that can find that for you.
Steven Maresca 07:52
And ultimately, that’s what data governance is. It’s listing the things that matter to your organization or that you’re obligated to fulfill in a regulatory capacity, the sorts of data that are associated with it, and then, as a result, what roles in the org, what departments, what systems need to be considered as things to protect, right?
Jason Pufahl 08:12
Michael, you were talking a little bit about retention at the beginning of this.
Michael Grande 08:15
Yeah, I was just gonna say, it, you know, feels a little bit like the long-lost days of, just hold on to your tax returns for seven years, right? You know, I just remember, you know, hearing that when I was, you know, growing up.
Steven Maresca 08:28
Well, it still remains the, well, it’s still the practice everywhere. But for all data, we have to keep that for seven years, right?
Michael Grande 08:34
Exactly. It’s just sometimes it feels that there are made-up numbers, and then you have to really go down the well of, you know, what am I required to do? How much do I need to, you know, retain this for prior employees and benefits administration? And, you know, that’s just the business aspect of things, not just the customer data aspect.
Jason Pufahl 08:52
And it’s not all defined in regulation. I remember, you know, dealing with data like IT records, IT logs, things like that. And, you know, in the state of Connecticut, their language was, you know, keep that data as long as it is administratively useful, right? You know, there’s no time frame associated. So that goes back then to that policy and procedure space where you say, we maintain X record for three months, six months, a year, and then adhering to what you’ve written down.
Steven Maresca 09:17
Unless obligated to retain for a certain period, the timing involved is one of structured convenience, and just imposing, like, a deadline for the org to follow. Yeah, that’s it. It’s a control on liability too, because if you have a disposal practice, you’re shredding your documents, you’re deleting your data on a regular basis. If you don’t have it, it can’t be disclosed and it can’t be a notification.
Jason Pufahl 09:42
Yeah, I mean, there’s a strong argument to be made that shorter timeframes for keeping data is better, right? Unless, of course, you’re running afoul of laws.
Steven Maresca 09:52
I want to note on a very specific item where orgs like communications and PR firms often think, hey, all of our data is public. Well, that’s partly true, right? Because they might be working with orgs that have material impact to their revenue based upon arguably public information that passes a certain time threshold. The same types of considerations apply. It’s not sensitive in the regulatory sense, but it definitely has negative impacts if it’s disclosed when it shouldn’t be, before that date. Yeah, public, but worth considering.
Jason Pufahl 10:29
Yeah, I mean, in short, so I think we’re actually going to have a company on as one of our guests that is in the data disposal business, right? The data destruction business. So I think, you know, our goal will be to air this first as a bit of a primer around what data governance is and how important it is to protect your data and understand where it is. Every organization has this challenge, I mean every single one, and really to go back, because I think it’s so important to go back to what you said: if you don’t think you have confidential or sensitive data, you’re mistaken. It may not be as much as an ADP, but you’ve got it. You need to understand where it is. You need to protect it.
Steven Maresca 11:09
And some easy takeaways, because there are some actual things to do if you’ve not approached data governance in a holistic and deliberate way: make a list of where your data exists. Is it a third party system? Is it an internal database? What is the data that resides in those locations? Are you obligated to report? Is there a legal or a public relations impact if it gets disclosed? Define that. There will be some decisions that fall right out of it, just by thinking it through in a constructive way. That’s it.
Jason Pufahl 11:40
Yeah, great, yeah, write things down. Know where it is, protect it. So, both of our businesses: did you write it down? Alright, well, I mean, I think that’s enough. That’s probably enough data governance. It’s hopefully enough to get people thinking a little bit about the fact that they probably have data, yeah, that they may not feel confident that they know where all of it is, and they should start thinking about it. That’s the takeaway we want here. Yep. So as always, you know, hopefully you learned a little bit, you got a little bit of value from this. If you have any questions, let us know. We’re happy to answer them. Thank you. Thanks guys, awesome. Thanks.
12:16
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn and remember, stay vigilant, stay resilient. This has been CyberSound.