How Mapping Out Requirements Can Help Your Credit Union Deal with Privacy
In Part I of this three-part series ("Not Worried About Data Security Requirements? Maybe You Should Be," Jan. 25) I discussed issues related to privacy and its costs. Here in Part II I will address the challenges of information privacy and an approach to meeting the challenges. If you "Know What You Know" and "Know What You Don't Know" about privacy requirements and your credit union, then you at least are aware of strengths, weaknesses, and what you need to do to ensure your sensitive data stays private.
It's the "Don't Know What You Don't Know" that can give you a false sense of security, or can keep you up at night wondering if there is some regulation or industry requirement you're not complying with, or if there is something out there that will change, or is currently changing, your sensitive data from private to public.
The first challenge is to identify which regulations and requirements affect your credit union. This may take a little effort, as it requires you to look at all the data being processed, transmitted and stored. You will also need to understand your data business processes. In my experience organizations have a high-level view, but not the detailed-level view required to understand what they need to do to comply. Given current demands, this is understandable.
Discovery and Classification
To identify your compliance profile, a data discovery should be undertaken to uncover all the sensitive data in your environment, which then allows you to perform a data classification. This includes structured data, such as that in databases; semi-structured data, such as e-mail and instant messaging; unstructured data on network file shares and individual devices; and did I mention paper documents?
To perform a data discovery, tools will need to be employed that can identify sensitive data in motion, in use, and at rest on networks, servers and workstations, tools such as DLP (Data Loss Prevention) and file share crawlers. Once these types of tools are in place they can be used on an ongoing basis to maintain and monitor sensitive data, which is a requirement of many regulations and requirements.
As regulations and requirements are identified they should be mapped together to find overlapping objectives to reduce the effort and cost of implementing or updating IT controls. This is not the most exciting task but can pay big dividends in streamlining effort and gaining a holistic view of your compliance profile.
Once this is completed, it must be sustained. Keeping up with new and changing regulations and requirements is an ongoing effort requiring at least an annual review of your compliance profile. A review is also needed when new sensitive data is introduced, or when existing sensitive data changes. This is not a "Set It and Forget It" type of exercise.
As an example I have provided a mapping of three requirements from the MA 201 CMR 17 to the PCI DSS to demonstrate the kind of overlap that can be leveraged. MA 201 CMR 17 is focused on sensitive information for Massachusetts residents and PCI DSS is focused on payment card information. If you look at the requirements for both, you will see some overlap in the sensitive information. If you look at the actual requirements, you will see many of the same objectives with varying levels of detail.
A quick look shows that credit or debit card information is considered sensitive data in both as shown in Illustration 1. However, MA 201 CMR 17 includes more information in its requirement. That's not a problem if you look at the actual requirements for protecting the sensitive data as a whole and apply the same controls to all the sensitive data, not just the credit or debit card data.
The Compliance Requirement Mapping table shows the mapping of the detailed requirements, identifying where one set of controls can meet several requirements and save time, effort and cost.
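As an added example (not code from the article or from Lighthouse IT Compliance Group), the Python below sketches the discovery and mapping steps described above: a file-share scan that flags Luhn-valid card numbers and SSN-formatted strings in constructed sample files, then tags each finding with the requirements it falls under so one control set can be applied to all of it. The regulation tags are an assumption based on 201 CMR 17's definition of personal information (name combined with SSN, driver's license, or financial account/card number), and the file paths and contents are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample "file share" contents (not real data).
# 4111111111111111 is a well-known Luhn-valid test card number.
SAMPLE_FILES = {
    "loans/app_2024.txt": "Applicant: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111",
    "hr/notes.txt": "Order ref 1234567890123 shipped; call ext 4100",
    "ops/readme.txt": "No sensitive content here.",
}

# Candidate PANs: 13-19 digits with optional spaces/dashes; SSNs: nnn-nn-nnnn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Assumed mapping of data type to requirements (card data overlaps both;
# SSN falls under MA 201 CMR 17's personal-information definition only).
REG_MAP = {"card_number": ["PCI DSS", "MA 201 CMR 17"], "ssn": ["MA 201 CMR 17"]}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    data_type: str
    masked: str          # only the last four digits are kept in the report
    regulations: list


def scan(files: dict) -> list:
    """Discovery pass: return one Finding per sensitive value per file."""
    findings = []
    for path, text in files.items():
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(path, "card_number", "*" * (len(digits) - 4) + digits[-4:], REG_MAP["card_number"]))
        for m in SSN_RE.finditer(text):
            findings.append(Finding(path, "ssn", "***-**-" + m.group()[-4:], REG_MAP["ssn"]))
    return findings


def controls_to_apply(findings: list) -> list:
    """Mapping step: union of requirements touched, to be met by one control set."""
    return sorted({reg for f in findings for reg in f.regulations})
```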
I know mapping regulations and requirements together may sound like common sense, and some of you may be doing this already. However, since this is not the focus of most IT departments, it often takes a back seat to other initiatives and each regulation or requirement is handled as a unique situation to just get it out of the way. As expedient as it may seem at the time, repeating the same efforts for multiple compliance requirements makes it more expensive, and continually making adjustments to automated and manual controls to meet the compliance requirement of the day makes it error prone.
So you may ask, "What do I do now?" Well, if you want to take this approach and minimize your costs and risks from a compliance standpoint, you need to first take stock of your situation and second put together and work a process that will result in the information you need to identify and protect sensitive data and comply with multiple regulations and requirements in a cost-effective manner.
Take Stock of Your Situation
Know what you know and document known information.
- You have sensitive data that must be protected.
- There are regulations and requirements you must comply with based on known data.
- You have controls in place to protect sensitive data.
Know what you don't know and answer what you don't know.
- What risks do I have and how do I mitigate those risks associated with processing, transmitting and storing sensitive data?
- How do I comply with regulations and requirements in a cost effective manner?
Don't know what you don't know: proactively evaluate your environment to identify unknown issues.
- There is sensitive data in your environment that you don't know about.
- There are regulations and requirements you are unaware of with which you must comply.
- Existing controls are not working, increasing the risk of a privacy breach.
Work a Process
- Discover: Sensitive data and type of data
- Identify: Government regulations and industry requirements
- Map: Like compliance requirements across government regulations and industry requirements
- Classify: Understand the sensitivity of your data as well as retention and disposal requirements (Don't keep what you don't need; dispose of it properly)
- Risk Assess: Identify missing and weak IT controls (Perform a self-assessment as well as using third parties to provide an objective assessment)
- Remediate: Implement policies, processes and procedures to mitigate risks and address compliance requirements
- Audit: Test controls to demonstrate they work and meet compliance requirements (Use your internal IT Audit Team and third-party IT Auditors). This process often uncovers what you "Don't Know You Don't Know."
Now you should be able to find your privacy.
Bill Franklin is a Senior IT Auditor with the Lighthouse IT Compliance Group and can be reached at firstname.lastname@example.org