12:40 PM
On Data Mapping and Rumsfeldian Thinking
A, um, wise man once said, "There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. These are things we do not know we don't know."
A similar sentiment (albeit one that can be more simply stated) holds true when it comes to defending enterprise systems and applications from fraudulent attempts to access sensitive data. It is one thing for a carrier to protect the data it knows it has stored on its various systems, but it is another to go about protecting the data that exists in the dark, uncharted corners of its IT environment.
Referring to a 2008 survey from Verizon (here's a link to the 2009 version of the report), Jill Frisby says that 66 percent of data breaches involve data that the victim didn't know was on the system. "It's a telltale sign of some of the problems with data protection," says Frisby, a senior manager in Crowe Horwath LLP's risk consulting group. "We don't do a good job of mapping where our data is and understanding our data universe and we don't have the type of monitoring controls in place to even know when we have been breached."
In many ways, Frisby says, it's a disconnect that exists along the line between structured and unstructured data. Most companies have a centralized database or system for key data, she says. "They're probably aware of these major systems. Where we tend to see more problems is with copies of data and unstructured data, where they have backup tapes or development environments or other channels that they are not aware of."
At Crowe Horwath, a large accounting consulting firm that counts financial services among its largest verticals, Frisby says that data mapping has become an indispensable tool when assisting clients with their data privacy and protection issues. Data mapping allows an institution like a bank or insurance company to follow the path of data as it moves throughout the enterprise. "It's very useful to start at the beginning -- at the point of data collection -- and trace that data through the organization and see where it sits and where it is most at risk," Frisby explains. "Often, the places that it is most at risk are the places they don't think about."