Parry Atfab has an article in Information Week on building data maps to help manage privacy issues. A data map is the result of a detailed study about how data is collected and used in an organization. Data maps are useful for more than just privacy, however. They are also used for creating access control strategies and determining identity management infrastructure needs. Can you answer these questions about the data collected in your company:
- What kinds of data are you collecting?
- How is it being collected and input?
- Why was it collected?
- Were special conditions on its use established at any time?
- How and where is it stored? What software and hardware are used in its storage?
- How can the data be accessed? What software and hardware are used in its access?
- Who has access to it by authority and by ability?
- For what purpose do they have access?
- Where are those who have access to the data? Do they work from a corporate location, on the road, or from home or shared offices?
- If laptops are involved, what security measures are taken for their loss or for theft of data?
- How is authority to access the data controlled, supervised, or reviewed?
- Are there backups? How and where are they stored? Answer the same questions posed above about backups.
- Who can make changes to data, how, and for what purpose?
- Can the data be transmitted? In bulk or only on an individual basis?
- How is all of this logged or documented? Where are the logs or documents stored?
- How are they accessed? How are those logs flagged to show unusual transactions?
- Who receives those flagged logs?
- Is any of this data available on PDA, palmheld devices, or handheld devices? If so, what security measures are taken for their loss or for theft of data?
- What firewalls, software, and encryption systems are used?
- Who has access to those?
- Who receives reports of any intrusions or attempted intrusions to those systems?
This may seem like a lot of work, but ask yourself what it means if you don't know the answers to these questions. Here's a strategy to get started creating a data map of your organization's data:
- Require that all new data stores answer the above questions prior to approval and going live.
- Institute a system of periodic reviews of data sources that review these questions and the answers.
- Get a list of all the data repositories in your organization, who the owner is, and whether personally identifying or otherwise sensitive data is stored in them.
- Create data maps for the ten largest data stores in your list that store sensitive information. Keep moving down the list as resources allow.
Even with a piecemeal approach, this can be a large undertaking. At the State of Utah we had hundreds of data stores that would have had to be audited. That's a full time job or more.
Data usually gets the short end of the stick since people see applications as the important, animating factor in getting work done. One way to overcome this is to link data reviews, cleansing, and audits to application development and maintenance projects. Even so, I'm convinced that understanding data is a key step in running an effective IT organization.