Every company handles many kinds of information and data. Today those data are created, stored, exchanged and updated over the company's data networks. Some of them must be treated in a special way, because their loss, alteration or theft can result in, for example, lost business income (financial loss) if a competitor obtains data that are important for further business growth, or in a breach of personal privacy or of a specific law or regulation, which can lead to penalties or to non-compliance with a regulation or security standard.
Although risk management strategy differs from company to company, defining data sensitivity always comes down to two questions: who should have access to the data, and how much harm would be done if they were disclosed. The most sensitive data are those regulated by specific laws, standards or regulations, and confidential data that are classified as such by contractual obligation: company patents, production data, financial data, personal data and similar.
If sensitive data are not protected as they should be, the risks are, in general, financial and reputational loss for the company.
For example, the European Commission developed the General Data Protection Regulation (GDPR) to strengthen the safeguards around personal data and to create a uniform standard for all EU member states (see THIS LINK).
Organizations that fail to comply with the GDPR face significant penalties. The GDPR requires member states to lay down the penalties for infringements of the regulation, requiring that those penalties be "effective, proportionate, and dissuasive." *1
The regulation also carries steep administrative fines. Under Article 83 of the adopted text, infringements of the lower tier of obligations can be fined up to 10,000,000 EUR or 2% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher. Worse still, a breach of certain other obligations (for example the basic principles of processing, data subjects' rights or international transfers) can be fined up to 20,000,000 EUR or 4% of total worldwide annual turnover, whichever is higher. *2
*1 European Commission, “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, 25 January 2012, page 92, URL
*2 European Commission, “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, 25 January 2012, page 93, URL
There is no single technology or silver bullet that addresses the evolving, challenging security requirements of a global enterprise. To address security requirements and risks, the following questions have to be answered:
- For each system or service, who has access to the data? How will access and other activities be tracked and attributed to specific individuals?
- Can the data be kept private? It must be ensured that only authorized persons have access to sensitive data; this is the confidentiality of the data.
- How many different locations and environments do the data reside in? This includes geographic locations as well as locations within a data center or extended data center (including virtual and cloud environments), and whether the data reside on servers (file servers, databases or virtual machines), on storage volumes or shares, or on disk drives, tapes or other media.
- How many different data types need to be secured? Are sensitive data elements housed solely in structured formats, for example as fields in a database, or also in unstructured files such as PDFs, images or word-processing documents?
- Where do the data get transmitted? This includes data traversing networks between data centers, whether in point-to-point or multi-point environments.
- Are sensitive data unaltered (not modified or corrupted in transit or at rest), and do they really come from the claimed sender? The sender's identity must be proven by authentication, and data integrity must be verified.
- How can data be shared securely? If data are shared among specific users, are the access privileges of those users properly managed, and are those users authenticated and authorized in a secure way?
- Can the security system be audited, monitored and efficiently managed?
- Can it be proven, including to a third party outside the organization, that a particular action or process was performed in the system and by whom? This requires non-repudiation: evidence that a specific person performed a specific action, which that person cannot later deny.
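The integrity, authentication and non-repudiation questions above are often conflated, so here is an added example (not code from the original page) that puts them side by side. A message authentication code (HMAC) detects tampering and proves that someone holding the shared key produced the tag, but because the receiver holds the same key it can forge an equally valid tag, so it proves nothing to a third party. A digital signature binds the message to a private key that only the signer holds, which is what non-repudiation needs. The signature scheme used here is a Lamport one-time signature built from SHA-256, chosen only because it runs on the Python standard library; the shared key and the sample message are constructed for the demo, and a real deployment would use Ed25519 or RSA-PSS from a vetted library rather than this scheme.

```python
"""Integrity (HMAC) vs. non-repudiation (digital signature), side by side.

Added example, not from the original page. The Lamport one-time signature is
used because it needs only the standard library; use Ed25519/RSA-PSS from a
vetted library in production.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple

# --- integrity and authentication with a shared secret ---------------------

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message; anyone with `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check does not leak the tag via timing."""
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- non-repudiation with a Lamport one-time signature ---------------------

DIGEST_BITS = 256  # one preimage pair per bit of the SHA-256 message digest

KeyPairs = List[Tuple[bytes, bytes]]

def lamport_keygen() -> Tuple[KeyPairs, KeyPairs]:
    """Private key: 256 pairs of random 32-byte values.
    Public key: the SHA-256 hash of each value. Only the signer knows the preimages."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public

def _digest_bits(message: bytes) -> List[int]:
    """SHA-256 of the message as a list of 256 bits, most significant bit first."""
    d = hashlib.sha256(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]

def lamport_sign(private: KeyPairs, message: bytes) -> List[bytes]:
    """Reveal, for each digest bit, the preimage matching that bit.
    A private key must be used ONCE: signing two messages reveals both halves
    of many pairs and lets an attacker forge signatures on other messages."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(message))]

def lamport_verify(public: KeyPairs, message: bytes, signature: List[bytes]) -> bool:
    """Hash each revealed preimage and compare with the public key half selected
    by the corresponding digest bit; the verifier never needs the private key."""
    if len(signature) != DIGEST_BITS:
        return False
    bits = _digest_bits(message)
    return all(hmac.compare_digest(hashlib.sha256(sig_i).digest(), public[i][bit])
               for i, (sig_i, bit) in enumerate(zip(signature, bits)))

def demo() -> dict:
    """Run both mechanisms over a constructed message and a tampered copy."""
    key = secrets.token_bytes(32)                      # constructed shared secret
    record = b"transfer 1000 EUR to account 123"       # constructed sample message
    tampered = b"transfer 9000 EUR to account 123"     # same message, amount altered

    tag = mac_tag(key, record)
    forged_by_receiver = mac_tag(key, tampered)        # receiver holds the key too

    private, public = lamport_keygen()
    sig = lamport_sign(private, record)

    return {
        "mac_ok": mac_verify(key, record, tag),
        "mac_detects_tamper": not mac_verify(key, tampered, tag),
        # The receiver can produce a valid tag for any message: no non-repudiation.
        "mac_receiver_can_forge": mac_verify(key, tampered, forged_by_receiver),
        "sig_ok": lamport_verify(public, record, sig),
        # Without the private key, the signature cannot be moved to another message.
        "sig_detects_tamper": not lamport_verify(public, tampered, sig),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the asymmetric case answers the last question in the list: the verifier holds nothing but the public key, so a valid signature could only have been produced by the private-key holder, and that evidence can be shown to an outside party. For a MAC, a court would have to take the receiver's word that it did not forge the tag itself.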