All credit unions want to optimize their technology spend, especially when it comes to leveraging mission-critical information.
Credit unions should do everything possible to use their data to its fullest advantage. But many departments may hold or store information locally to meet their needs, not knowing the information is already housed elsewhere within the organization.
This type of data sprawl carries risk in that the information may not be current, and it adds technology costs associated with storing identical data in multiple places.
Identifying the “crown jewels” that are of the utmost importance for a credit union to protect is not an easy process. Finding and protecting this information adequately takes time, energy, and coordination across the credit union.
It requires an understanding of data ownership and data flows both inside and outside of the organization, regardless of whether it involves regulated or compliance-related information.
In the wrong hands, a credit union’s crown jewels can cause considerable negative consequences.
There are several steps to establish a process for identifying cyber assets most critical to the credit union’s mission.
1. Lay the groundwork
Credit unions need a continuous and systematic approach to managing information. Being systematic minimizes the chance data will be left undiscovered, and being continuous reduces the likelihood of gaps occurring that could leave information unprotected.
Establish ground rules early on in the process. Otherwise, an inordinate amount of different data will likely be considered crown jewels by various groups.
A credit union’s legal department can help by establishing data retention requirements with automatic document deletion early on, which will greatly reduce classification efforts and the amount of exposure for the credit union.
Implement processes so that going forward, the crown jewels are immediately identified and properly protected in a continuous manner.
Conduct routine audits to ensure compliance, and hold employees responsible when they don’t properly classify or protect sensitive data.
2. Instill accountability
Once data hits a file share or data repository, its lineage tends to get lost. Every piece of data needs an owner and/or custodian to determine its importance to the business.
Owners assume responsibility for information, including determining who needs access to the information and how to handle requests for access.
These owners are responsible for creating the business policies around the data. Develop a means to appropriately tag data with these classifications.
Otherwise, once information leaves a specific file share or repository, determining its classification will be next to impossible.
3. Map data flow
Credit unions need to map how data flows through the organization. This includes documenting how the data is transformed as it passes through various systems, as the classification of data can easily change as it moves through the organization.
Once you establish a process for identifying a credit union’s crown jewels, implement appropriate levels of protection for those assets.
Information is the lifeblood of every organization, and credit unions are no exception. Like anything living, information ages and has a limited useful life, and it is used for multiple purposes.
Once its useful life is over, data must be retired in a secure manner to prevent leakage to unauthorized sources.
Building a process to handle the lifecycle of information will enable the efficient and cost-effective use and storage of data. It also will limit the liability of leaving unused or stale information on your live system.
Look at your economic and risk issues related to information, and the potential benefits to your credit union will become apparent.
GENE FREDRIKSEN is chief information security strategist at PSCU.