RSI Security recently partnered with Ground Labs, a compliance and data risk management (DRM) services provider, to host a webinar on the fundamentals, challenges, and benefits of data risk management. To begin with, Nico from RSI Security introduced the panelists:
- Yad Jaura, Head of Product Marketing at Ground Labs, who leads product-to-market strategy there and has extensive experience in global product marketing.
- Mohan Shamachar, Director of Information Security and Compliance at RSI Security, who has extensive experience in IT infrastructure and cybersecurity management and has conducted multiple compliance assessments.
From there, Nico handed it off to Mohan, who outlined the agenda and started the discussion.
What are Data Risks?
Mohan started by emphasizing the impact of data quality on business decisions. In industries like healthcare, poor data quality can compromise decision-making around patient treatment.
Data loss is a significant risk with long-term financial, reputational, or operational consequences.
Mohan expounded on some common data risks:
- Poor data governance – Gaps in data governance can lower data quality and hinder sales and business growth, especially when organizations handle large amounts of data. However, when managed effectively, data governance can aid decision-making and minimize business risks.
- Data mismanagement – Errors related to acquiring too much sensitive data, poor data validation, and compliance issues can place data at significant risk during its movement across entities and assets.
- Lack of data protection – Unlike poor data governance and data mismanagement risks, it is less common to observe data security risks because most organizations implement data safeguards. By leveraging such safeguards, you can keep data secure and available, whether at rest or in transit—minimizing the risks of data breaches.
Then, Mohan handed it off to Yad to speak about the importance of data risk management.
Why is DRM Important?
Yad mentioned that DRM helps secure stakeholders’ trust and reduces the risks of:
- A damaged business reputation
- Monetary loss
- Litigation
- Potential data breaches
Regulators and governments also want organizations to handle data safely, evidenced by the strong privacy safeguards in frameworks like the European Union (EU) General Data Protection Regulation (GDPR), which is considered the gold standard for data privacy protection.
What are the Steps to Address DRM?
Yad then spoke about the three steps to implementing DRM:
- Identify data locations – Using data discovery tools, you must identify all the locations of sensitive and non-sensitive data. Most organizations are unsure where sensitive data is located across their IT infrastructure, which makes them prone to cybersecurity risks and lowers the effectiveness of security controls.
- Manage the data – After scanning IT assets and identifying data locations, the next step is to manage the data. Implementing regulatory compliance processes will help protect and minimize data risks properly.
- Remediate data – Protecting sensitive data from data risks requires implementing controls such as:
  - Masking data via hashing
  - Deleting sensitive data to make it irrecoverable
  - Encrypting data with passwords and other access control measures
Yad also emphasized that DRM depends on how broadly you can scan your IT assets for both structured data (e.g., databases) and unstructured data (e.g., files, emails). Implementing the steps will minimize the risks of data loss, especially when working with a compliance partner.
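As an added illustration of the identify and remediate steps above (not code from the webinar, RSI Security, or Ground Labs), this Python example finds candidate card numbers in unstructured text, filters them with a Luhn check, and masks each one with a keyed hash. The sample records, key, and token format are constructed; HMAC-SHA-256 is used instead of a bare hash because the card number space is small enough that unkeyed hashes can be reversed by enumeration.

```python
import hashlib
import hmac
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs such as order references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str):
    """Identify: yield (start, end, digits) for each Luhn-valid candidate."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield m.start(), m.end(), digits


def remediate(text: str, key: bytes) -> str:
    """Remediate: replace each PAN with a keyed-hash token plus its last four digits."""
    out, pos = [], 0
    for start, end, digits in find_pans(text):
        token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
        out.append(text[pos:start])
        out.append(f"[PAN:{token}:{digits[-4:]}]")  # token format is an assumption
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample records using published test card numbers, not real accounts.
SAMPLE = (
    "ticket 1042: customer paid with 4111 1111 1111 1111, refund pending\n"
    "order ref 1234567890123456 shipped\n"
    "card on file: 5500-0000-0000-0004\n"
)
KEY = b"constructed-demo-key"  # assumption: a real key comes from a secrets manager

if __name__ == "__main__":
    print(remediate(SAMPLE, KEY))
```

The 16-digit order reference fails the Luhn check and is left untouched, which shows why checksum validation matters for keeping false positives out of discovery results.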
PCI DSS Compliance and DRM – Updated PCI DSS 4.0 Framework
Yad then talked about the recent updates in the Payment Card Industry (PCI) Data Security Standard (DSS) 4.0 framework (released March 2022) and their implications for sensitive data management. Compared with previous PCI DSS releases, major changes around DRM in 4.0 include:
- Data discovery is now a specific compliance requirement to:
  - Provide guidance on PCI scoping and revalidation best practices
  - Help organizations keep track of all data locations
- Organizations must revalidate their scope every 12 months to maintain ongoing data protection across assets.
Compliance with the PCI DSS data discovery requirements can be simplified via tools like Enterprise Recon, which scans assets for sensitive data like cardholder data (CHD) as often as needed.
Mohan added that data discovery is critical to identifying the cardholder data environment (CDE) and differentiating it from less sensitive environments. Yad agreed, highlighting that card payment data has come to be considered personally identifiable information (PII) that requires similar privacy protections to other types of sensitive PII.
PII and Business Critical Data
Mohan briefly described PII, emphasizing that cybercriminals can use the unique identifiers in PII to identify and target individuals. He added that frameworks like the California Consumer Privacy Act (CCPA) and the GDPR contain strong data privacy safeguards that have enabled many organizations to mitigate privacy risks to PII.
Data privacy protections also start with:
- Identifying the specific need to collect or store PII (and document storage locations)
- Defining which information constitutes PII (e.g., business-critical, public, or private data)
Yad added that sensitive PII should only be processed for specific reasons. However, many organizations process PII outside protected data environments, exposing it to privacy and security risks. Here, discovery tools can help identify and remediate such data privacy gaps.
Applying Cybersecurity to Elements of DRM
Mohan mentioned that the PCI DSS framework provides a great example of prescriptive controls for minimizing cybersecurity risks. PCI compliance starts with scoping systems to identify sensitive data and then implementing controls to prevent cybercriminals from accessing that data. The PCI DSS Requirements guide the implementation of security controls.
For instance, security awareness training helps minimize social engineering risks by empowering employees to identify potential phishing emails. Risk assessment also helps identify the likelihood of risks and their threat level. Here, a comprehensive understanding of data risks helps identify and mitigate threats early in their development.
How Does DRM Minimize and Secure Stored Data?
Considering the PCI DSS framework, Mohan mentioned that the best compliance strategy is to avoid storing data unless absolutely necessary. Data management must include the appropriate safeguards to protect PII from privacy and security risks.
Yad added that organizations should not make copies of data unless it is absolutely necessary. Minimizing copies reduces exposure risks; any data that does exist in multiple copies needs to be identified and remediated, especially if any copies are redundant, obsolete, or trivial.
Compliance and Risk Assessment
Mohan emphasized the need to conduct data risk classification when scoping data within and outside of sensitive environments. He added that data governance and management also depend on implementing effective security policies across the organization to oversee compliance and overall cybersecurity. Once you establish controls and achieve PCI DSS compliance, continuous monitoring is critical to keeping sensitive data safe.
Yad added that it is more challenging to protect data if an organization does not know where the data is located. But, with the help of data discovery and related controls, it is much easier for organizations to differentiate between data in safe vs. unsafe environments.
Questions from the Audience
Following Mohan and Yad’s presentations, Nico read out some questions from the audience.
Question: Does RSI Security or Ground Labs provide data governance assessments? Once an initial assessment is done, does RSI Security or Ground Labs provide a data governance management service for organizations that might not have the resource in-house?
Mohan responded by saying that RSI Security provides data security compliance services via:
- Compliance assessments and audits
- Risk assessments
- Security testing services
However, within the umbrella of DRM, RSI Security does not provide data management and governance.
Question: Does Ground Labs scan both on-premise and cloud? Also, can you scan Salesforce data?
Yad mentioned that Ground Labs performs data discovery on-premise, on the cloud, and within a platform like Salesforce. He added that identifying sensitive data requires broad data discovery scans of user endpoints, servers, databases, etc. By identifying and remediating data across these assets, you are more likely to decrease security risks.
Question: Does Ground Labs have a local US team?
Yad responded that Ground Labs has a sales team in the US and also partners with other organizations, such as RSI Security.
Question: How do you price a vCISO service? Is it based on the number of users in the organization?
Mohan mentioned that RSI Security provides various types of vCISO services. Some organizations have pre-established security programs and only need governance and monitoring support for a few hours a day, week, or month. However, some organizations require a turnkey service where a vCISO can help set up a security program’s essential functions.
The pricing of vCISO services will depend on other factors (e.g., organization size, needs, etc.).
Question: Do you offer SIEM and SOAR?
Mohan mentioned that RSI Security offers security information and event management (SIEM) services but not security orchestration, automation, and response (SOAR).
Nico closed the webinar by thanking the panelists, partners at Ground Labs, and participants.
Manage Data Risks with RSI Security
Keeping sensitive data safe is critical to mitigating data breach risks and remaining compliant with regulatory and privacy frameworks. Working with a data security partner like RSI Security will help you effectively manage data security across your assets.
To learn more, contact RSI Security today.