Reduce risk

Security breaches, cyber-crime and data privacy regulation – your organization’s data will inevitably contain sensitive information. Knowing where this information resides, being able to address identified risks and ensuring compliance with policies – these are crucial capabilities to reduce risks relating to file data.

Business Needs

Improve Compliance & Data Protection

The accelerating threat of cyber-attack and a rapidly tightening regulatory environment are turning data protection and compliance strategies into business critical decisions.

Unstructured data, as the most chaotic and fluid information repository within the organization, is simultaneously the most important and the most difficult to manage for data protection and compliance teams.

Recommendations

Insights & Recommendations

Identify & Remedy Dangerous Working Practices

Improve User Handling of Organizational Records

Targeted Behaviour

Working copies of Records are being abandoned in unsecured locations.

Directive

Files temporarily retrieved from records management systems for editing or reference, must be returned correctly to the records management system after edits have been made and all reference copies must be deleted as soon as work is complete.

Records may not be indefinitely stored in Home Drives, SharePoint Sites, Office365 file shares, or on NAS storage. Records may only be stored in designated records management systems.

Policy Requirements

  • Scan once per week for files containing ‘customer numbers’, ‘employee numbers’, ‘supplier numbers’, social security numbers, credit card numbers and/or other specific PII/PCI data that have not been accessed or modified within the past seven days.
  • Notify Data Stewards/Records Managers when suspected records have been identified.
  • Require that Data Stewards/Records Managers review file lists and perform appropriate actions.

Identify & Remedy Dangerous Working Practices

Avoid Unnecessary Retention of Sensitive Job Applicant Data

Targeted Behaviour

Personal letters and CVs collected during recruitment processes are being retained within Managers’ Home Drives. The sensitive personal data within these files is not appropriately secured.

Directive

Personal letters and CVs collected during recruitment processes must be destroyed immediately after the position is filled. If the manager wishes to retain these documents for future reference then a dedicated location can be provided.

Policy Requirements

  • Home Drives (including O365 file storage) are scanned on a monthly basis.
  • Files containing relevant strings/patterns (social security number, “CV”, etc.) are identified.
  • The owners of identified files are notified, asked to remove the offending files and reminded of the organizational directive.

Identify & Remedy Dangerous Working Practices

Remove Practices of Storing Password Details in Files

Targeted Behaviour

Users are storing personal passwords as well as application and service account login information in file shares.

Directive

Users must store all login credentials (including user names and passwords for personal accounts) in a dedicated system (KeePass). No ID or password information may be stored in files, encrypted or otherwise.

Policy Requirements

  • File shares and O365 file storage are scanned once per month.
  • Files containing text strings associated with passwords and user IDs are identified.
  • The owners of identified files are notified, asked to check the file contents and reminded of the organizational directive.

Identify & Remedy Dangerous Working Practices

Ensure Destruction of Sensitive Annual Review Data

Targeted Behaviour

Sensitive personal data, including salary information, is distributed to managers on an annual basis to support annual review processes. These files are not being appropriately deleted after the conclusion of review processes.

Directive

Employee information that is provided in support of annual review processes must be deleted following completion of these processes. Historical information can be provided upon request and should therefore not be retained independently by managers.

Policy Requirements

  • Home Drives (including O365 file storage) and Common Shares are scanned on a monthly basis.
  • Files containing relevant strings/patterns (“Annual Review”, “Salary” and employee numbers) are identified.
  • The owners of identified files are notified, asked to remove the offending files and reminded of the organizational directive.

Delivering on Specific Audit Requirements

Test to Ensure Records are Correctly Located

Targeted Behaviour

Compliance to written policies for record location is not being actively monitored.

Directive

Tests must be performed to confirm that users and Data Stewards are correctly locating files containing PII or PCI data according to standards.

Policy Requirements

  • Tests must be performed on a weekly basis to ascertain whether files suspected to contain PII or PCI data are being stored in SharePoint sites or OneDrive for Business file stores.
  • The presence of ‘customer numbers’, ‘employee numbers’, ‘supplier numbers’, social security numbers or credit card numbers will signify a failed test.
  • Results of each test are sent to Records Managers.
  • Tests will be performed on a monthly schedule and will be available to Records Managers and Data Security personnel to run on an ad hoc basis.
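As an added example (not part of the original page or of any vendor product), a minimal version of the scans the policy requirement lists above describe: sweep a share for files carrying social security numbers, card numbers or employee numbers that have not been accessed or modified in seven days, and report each hit with the file owner so the Data Steward can be notified. Customer and supplier number formats vary by organization and are left out; the EMP-nnnnnn employee-number format, the sample file names and their contents are assumptions constructed for this example.

```python
import os, re, tempfile, time

PATTERNS = {  # categories named by the weekly scan; employee-number format is assumed
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "employee_number": re.compile(r"\bEMP-\d{6}\b"),  # assumed format, not from the page
}

def luhn_ok(digits: str) -> bool:
    total = 0  # Luhn checksum drops digit runs that merely look like card numbers
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def findings_in_text(text: str) -> dict:
    hits = {}  # category -> count; card candidates must also pass Luhn
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name != "card" or luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                hits[name] = hits.get(name, 0) + 1
    return hits

def scan_share(root: str, now: float, days: int = 7) -> list:
    # Report files untouched for `days` that contain hits, with owner uid for notification
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            st = os.stat(p)
            if max(st.st_atime, st.st_mtime) >= now - days * 86400:
                continue  # touched recently: a working copy still in use
            with open(p, encoding="utf-8", errors="ignore") as f:
                hits = findings_in_text(f.read())
            if hits:
                report.append({"path": p, "owner_uid": st.st_uid, "hits": hits})
    return sorted(report, key=lambda r: r["path"])

def demo() -> list:
    # Constructed sample share: two stale files with hits, one recently edited file
    now, old, root = time.time(), time.time() - 30 * 86400, tempfile.mkdtemp()
    samples = [("customer_export.txt", "SSN 123-45-6789 card 4111 1111 1111 1111", old),
               ("notes.txt", "EMP-004211 run 1234567890123456 fails Luhn", old),
               ("fresh_report.txt", "SSN 987-65-4321 edited today", now)]
    for name, body, ts in samples:
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write(body)
        os.utime(p, (ts, ts))  # backdate atime/mtime so the stale rule applies
    return scan_share(root, now)
```

The staleness check runs before the file is opened, so the scan itself does not refresh the access time it is about to judge; a real deployment would replace `demo()` with the share roots from the Data Stewards and route the report to the notification step.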

Delivering on Specific Audit Requirements

Workflow for Responding to Legal Hold Requests

Targeted Behaviour

Requests to place data related to specific people, projects, products or cases on Legal Hold are being poorly fulfilled. A lack of sufficient insight into data content is leading to unnecessarily large volumes of data being quarantined and to relevant data being excluded.

Directive

A scientific method of identifying files that should be subject to legal hold is required. The organization is exposed to unnecessary (and significant) infrastructure and services costs when excessive data is placed on legal hold. Similarly, the organization is failing to fulfil its legal obligations when relevant files are missed. The ability to query file content and identify the presence of relevant strings is necessary.

Policy Requirements

  • Legal announces that all data connected to a person, company, case, etc. should be placed on legal hold.
  • IT identifies the Data Stewards (Business Unit Managers, Department heads, Records Managers, etc.) that should be involved, and creates the quarantine location with relevant permissions, retention policy, etc.
  • Data Stewards provide lists of the data repositories that should be scanned (text-mining) for files connected to the person, company, case, etc. Scans are configured and executed.
  • Data Stewards receive notification when data is collected and review file lists – moving relevant files to quarantine.

Other

More of what we deliver

Reduce Cost

On-prem or in the cloud – storing your organization’s data is costly, especially once all the expenses of housing the data and keeping it over time are counted. Identifying and removing data categories like ROT (redundant, obsolete, trivial), and archiving other categories, will significantly reduce costs.

Increase efficiency

Data grows continuously and mostly in an uncontrolled way – the efficiency of those who own the data and those who depend on it decreases as it becomes increasingly chaotic. Having insight into and control over your file data will improve the efficiency of data owners, and of those tasked with controlling the risks associated with the data.

Corporate responsibility

Pressure mounts on all organizations to take more social responsibility – IT services, internal or external, need to incorporate capabilities that facilitate CSR. The ability to measure and compare, for example, the environmental impact of different file services, and to take action to improve it, is no longer an optional capability.

We accelerate the goals of growth stage companies by providing the expertise and experience they need to hit their next stage of growth faster.

Let’s take control over your data management
