Here’s a startling statistic: 73 percent of businesses experienced a sensitive data leak in the past year, according to Microsoft research.
An almost equally surprising stat is that only 23 percent of businesses extensively use automation for data security, one of the most important ways for warding off data security and compliance issues.
Given their heavy regulatory burden, financial institutions cannot afford to be among the businesses that leak sensitive data and eschew automation. From Sarbanes-Oxley (SOX) to the Payment Card Industry Data Security Standard (PCI-DSS) and California’s new CPRA data privacy rules, financial firms must take proper data handling seriously. That means having the right automation in place.
Yet many financial institutions are still in the middle of digital transformation, with manual compliance processes or gaps in coverage. This puts them at risk. If your organization has not yet fully automated compliance, here are six steps for making it happen.
Step 1: Define Your Automation Plan
The first step is determining the full scope of data the organization expects to hold, who owns and accesses it, and which data regulations apply. This usually requires input from stakeholders throughout the company. As part of this plan, you should also define the objectives and data sensitivity categories for each group of data, categorize data according to data type, and define the classification levels that the automation will use later in the process.
You can get help with the data classification planning process by downloading our free ebook, How to Identify and Classify Sensitive Data.
During the planning process, you should also define and select the technologies that will be used for data compliance automation. The tools you need will largely follow from your list of objectives and security requirements, but they should include a comprehensive data discovery and monitoring solution, an automated data classification engine, a cloud-based real-time threat detection solution, and an automated security provisioning system.
Step 2: Inventory Data Resources
With a plan in place, next build an accurate inventory of the financial institution’s data universe by scanning all corporate resources, devices employees use for working with data, and any public cloud drives that may contain corporate data.
Make sure you select a solution that maintains employee privacy through anonymization, and communicate this to employees so they sign off on having their personal devices scanned. You can lessen resistance to this scanning by tying data discovery to your company’s work-from-home policy.
Set up your data discovery solution so it scans continuously after the initial scan, providing ongoing data discovery as new data is created.
Step 3: Tag Data According to Classification
Once the full data landscape is known, tag each piece of corporate data according to the classification schema established during the planning phase. Each piece of data likely will have more than one tag, and tags will correspond to compliance requirements, sensitivity level and security needs. With these tags, automation can act upon the data intelligently and apply the appropriate governance and security frameworks.
An automated classification engine is essential for tagging the large volume of data within the organization. The tagging process should start with setting up the classification rules, then running an automated classification pass, then refining the rules and correcting initial misclassifications through manual review.
As with data discovery, tagging should happen continuously after the initial categorization effort so new data is automatically tagged as well.
Step 4: Set Up Real-Time Data Monitoring
The next step is putting a data monitoring and threat detection system in place for ensuring ongoing compliance and security. This could be a single all-in-one monitoring and detection system or multiple, overlapping monitoring solutions.
Whatever security stack is chosen, make sure it scans continuously so your organization can monitor data flows and risky behavior in real time. It should be cloud-based so it covers the entire data landscape, and it should be able to monitor not just corporate-owned resources but also the devices and cloud services employees use in the normal course of business.
The right solution will provide an ongoing high-level snapshot of the data estate while also allowing you to drill down to specific data elements. It should include automated flagging based on rules set by the compliance and security teams, adaptive risk scoring that surfaces issues before they become incidents, and indicators for both accumulation (a user or system gathering an unusual amount of sensitive data) and exfiltration (sensitive data moving to an external destination).
Step 5: Apply Automated Security Controls
With all data now tagged, next set up and apply automated access and security controls for each data category. The tagging done earlier in the process will serve to guide and trigger the appropriate automated compliance and security processes for each piece of data.
The nature and scope of security controls will vary from one financial institution to another, but the crucial element is that every compliance and security process runs automatically, without manual intervention. Financial institutions will want to monitor these processes and refine them over time, but day-to-day enforcement should never depend on a person being available, so that data compliance is maintained regardless of staff workloads or human error.
Step 6: Test and Refine the Automation System
The final step in automating data compliance often gets minimized, but it is one of the most important. Once automation is in place, financial institutions should rigorously test each step in the process against defined objectives, ensuring automation performs as expected. Even if the right planning and implementation have occurred, there will be a few kinks in the system that must be corrected before it performs as expected.
This process of testing and refinement should be ongoing, too. As part of the automation rollout, establish a periodic review process for updating compliance rules based on changing regulations, adapting security controls for the latest threats, and evolving data compliance automation based on changing corporate needs. This should include periodically reviewing all steps in the automation process to ensure that the system continues to perform according to compliance and security objectives.
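The following script is an added example of the tag-driven pipeline the six steps describe; it is not Qostodian Recon code or any vendor's, and the file paths, classification rules, user groups, the @bank.example domain and the accumulation threshold are all constructed assumptions. It runs a rule-based classification pass over a constructed inventory (Step 3), applies a reviewer's override to correct a false positive, derives access and sharing controls from the resulting tags (Step 5), and evaluates accumulation and exfiltration indicators over a constructed access log (Step 4). Checking its results against expected outcomes, as a test harness would, is the kind of verification Step 6 calls for.

```python
# Added example of a tag-driven compliance pipeline (classify -> tag -> control -> monitor).
# Not Qostodian Recon code; paths, rules, groups, thresholds and @bank.example are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Step 3: classification rules produce tags; the tag names the regime that drives the control.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers, validated by Luhn below
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def luhn_ok(digits: str) -> bool:
    """Luhn check, so order IDs and other 16-digit strings are not tagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

RULES = [("pci:pan", lambda t: any(luhn_ok(re.sub(r"\D", "", m)) for m in PAN_RE.findall(t))),
         ("pii:ssn", lambda t: bool(SSN_RE.search(t))),
         ("pii:contact", lambda t: bool(EMAIL_RE.search(t)))]
LEVELS = ["public", "internal", "confidential", "restricted"]
SENSITIVITY = {"pci:pan": "restricted", "pii:ssn": "restricted", "pii:contact": "confidential"}

@dataclass
class Record:
    path: str
    text: str
    tags: set = field(default_factory=set)

def classify(records, overrides=None):
    """Automated pass first; a reviewed override then replaces the machine tags (Step 3 refinement)."""
    for r in records:
        r.tags = {tag for tag, detect in RULES if detect(r.text)}
        if overrides and r.path in overrides:
            r.tags = set(overrides[r.path])
    return records

def sensitivity(tags) -> str:
    """Highest level implied by any tag; untagged data is treated as public."""
    return max((SENSITIVITY.get(t, "internal") for t in tags), key=LEVELS.index, default="public")

# Step 5: tags trigger controls; when data carries several tags the strictest setting wins.
CONTROLS = {
    "pci:pan":     {"encrypt": True,  "groups": {"payments"},          "external_share": False},
    "pii:ssn":     {"encrypt": True,  "groups": {"kyc", "compliance"}, "external_share": False},
    "pii:contact": {"encrypt": False, "groups": {"kyc", "marketing"},  "external_share": False},
}

def effective_policy(tags) -> dict:
    policy = {"encrypt": False, "groups": None, "external_share": True}
    for c in (CONTROLS[t] for t in tags if t in CONTROLS):
        policy["encrypt"] |= c["encrypt"]
        policy["external_share"] &= c["external_share"]
        policy["groups"] = c["groups"] if policy["groups"] is None else policy["groups"] & c["groups"]
    return policy

def access_allowed(record: Record, user_groups) -> bool:
    groups = effective_policy(record.tags)["groups"]
    return groups is None or bool(groups & set(user_groups))

# Step 4: accumulation and exfiltration indicators over an access-event stream.
def risk_indicators(events, records_by_path, accumulation_threshold=3):
    restricted_seen, alerts = defaultdict(set), []
    for user, action, path, dest in events:
        rec = records_by_path.get(path)
        if rec is None or not rec.tags:
            continue
        if sensitivity(rec.tags) == "restricted":
            restricted_seen[user].add(path)
        external = action == "share" and not dest.endswith("@bank.example")
        if external and not effective_policy(rec.tags)["external_share"]:
            alerts.append(("exfiltration", user, path))
    for user, paths in restricted_seen.items():
        if len(paths) >= accumulation_threshold:
            alerts.append(("accumulation", user, len(paths)))
    return alerts

# Constructed inventory (what Step 2 would produce) and a constructed access log.
SAMPLE_RECORDS = [
    Record("crm/clients.csv", "Jane Doe, jane@example.com, 555-0100"),
    Record("payments/batch-03.txt", "card 4111 1111 1111 1111 exp 12/27"),
    Record("kyc/applicant-17.txt", "SSN 123-45-6789, DOB 1980-01-01"),
    Record("ops/orders.log", "order ref 1234 5678 9012 3456 shipped"),   # fails Luhn: not a PAN
    Record("qa/fixtures.txt", "test card 4242 4242 4242 4242"),          # passes Luhn, but test data
    Record("payments/refunds.txt", "refund 5555 5555 5555 4444 to acct 9988"),
]
REVIEWED_OVERRIDES = {"qa/fixtures.txt": {"test-data"}}   # manual review corrected a false positive
SAMPLE_EVENTS = [   # (user, action, path, destination)
    ("alice", "read", "payments/batch-03.txt", ""), ("alice", "read", "payments/refunds.txt", ""),
    ("alice", "read", "kyc/applicant-17.txt", ""), ("bob", "share", "kyc/applicant-17.txt", "bob@mail.example"),
    ("carol", "share", "crm/clients.csv", "partner@agency.example"),
    ("dave", "share", "qa/fixtures.txt", "vendor@tools.example"),   # reclassified test data: no alert
]

def run_pipeline():
    by_path = {r.path: r for r in classify(SAMPLE_RECORDS, REVIEWED_OVERRIDES)}
    return by_path, risk_indicators(SAMPLE_EVENTS, by_path)
```

Calling run_pipeline() returns the tagged inventory keyed by path and the alert list. The Luhn check is what keeps the order reference in ops/orders.log out of the PCI category, and the reviewer override is what turns the QA fixture with a valid test card number into plain test data, so sharing it with a vendor raises no alert while bob's and carol's external shares do. Because effective_policy intersects the allowed groups of every tag, a record carrying both pci:pan and pii:ssn ends up with no permitted group at all until someone defines a role that legitimately needs both, which is the strictest-wins behaviour a compliance team usually wants by default.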
Automating data compliance is not hard. It just requires proper planning and the right tools in place.
One tool that makes automated data compliance easier is Qostodian Recon™, our automated data discovery, classification and monitoring solution. To see Recon in action and learn how it can help financial institutions meet data compliance needs, schedule a demo today.