Security Think Tank: Data controllers are essential in modern business environment

Failing to map where data is held and how it flows in a company’s IT system is often cited as an information security weakness – and a key reason for a company falling foul of a compliance test.

Consider these questions: 

• Do you know what data your company holds, its value and its type (public/internal)?
• Do you know who in your company owns or has control over each set of data?
• Is the data transient or persistent and if persistent do you know the lifetime of that data?
• Do you know why the company holds the data and what it does with the data?
• Is the data necessary?
• Do you know where all the data (by type) is stored or will be stored?
• Do you know what processes each data type will be subject to?
• Do you know who or what process can see or change the data and are they authorised to do so?

The answers to these questions form an important input to understanding the data flows in a company, which in turn informs the information security planning. The goal being systems that are secure by design with an information security management system (ISMS) that will keep the data safe, free from tampering and free from unauthorised access.

In turn, these are key ingredients to meeting compliance requirements be they contractual, legal or regulatory. The General Data Protection Regulation (GDPR) is an exemplar of where poor information security will directly lead to a state of non-compliance. 

A key part of information security is controlling who or what can access data and for what purpose. A data owner or controller should decide who or what has access to a specific set of data and what can be done with the data (read only, read and update, process) and modern operating systems and file storage applications have such granularity by design.

Sadly, a general poor understanding of security by both the business and management of a company has meant in the past that information security has been thrown over the fence to IT. While IT can design and configure systems to be secure, they should not be put in a position to specify what security is required.

Where this happens, it often leads to a flat file system with everyone having access to everything. This is a recipe to fail a “secure by design” compliance requirement (GDPR) and a recipe for disaster should ransomware get into the company.

 It is within the business that data owners or data controllers should be formerly identified by role, and in that role, identify to IT who or what process can create/import or export/modify/read a set of data and what the data set’s lifetime is.

Companies should also create an information security role and for the larger company’s and public bodies a data protection officer (DPO) role will also need to be created to comply with GDPR.

These roles would be active with IT and the data owners or controllers in the design and maintenance of an ISMS and the ongoing management of data. These roles would also be involved with or responsible for the management of IT related compliance requirements including GDPR.

Given the rise in outsourcing of IT to the cloud, and the ability to create systems using a range of services bought in from a variety of cloud suppliers, these roles will become critical as the boundaries between systems becomes “grey” and the information security imperative of the IT supply chain becomes critical.