What is Data Lifecycle Management?

The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges. Data lifecycle management (DLM) is a policy and procedure based approach to manage information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle The 5 Steps
  1. Creation – How does data creation get managed?
  2. Usage – What limitations are on data usage?
  3. Storage – What controls are in place for storage?
  4. Transportation – How is data transmitted between company, customers and business partners?
  5. Destruction – What is the validation and verification process over data destruction?
The Data Management Problem
  • Weak processes in place to track creation usage, transportation, storage and destruction
  • Weak ability to monitor and manage a customer record throughout the lifecycle
  • Inconsistent processes across each phase of data movement
  • Lack of enforcement capabilities
What should be the goal of data lifecycle management?
  • Provide practical steps to manage each step of the customer record management process
  • Provide cost effective solution for risk mitigation
  • Provide framework for data management
  • Reduce risk of data loss
Challenges to Customer Data Records Management
  • Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
  • Organizations rely on technology to secure data not processes that drive technology purchases
  • The 5 steps of data management are not followed by all functional groups in a company
  • No clear ownership and classification of customer data elements
Did you know…
  • 1 in 400 emails contains confidential information
  • 1 in 50 network files contains confidential data
  • 4 out of 5 companies have lost confidential data when a laptop was lost
  • 1 in 2 USB drives contains confidential information
  • Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
  • Over 35 states have enacted security breach notification laws
  • Can openers were invented 48 years after cans
Reblog this post [with Zemanta]
Adobe Systems Incorporated
Image via Wikipedia
Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday. Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.”  The biggest companies are culprits. So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!”  Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector! As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:
  1. Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
  2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
  3. Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.
Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity Address: 200 Se 1st St #601 Miami FL 33131  *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security  *FREE Website Security Test  Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity Managed Firewall Managed Vulnerability Scanning
Reblog this post [with Zemanta]