Archive for May, 2010

Corporate Reputation Management: Can a company require you to register your Social Media Profile with Human Resources?


When you join a company, you relinquish certain rights. The workplace is not a democracy. Yet many people still think that their corporate email, their corporate computers and the data they use are “theirs”. Who owns that data? The company does. Companies are concerned with data loss prevention. A company can fire you for misusing company data; that is obvious. A company can also fire you for portraying a poor image: drunkenness, poor behaviour, saying negative or derogatory things about your boss or company, public displays of nudity, and so on. I could go on about why you can be fired.

One example is a young woman who was fired from her job because she thought her job was boring and said so on her Facebook page. Her employer, Ivell Marketing and Logistics of Clacton, U.K., gave her this update: “Following your comments made on Facebook about your job and the company we feel it is better that, as you are not happy and do not enjoy your work we end your employment with Ivell Marketing & Logistics with immediate effect”, as stated in this CNET article: http://news.cnet.com/8301-17852_3-10172931-71.html

So the question is: can a company fire you for your out-of-office activities, and should it have the right to monitor them? Should an employee be required to register all their social media profiles with their employer so that the reputation of the company can be monitored? It would obviously make it easier to know if an employee is damaging the reputation of the company.

The biggest challenge Social Media poses for a company is damage to reputation. A silly yet powerful example of Social Media affecting a company’s reputation is United Airlines breaking a musician’s guitar and refusing to pay for it. The musician, Dave Carroll, had a YouTube hit with his song about the airline’s poor response to him (http://www.boston.com/travel/blog/2009/07/song_over_guita.html). This viral video caused reputation damage. It is a bit different from an employee posting something, but it has the same end result: reputation damage.

So when you start a new job you have to take a drug test and get a background check, so why not register all your social media profiles too? What are the pros and cons? Is it too much “Big Brother”, or is it becoming a relevant reality of doing business in the Social Media age?

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test


What is Data Lifecycle Management?

The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. This multi-part blog series (I am not sure how many parts it will take) will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy- and procedure-based approach to managing information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle.

The 5 Steps

  1. Creation – How does data creation get managed?
  2. Usage – What limitations are on data usage?
  3. Storage – What controls are in place for storage?
  4. Transportation – How is data transmitted between company, customers and business partners?
  5. Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

  • Weak processes in place to track creation, usage, transportation, storage and destruction
  • Weak ability to monitor and manage a customer record throughout the lifecycle
  • Inconsistent processes across each phase of data movement
  • Lack of enforcement capabilities

What should be the goal of data lifecycle management?

  • Provide practical steps to manage each step of the customer record management process
  • Provide a cost-effective solution for risk mitigation
  • Provide a framework for data management
  • Reduce the risk of data loss

Challenges to Customer Data Records Management

  • Rarely does a company have a centralized process to track controls over data, over the management processes around data, over logging and monitoring, and over removal
  • Organizations rely on technology to secure data rather than on processes that drive technology purchases
  • The 5 steps of data management are not followed by all functional groups in a company
  • No clear ownership and classification of customer data elements

Did you know…

  • 1 in 400 emails contains confidential information
  • 1 in 50 network files contains confidential data
  • 4 out of 5 companies have lost confidential data when a laptop was lost
  • 1 in 2 USB drives contains confidential information
  • Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
  • Over 35 states have enacted security breach notification laws
  • Can openers were invented 48 years after the can

Why does traditional security not work for DLM?

Users have risky behavior. They will always have risky behavior, and we rely mostly on technology controls to keep them in a secure box. Solutions are aimed at the external threats coming in, not at the regulation and governance of internal communications going out. Problems we see are typically:

  • Unauthorized application use: 70% of IT say the use of unauthorized programs results in as many as half of data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
  • Remote worker security: 46% of employees transfer files between work and personal computers.
  • Misuse of passwords: 18% of employees share passwords with co-workers.

The reasons typical technology controls will not work in the full DLM process are:

  • Products are not geared to protect the full life cycle of a customer record
  • Most solutions and processes are outward facing, based on perimeter security
  • Encryption can affect data management
  • Real-time intrusion detection and remediation is rare
  • Context and intent of messages are not analyzed properly
  • Functional areas in organizations create different policies, monitoring requirements, enforcement priorities and reporting
  • New technologies can avoid security measures
  • Technologies look at the network, the operating system or the application, not at the data across all environments
  • Controls are not mapped properly to regulations

What risks does customer data loss pose for organizations?

If we know that security is not working, what are the risks we face? A very recent example of how this can have a practical effect is the Massachusetts Privacy Law 201 CMR 17.00. Loss of data can have a great financial impact under this law. Key things we need to consider include:

  • Penalties: Not complying with regulations can cause civil and financial penalties
  • Confidence: Loss of customer confidence because of a customer data breach can lose customers
  • Reputation: Damage to reputation will lose customers and damage relationships
  • Competitive Advantage: Information and customers can move to competitors
  • Costs: Ponemon Institute’s 2008 annual study puts the average cost at $6.6 million per breach.
  • Valuation: Decreased stock prices could result

Data Lifecycle Management: How to reduce risk, Part 2

The Data Lifecycle Management (DLM) process goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. This multi-part blog series (I am not sure how many parts it will take) will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

In the first part of this series, we covered what it means to say you have or want a data lifecycle management process. So why do we need something different from what we are already doing around DLM?

I will continue this process in the next post…

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131
