How Data Discovery Tools Can Help Zero-in on Data Non-Compliance
In many organizations, traditional methods of data storage have been ad-hoc with data security procedures not being given due consideration. For instance, let’s take the example of banks and the payment card industry. During the process of enrollment, customers are often asked to fill out their data in a physical form. The information in these forms is then manually entered into the system often in an unencrypted format. In many cases, the forms are scanned physically and stored in the system. There are no specific guidelines on how scanned data is to be stored in the system or emailed within the organization, such that it is not vulnerable.
A large majority of data breaches occur due to inadvertent storage of sensitive data. Generally speaking, the term sensitive data relates to any information whose unintended disclosure, modification, or loss could result in significant financial, legal, or reputational impacts to an organization or an individual. This includes data such as Social Security Numbers (SSNs), credit/debit card numbers, Personally Identifiable information (PII), Passwords, Biometric Data, Medical Records (PHI), State identification card numbers, Trade secrets and digital signature, etc.
Keeping sensitive information secure from theft and vulnerability in today’s digital world is not as easy as putting a lock on the file cabinet – especially with the widespread adoption of cloud computing. Even if you take every precaution with your online accounts and identifying information, there are many ways that information can land in another individual or company’s data management systems, where it can then somehow be made vulnerable to data theft or data leakage.
At SISA we have scanned thousands of computers/servers/storage devices/emails/databases etc. and identified sensitive data in audio files, images, screenshots, scanned copies, log files, temp files, recycle bin, excel sheets, notepad, xml files, webpages, compressed/ zipped files and many other files.
Let’s say your company has designed an application such that it does not capture sensitive data. But someone may accidentally run the application in debug mode, so it captures sensitive data. There could be even more simple instances like an employee emailing sensitive information to a colleague innocently during the course of work. As per Shred-it’s 2018 State of the Industry Report, 84% of C-suite executives and 51% of Small Business Owners in the US who participated in the survey said that employee negligence is one of their biggest information security risks. Also, this threat is further magnified when employees work remotely.
During the process of scanning voice data for organizations such as BPOs, banks and insurance companies, we’ve often found a lot of sensitive data imbibed in the recorded voice conversations. Similarly, on several instances, we have found sensitive data in image format such as .jpg .gif .png .bmp and many other extensions. Companies can easily avoid such data breaches by actively observing their practices and incorporating data discovery programs.
When an organization tries to become compliant, however, there are very strict guidelines that require that there should be no redundant or unauthorized data stored in the system. Uncovering this non-compliant data is very tough. Often, this is hidden away in obscure systems or buried under layers of folders.
Companies sometimes try to use manual searches to track down this data. However, given the huge volumes of data that every organization possesses, it is physically impossible to dig through all the data in an effort to find non-compliant data. Therefore, manual testing can only be done on a sample basis, which severely impacts its effectiveness and accuracy. Therefore, in most cases, manual methods to ensure compliance are simply not sufficient.
The other approach that organizations take in order to save costs is to use free open source tools for payment data discovery. While these perform the task better than manual methods, there are inherent risks associated with using software downloaded from the Internet. It can bring in malware etc. which can severely compromise company data.
For companies involved in issuing or processing payment data, non-compliance can have dire consequences. Not only are they liable for heavy penalties, any data breach can severely impact organizational reputation. For public companies, a data breach can drastically bring down share prices and consequently hurt revenue and profits.
Therefore, the best approach is to use a trusted data discovery tool such as the SISA Tipper tool to ensure compliance. Here are some things to look for in a card data discovery tool:
Multiple formats and Sources
The tool must be flexible enough to identify data across different formats. SISA Tipper, which is built on a Machine Learning algorithm, can scan data across multiple file formats including audio, excel, zip files, text documents, pdf files, images etc. For example, it can read a scanned document that has been uploaded. Users should also have the freedom to define their own search criteria.
Also, the tool must be in a position to scan through multiple environments such as Windows servers, MySQL databases, IBM Aix servers, Oracle databases and serves, Solaris servers, Linux systems (Ubuntu, CentOS) etc.
The tool should not only be able to identify non-compliant data, but it should also be able to mask, truncate or delete unencrypted payment card data stored in network systems, hard drives, databases, emails. Besides, the capability to generate reports to meet PCI DSS compliance is important.
1. Know Your Files
When you are dealing with a file, it is important to know if it contains sensitive data. Some tips to help with this include:
- Keep a track of the type of sensitive data is stored in your environment
- Identify servers or storage devices that usually contain these types of files.
2. Evaluate Your Retention Needs
When you have finished using/reviewing a file that contains sensitive data, it is important to consider if the file needs to be retained.
- Is there a business need served by retaining the file?
- Are there contractual or legal or compliance requirement for retaining the information?
3. ERASE sensitive Data That Is No Longer Needed
If you have files that contain sensitive data and do not have to be retained, then it is best to delete them. When it comes to sensitive data, always remember that less is more! Especially get rid of all unencrypted data in your organization.
4. PROTECT sensitive Data That Must Be Preserved
If sensitive data needs to be retained, then it should be protected. Some simple steps that you can take to help improve the security of sensitive data include:
- Encrypt all the data that needs to be stored.
- Give access based on only need to know basis.
- Do not store sensitive data on removable media.
- Perform a quarterly or monthly scan for sensitive data.
Data discovery is not a one-time activity. Scheduling scans at regular intervals is important in order to ensure compliance at all times.
SISA’s Data Discovery Tool – SISA Tipper, is a proven tool to discover high value / sensitive data in your IT infrastructure. With just click of few buttons, you can scan your environment to detect, mask, truncate and delete any unencrypted data.
For a large organization with lots of IPs, SISA tipper allows you to install agents and run multiple scans simultaneously to save time without comprising on the quality of the scan. In addition, if you are a small or medium sized company, you scan without any agents or even perform a remote scan for sensitive data.
Moreover, SISA Tipper allows you to scan any type of sensitive data in a single interface, making it a one-stop solution for all your data discovery needs. Having a data discovery program and observing few basic habits goes a long way toward preventing accidental data exposure and data breaches.
If you’d like to see how SISA Tipper helps ensure superior data discovery to ensure compliance, sign up for a free trial at: https://pcicardfinder.sisainfosec.com/