Here are questions you should be able to answer to ensure that you have proper controls over the data and systems within your corporate environment. How many can you easily answer?
- What Do I Have?
Sounds simple, right? But do you really know what you have? How many file shares, Public Folders, SharePoint sites, etc.? How many servers, endpoints, and BYODs are accessing systems? What applications do you own? It is not so simple: there are many variables and possibilities, and no single solution can give you the answer. You need to pull information from disparate sources to reach the proper conclusion.
- Who Owns the Resource?
For all of your resources, can you identify who should be responsible for making decisions about that resource? Do you have a list of data owners, application owners, systems and infrastructure owners? A proper, full-scale inventory is critical to answering these questions, but it is not a simple task.
- Who Has Access to the Resource?
Can you say with confidence that your resources are accessible only by those who need access? If you know who has access, you can go to the resource owner and find out whether each of those people should have it.
- Who Has the Keys to the Kingdom?
Have you designed and implemented sufficient controls over who has administrative / privileged access to systems and data? Managing who can make the most impact on your organization through increased authority is imperative in maintaining control of your environment.
- What is Business As Usual?
Can you tell what should be going on in your environment, and can you identify anomalous behavior when it takes place? Once it is identified, do you have policies and procedures in place to confirm that what is going on should be going on and, if not, what has to be done to stop the behavior?
OK, that seems to have been a lot more than 5 questions, but it shows that proper governance of data and systems is not easy. There are a lot of variables: information comes from a number of sources, that data needs to be correlated, and processes need to be in place to maintain it. Most companies recognize they have this problem but do not know where to start. In this day of ever-increasing threats from external hackers, internal threats (malicious and inadvertent) and data loss, it is imperative that companies have policies and procedures in place to mitigate risks as best they can.