Data is the driving force behind the Fourth Industrial Revolution and the lifeblood of modern digital economies. It fuels innovation, strengthens enterprises and shapes society, and its significance continues to grow. The global datasphere is expected to increase from 45 zettabytes (ZB) in 2019 to 175 ZB by 2025, according to the International Data Corporation (IDC).1
To store so much data, IDC forecasts that more than 22 ZB of storage capacity must ship across all media types between 2018 and 2025, with approximately 59 percent of that capacity supplied by hard disk drives.2 Figure 1 illustrates the growth of big data by technology category.3
Data privacy, security, risk management, and operations are complex aspects of the global data ecosystem, and enterprises should address them with solutions based on research and best practices.
Data Privacy and Security
Data privacy refers to the appropriate use and processing of personal data in a way that gives individuals control over it; in short, it gives people the power to decide who can access and use their personal information.
It can be challenging to stay on top of the terminology, regulations and legislation surrounding data privacy, especially as new laws arrive that require organizations to handle user data ethically, but doing so is essential.
Cross-Border Data Transfer
In today's interconnected world, cross-border data transfer is vital because it enables enterprises to work efficiently and transparently across national borders; however, it also presents significant privacy and security challenges. Enterprises must walk a fine line between enabling data exchange and protecting data confidentiality. Best practices to help enterprises navigate this difficult terrain include:
- Data encryption–Encryption is the foundation of secure data transfer. Data should be encrypted end to end so that it is protected while in transit: like a sealed envelope, an intercepted message reveals nothing to anyone who does not hold the key. In practice this means running transport layer security (TLS) for web and API traffic, placing remote connections inside a virtual private network (VPN) where the network path itself is untrusted, and encrypting the data at rest at its destination with keys that stay under the exporting enterprise's control. Note that TLS protects data only between the two endpoints of a connection; any intermediary that terminates TLS (a load balancer, proxy or content delivery network) sees plaintext and must be treated as part of the trust boundary.
- Data residency mapping–Different jurisdictions impose different data residency and breach notification laws, and all of them must be identified and respected. Think of a world map with pushpins marking where each data set must be stored and which regulator must be told when something goes wrong. Failing to follow these laws brings legal consequences and reputational damage. Uber's 2016 breach, in which the personal information of 57 million users was compromised, is a cautionary example. The breach itself was not a residency failure; Uber's response was a disclosure failure. Instead of promptly notifying affected users and regulators, Uber paid the attackers US$100,000 and kept the incident quiet for about a year, which triggered investigations and fines in multiple countries once it came to light.4 The lesson for residency mapping is that knowing where data lives also means knowing whose notification rules apply to it; noncompliance leads to legal repercussions and erodes public trust.
- Standardized protocols–Enterprises should use standard, publicly reviewed protocols for data transfer rather than bespoke ones. Hypertext Transfer Protocol Secure (HTTPS), which is HTTP carried over TLS, is the obvious example for web traffic. Think of these protocols as a common language: just as speakers from different cultures agree on a shared tongue, standardized protocols let information pass securely across national boundaries with no ambiguity about how it is protected. Large technology companies such as Google, Facebook and Microsoft illustrate the approach: by making HTTPS the default connection for their services, they ensure that data exchanged with users anywhere in the world is encrypted in transit, and encryption-by-default initiatives of this kind both bolster cybersecurity and keep information flowing across borders.5 A standard protocol also brings practical benefits: its cryptography has been scrutinized in public, off-the-shelf clients and servers interoperate, and a counterpart in another country can check the configuration against published guidance rather than a vendor's assurances.
- Data minimization–When it comes to cross-border data transfers, less is often more. Instead of transmitting an entire data set, which widens the exposure from any breach or mishandling, transmit only the fields pertinent to the specific purpose: define per purpose which fields may leave, drop free text and direct identifiers the recipient does not need, and where an identifier is required to join records, send a token or pseudonym instead of the raw value. Like packing light for a journey, which lightens the load and limits what can be lost, reducing the amount of data transferred improves security and makes regulatory compliance easier.
By including these best practices in a cross-border data transfer plan, enterprises can tap into the benefits associated with globalization while protecting confidential data and safely sending data across borders.
Data Localization
Data localization laws, designed to safeguard national interests and bolster data security, require enterprises to store data within specific geographic regions.
Complying with data localization regulations requires careful consideration and adoption of best practices such as:
- Compliance assessment–Regular compliance assessments help enterprises navigate the labyrinth of data localization legislation. Enterprises should maintain an inventory of which laws apply in each region where they operate and which data sets each law covers, and revisit it whenever they enter a new market, adopt a new cloud region or learn of a change in the law. The EU General Data Protection Regulation (GDPR) is the usual starting point, but cloud deployments in particular need a per-region check of where data is stored, where it is backed up and replicated, and who can reach it from elsewhere. Proactive assessments ensure legal adherence and build trust with the users who rely on the enterprise to handle their data in accordance with prevailing regulations.
- Hybrid cloud solutions–A hybrid architecture keeps regulated data in on-premises systems or in an in-country cloud region while the rest of the workload runs in the provider's global infrastructure. The enterprise retains local control of the data that the law says must stay put and still benefits from the provider's scale and security operations everywhere else. It is similar to keeping the family jewels in a vault at home while renting storage space down the street for everything else. Verify that backups, replicas, logs and support access also stay in-region; a database that is hosted locally but replicated abroad is not localized.
- Data encryption and tokenization–Local encryption combined with tokenization adds layers of protection. Encryption renders data unreadable without the key. Tokenization replaces a sensitive value (an account number, an e-mail address) with a random surrogate token that has no mathematical relationship to the original, with the mapping held in a token vault. Both the vault and the encryption keys can remain inside the jurisdiction while tokens and ciphertext travel, so data that crosses a border carries nothing a recipient or interceptor could reverse. Encryption can be compared to a lock, and tokenization to a cloakroom ticket: the ticket is useless to anyone who cannot present it at the cloakroom that issued it.
- Data life cycle management–Data has a life cycle and should be managed from cradle to grave wherever it is stored, on or off premises. Enterprises must retain authority over data from creation and use through archival to destruction, which in practice means written retention periods for each class of data, automated archival and deletion that enforce them, and an inventory of every copy, including backups and replicas in other regions. Customer relationship management platforms with built-in data management and archiving tools can enforce retention policies on customer records, and multi-environment storage management products such as NetApp's Cloud Volumes ONTAP can apply consistent policies to data spread across on-premises and cloud storage. Whatever the tooling, the goal is the same: demonstrable control over, and compliance for, data from creation to disposal.
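The data minimization and tokenization practices above can be combined into one export step: strip the record down to the fields a stated purpose needs, replace direct identifiers with vault-issued tokens, and allow detokenization only from inside the vault's region. The following is an added example, not code from the article or any product it names. The record layout, the purpose allow-list and the region labels are assumptions, and the in-memory dictionary stands in for a token vault database that stays in the data's home jurisdiction.

```python
"""Minimize and tokenize a customer record before it crosses a border.

Added example, not from the original article. The record fields, the
purpose allow-list and the region labels are assumptions made for
illustration; the vault is an in-memory dict standing in for a database
that stays inside the data's home jurisdiction.
"""
import secrets
from dataclasses import dataclass, field

# Fields a downstream team in another region actually needs, per purpose.
# Everything not listed is dropped (data minimization). Assumed purpose.
PURPOSE_FIELDS = {
    "fraud_analytics": {"customer_id", "email", "country", "order_total"},
}

# Direct identifiers must never leave as raw values.
DIRECT_IDENTIFIERS = {"customer_id", "email", "phone", "national_id"}


@dataclass
class TokenVault:
    """Reversible token vault bound to one region.

    Tokens are random, so the exported token set has no mathematical
    relationship to the originals; only this vault can reverse them.
    """
    region: str
    _to_token: dict = field(default_factory=dict)
    _to_value: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so records can still be joined abroad.
        if value in self._to_token:
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(16)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str, caller_region: str) -> str:
        # Localization control: reversal is refused from outside the region.
        if caller_region != self.region:
            raise PermissionError(
                f"detokenize called from {caller_region}; vault is bound to {self.region}"
            )
        return self._to_value[token]


def export_record(record: dict, purpose: str, vault: TokenVault) -> dict:
    """Return the minimized, tokenized copy of ``record`` for export."""
    out = {}
    for name in PURPOSE_FIELDS[purpose]:
        if name not in record:
            continue
        value = str(record[name]) if name in DIRECT_IDENTIFIERS else record[name]
        out[name] = vault.tokenize(value) if name in DIRECT_IDENTIFIERS else value
    # Defence in depth: refuse the export if any raw identifier survived.
    for name in DIRECT_IDENTIFIERS & set(out):
        if not str(out[name]).startswith("tok_"):
            raise ValueError(f"raw identifier {name!r} would leave the region")
    return out


# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "phone": "+49 30 1234567",
    "national_id": "DE-123456789",
    "country": "DE",
    "order_total": 249.90,
    "free_text_notes": "called about late delivery",
}


def demo():
    """Export the sample record and show in-region vs cross-region reversal."""
    vault = TokenVault(region="EU")
    exported = export_record(SAMPLE_RECORD, "fraud_analytics", vault)
    original_email = vault.detokenize(exported["email"], caller_region="EU")
    try:
        vault.detokenize(exported["email"], caller_region="US")
        blocked = False
    except PermissionError:
        blocked = True
    return exported, original_email, blocked


if __name__ == "__main__":
    exported, original, blocked = demo()
    print(exported)
    print("reversed in-region:", original, "| cross-region reversal blocked:", blocked)
```

The exported record contains only the four allowed fields, the two identifiers among them are opaque tokens, and the phone number, national ID and free-text notes never leave. Because the same value always maps to the same token, the receiving team can still count repeat customers or join against other exports; because the vault refuses calls from outside its region, the tokens cannot be turned back into people anywhere but at home.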
Risk Management
Globalization opens a whole new world of possibilities as well as new challenges. To navigate this dynamic landscape, a comprehensive risk management approach is essential, and it should include:
- Risk assessment–Continuously review the cybersecurity risk profile of every operational area of the enterprise: identify assets and the data they hold, evaluate threats and vulnerabilities, and prioritize remediation by likelihood and impact rather than by whatever was found most recently. Treating assessment as an ongoing service rather than an annual event is the compass that guides the enterprise through a changing threat landscape and keeps IT operations sound.
- Incident response plans–Robust incident response plans set out the procedures to follow in an emergency. When developing and refining them, consider the specific pitfalls of operating globally, including:
- Legal and regulatory variations–Consider diverse legal and regulatory requirements globally.
- Communication barriers–Address language differences and time zone challenges.
- Cultural sensitivity–Account for cultural nuances in incident response and train teams for the different crisis response approaches they will encounter.
- Data privacy concerns–Align with global data protection laws.
- Supply chain dependencies–Coordinate responses with global vendors and partners.
- Infrastructure disparities–Adapt plans to varying technology environments.
- Political instability–Prepare for disruptions due to geopolitical challenges.
- Resource allocation–Adjust resources based on workforce and operational differences.
- Varying threat landscapes–Tailor plans to address regional cyberthreat variations.
- Third-party due diligence–Outside service providers, partners and the software components they supply must be vetted to ensure they meet the security standards the enterprise sets for itself. Equifax's 2017 breach, which exposed the data of 147 million individuals, was attributed to an unpatched vulnerability in a third-party software component.6 The lesson is twofold: assess the cybersecurity practices of vendors and service providers before and throughout the relationship, and keep an inventory of the third-party components in the enterprise's own systems so that a published fix can be applied before it is exploited. Proactive due diligence mitigates risk and keeps security standards consistent across the business ecosystem, which is why vetting external parties is central to protecting data integrity and reputation.
- Employee training–Employees represent the first line of defense against worldwide cyberattacks. They should be educated about cybersecurity and given a role in the risk management plan. Diverse training methods and a culture of continuous learning empower employees to take an active part in safeguarding the organization against evolving cybersecurity risk. Programs can include phishing awareness through simulated exercises, regular comprehensive training covering data protection and incident response, programs that encourage employees to become cybersecurity advocates, a continuous learning framework, and gamified training for enhanced engagement.
Following best practices for risk management enables enterprises to reap the advantages of globalization while reducing risk exposure and protecting sensitive data.
Operations
Data operations touch all phases of the data life cycle, from the time it is collected until it is safely discarded. Keeping data secure and adhering to regulations also depend on operational excellence. Best practices for effective data operations include:
- Data governance framework–Like any structure, a well-designed data governance framework needs a firm foundation that clearly defines roles and responsibilities and sets out rules for the collection, storage, and use of data. Just as an architect depends on blueprints, a data governance framework provides a plan for the proper management of data at every stage of its existence.
- Data auditing and monitoring–Auditing and monitoring tools play the role of security cameras in the data estate, providing continuous visibility of who touched what, from where and in what volume. Useful capabilities include real-time analysis of machine-generated logs, database activity monitoring that records every query against sensitive tables, auditing of file systems and e-mail systems, tracking of configuration changes across IT environments, and correlation of security events in a central platform. The point of collecting this telemetry is to detect anomalies, such as a bulk read of a customer table, access to a localized data store from outside its permitted region, or an unusual burst of queries from a single account, and to hand the incident response team the evidence it needs.
- Regular security audits–Security audits are health checks on the data environment: systematic scans designed to uncover weaknesses before an attacker does. Vulnerability management tools such as Tenable Nessus and Tenable.io, Qualys Vulnerability Management, Rapid7 InsightVM and the open-source OpenVAS can run continuous scans, prioritize findings by risk and offer remediation guidance, while rating services such as SecurityScorecard give an outside-in view of the enterprise's and its vendors' exposure. Scanning finds known, unpatched weaknesses; it does not find design flaws or logic bugs, so periodic penetration tests and configuration reviews belong in the audit program as well. Together these activities let organizations address vulnerabilities proactively and maintain a secure IT environment.
- Data privacy by design–Data privacy principles such as data minimization, consent and transparency, security measures, user control and data life cycle management should be incorporated in the design of products and systems. By taking a proactive approach, the likelihood of privacy violations can be reduced, ensuring that the security of personal data is not an afterthought but a priority.
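The monitoring practice above is easiest to see with detection logic running over audit records. The following is an added example, not code from the article or from any monitoring product it mentions: it parses a constructed JSON-lines database audit log and raises alerts for three of the anomalies named above, namely access to a localized data store from a country outside its permitted set, a single read returning more rows than a bulk threshold, and a burst of reads from one account within a sliding window. The log format, the residency policy table and the thresholds are assumptions; the log lines are constructed, not real data.

```python
"""Flag suspicious access in a constructed database audit log.

Added example, not from the original article. The log format, the
residency policy and the thresholds are assumptions made for
illustration; every log line below is constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Countries from which each data store may be accessed (assumed policy).
RESIDENCY_POLICY = {
    "customers_eu": {"DE", "FR", "NL"},
    "customers_us": {"US"},
}

BULK_ROWS = 10_000           # a single read above this looks like an export
BURST_QUERIES = 20           # more reads than this per user in the window
BURST_WINDOW_SECONDS = 300


def _line(ts, user, db, action, rows, src):
    """Build one constructed audit record in the assumed JSON-lines format."""
    return json.dumps({"ts": ts, "user": user, "db": db, "action": action,
                       "rows": rows, "src_country": src})


_BASE = datetime(2024, 3, 1, 10, 0, 0)
AUDIT_LOG = "\n".join(
    [
        _line("2024-03-01T09:02:11Z", "svc_crm", "customers_eu", "SELECT", 12, "DE"),
        _line("2024-03-01T09:03:40Z", "analyst_b", "customers_eu", "SELECT", 25000, "US"),
        _line("2024-03-01T09:04:02Z", "svc_crm", "customers_us", "UPDATE", 1, "US"),
        _line("2024-03-01T09:05:30Z", "svc_etl", "customers_eu", "SELECT", 48000, "NL"),
    ]
    # 25 small reads by one account inside two minutes: enumeration-style access.
    + [_line((_BASE + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
             "contractor_x", "customers_eu", "SELECT", 10, "FR") for i in range(25)]
)


def load_events(text: str) -> list:
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Apply the residency, bulk-read and query-burst rules; return alerts."""
    alerts = []
    windows = defaultdict(deque)   # user -> timestamps of recent reads
    burst_alerted = set()          # one burst alert per user
    for ev in events:
        user, db = ev["user"], ev["db"]
        allowed = RESIDENCY_POLICY.get(db)   # stores without a policy are not checked
        if allowed is not None and ev["src_country"] not in allowed:
            alerts.append({"rule": "residency_violation", "user": user, "db": db,
                           "detail": f"{ev['action']} from {ev['src_country']}, allowed {sorted(allowed)}"})
        if ev["action"] != "SELECT":
            continue
        if ev["rows"] > BULK_ROWS:
            alerts.append({"rule": "bulk_read", "user": user, "db": db,
                           "detail": f"{ev['rows']} rows in one query"})
        q = windows[user]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > BURST_WINDOW_SECONDS:
            q.popleft()
        if len(q) > BURST_QUERIES and user not in burst_alerted:
            burst_alerted.add(user)
            alerts.append({"rule": "query_burst", "user": user, "db": db,
                           "detail": f"{len(q)} reads within {BURST_WINDOW_SECONDS}s"})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(AUDIT_LOG)):
        print(f"[{alert['rule']}] user={alert['user']} db={alert['db']}: {alert['detail']}")
```

Run against the constructed log, the rules produce four alerts: analyst_b trips both the residency rule (reading an EU store from the US) and the bulk-read rule, svc_etl trips the bulk-read rule with a 48,000-row read, and contractor_x trips the burst rule on its 21st read within five minutes. The svc_etl alert shows the tuning problem every monitoring program faces: a legitimate batch job looks like an export, so bulk thresholds are usually paired with an allow-list of known service accounts, or at least a higher threshold for them, rather than switched off.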
Incorporating these best practices into data operations fosters a secure, compliant, and efficient environment for managing data throughout its life cycle. Much like the gears of a well-oiled machine, these practices ensure that data remains safe and serves its intended purpose while adhering to privacy and security standards.
Conclusion
In the ever-evolving global data landscape, success hinges on taking a proactive approach to data management that encompasses privacy, security, risk reduction, and operations. Enterprises stand at a crucial crossroads and must stay abreast of evolving regulations. This means that prioritizing data security and making sound technology investments are essential. Furthermore, enterprises that strive to promote a culture of cybersecurity awareness empower employees to be vigilant front-line defenders.
By adopting best practices and staying informed of new research and emerging risk, enterprises can thrive in the data-driven world. Like a skilled ship captain crossing treacherous seas, enterprises that secure their vast information networks can protect their data assets in this challenging environment.
Endnotes
1 Reinsel, D.; J. Gantz; J. Rydning; The Digitization of the World From Edge to Core, International Data Corporation, USA, November 2018, http://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf
2 Ibid.
3 Taylor, P.; “Big Data and Business Analytics Market: CAGR of Top Technology Categories 2015–2020,” Statista, 23 May 2022, http://www.statista.com/statistics/773976/worldwide-big-data-business-analytics-technology-growth/
4 Bickis, I.; “Uber Hack Raises Disclosure Concerns, Calls for Stronger Data Protection,” Canadian Underwriter, 23 November 2017, http://www.canadianunderwriter.ca/technology/uber-hack-raises-disclosure-concerns-calls-stronger-data-protection-1004124247/
5 Bankston, K.; R. Schulman; L. Woolery; “Case Study #1: Using Transit Encryption by Default,” New America, http://www.newamerica.org/in-depth/getting-internet-companies-do-right-thing/case-study-1-using-transit-encryption-default/
6 Fruhlinger, J.; “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?,” CSO, 12 February 2020, http://www.csoonline.com/article/567833/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
MATHURA PRASAD | CISSP, OSCP, ITIL V3
Is a seasoned professional in governance, risk, and compliance processes, specializing in application security, penetration testing, and coding. His journey in the realm of cybersecurity has been marked by a relentless pursuit of innovation with a focus on leveraging artificial intelligence to elevate day-to-day work.