Compliance and security are not the same thing, but they are often related, and even when they are at odds we need to achieve both. Doing so effectively is the challenge. Starting from the fundamental idea that information security is supposed to secure information, the first step is to determine what information must be protected.
Regulations help specify some of it, but there is much more information to protect in your environment than what they require. Confidential patient data and customer financial records certainly must be protected, and not just because HIPAA or PCI DSS require it. Your organization may also have trade secrets, marketing campaigns, merger plans or other information that should be protected regardless of regulatory imperatives. A basic rule of protection is that you must know what you have and where it is before you can protect it.
It doesn't matter if you need to defend jewelry from theft or credit card numbers from loss, you have to know where they are before you can protect them. So identifying the information you must protect is a logical first step towards both security and compliance.
The information to be secured will vary by organization and change over time, and therefore will require a flexible and versatile identification method. One effective approach is to start by asking three questions about the information to be protected:
- How does the information enter the environment? Identify every point of entry for the information. Include the origins of internally created information.
- Where is the information stored and accessed internally? Not simply where it is stored but also where it is used.
- How does the information leave your organization? Map every egress point including submissions to any outside organizations.
Now for the truly informative step: connect the dots. Map all of those entry and creation points to the storage and use points and then to the egress points. You will likely discover paths and storage locations previously overlooked.
You may even need to go back and re-answer the three questions armed with your new insights. With this exercise complete you can begin to build a plan for both securing the information and meeting your compliance goals. Streamlining the information flow and reducing the number of storage points would be a valuable next step. This will reduce your exposure and simplify future security and compliance tasks.
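The three questions and the "connect the dots" step can be recorded as a small directed graph of entry, storage and egress points, which makes the overlooked paths and copies fall out mechanically. The following is an added example, not code from the original article; the inventory (system names, flows) is constructed sample data, and the four checks (undeclared nodes, orphan storage, unmapped egress, terminal copies) are this example's own names for the gaps the article says the exercise tends to reveal.

```python
"""Data-flow inventory for one class of protected information.

Entry, storage and egress points are the answers to the three questions;
FLOWS are the dots connected between them.  All names are constructed
placeholders for illustration.
"""
from collections import defaultdict

# Constructed sample inventory (e.g. cardholder data); not real systems.
ENTRY_POINTS = {"web_checkout", "call_center_forms"}
STORAGE_POINTS = {"orders_db", "crm", "analytics_export", "backup_share"}
EGRESS_POINTS = {"payment_processor", "tax_filing_vendor", "marketing_partner"}

# Each flow is (source, destination), as gathered while mapping.
FLOWS = [
    ("web_checkout", "orders_db"),
    ("call_center_forms", "crm"),
    ("orders_db", "payment_processor"),
    ("orders_db", "analytics_export"),
    ("crm", "tax_filing_vendor"),
    ("backup_share", "reporting_share"),  # destination was never declared
]


def build_graph(flows):
    """Adjacency list: source -> set of destinations."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
    return graph


def reachable_from(graph, starts):
    """Every node reachable from any of the start nodes (iterative DFS)."""
    seen, stack = set(), list(starts)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def undeclared_nodes(flows, entry, storage, egress):
    """Nodes that appear in a flow but in none of the three answers:
    a location that was discovered only by connecting the dots."""
    declared = entry | storage | egress
    return {node for flow in flows for node in flow if node not in declared}


def orphan_storage(flows, entry, storage):
    """Storage holding the data with no known path from any entry point:
    either an entry point was missed or the copy should not exist."""
    return storage - reachable_from(build_graph(flows), entry)


def unmapped_egress(flows, egress):
    """Egress points with no inbound flow: data leaves, but from where?"""
    fed = {dst for _, dst in flows}
    return egress - fed


def terminal_copies(flows, entry, storage):
    """Storage reached from an entry point that feeds nothing further:
    a candidate for consolidation when streamlining the flow."""
    graph = build_graph(flows)
    live = storage & reachable_from(graph, entry)
    return {node for node in live if not graph.get(node)}


def enumerate_paths(flows, entry, egress):
    """All simple paths from an entry point to an egress point."""
    graph = build_graph(flows)
    paths = []

    def walk(node, trail):
        if node in egress:
            paths.append(trail)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in trail:  # avoid cycles
                walk(nxt, trail + [nxt])

    for start in sorted(entry):
        walk(start, [start])
    return paths


if __name__ == "__main__":
    print("undeclared:", undeclared_nodes(FLOWS, ENTRY_POINTS, STORAGE_POINTS, EGRESS_POINTS))
    print("orphan storage:", orphan_storage(FLOWS, ENTRY_POINTS, STORAGE_POINTS))
    print("unmapped egress:", unmapped_egress(FLOWS, EGRESS_POINTS))
    print("terminal copies:", terminal_copies(FLOWS, ENTRY_POINTS, STORAGE_POINTS))
    for path in enumerate_paths(FLOWS, ENTRY_POINTS, EGRESS_POINTS):
        print("path:", " -> ".join(path))
```

Each finding maps back to one of the questions: an undeclared node or orphan storage sends you back to questions one and two, an unmapped egress to question three, and a terminal copy is the kind of storage point the streamlining step would try to eliminate.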
With this foundation you should be better prepared for your next steps towards both security and compliance.