How to protect your data through its lifecycle – part two
In part one of ‘How to protect your data through its lifecycle’, we discussed how digital transformation is taking hold and the dangers that storing data holds for organisations. If you missed it, it’s available for you to read here.
In part two, we discuss why and how your organisation should implement a data lifecycle strategy.
Lifecycle data management – from cradle to grave
To effectively mitigate the risk of data exposure and avoid the costs of storing and handling unnecessary information, an organisation should implement an end-to-end process for managing its information from creation to disposal. Data lifecycle management comprises of a strategy, process, and technology to effectively manage information, improving the control over an organisation’s critical data.
A lifecycle management programme can bring significant benefits to an organisation through the simplification and consolidation of IT resources and systems.
Specific benefits include:
Reduced risk: Reducing the storage of unnecessary or expired information and making your data easier to manage. Reducing the volume of unneeded information will lessen the risk of a data breach. Knowing where specific data is stored will reduce the chance of missing critical information when searching.
Cost savings: Storing data costs money. The more data you have, the more it costs to store. Legal and eDiscovery costs can also be reduced with better management of information.
Improved service: Data management can become less of a drain on IT and legal resources, allowing them to focus more on business-critical/customer-focused tasks.
The data lifecycle includes six phases:
Create – Data creation occurs throughout organisations. Most data is created by business functions such as finance, marketing, sales, and human resources rather than the IT department whose typically responsible for managing the data once it's been created. It can take place on-premise either in your data centre or on employees' devices or externally in the cloud. Protecting your data during this phase will include access controls such as passwords, threat scanning for antivirus, and data classification that will specify the data type, its location, how it should be protected, and who has access to it.
Store – Once data has been created, it is typically stored on a computer hard drive or in a data centre. Certain types of transaction or analytics data might be generated in transit or in memory but not permanently stored to disk. Storage also involves near-term backups that must also remain protected. Once data is stored, responsibility for its management typically falls to the IT or security team.
Storage protections include access control around who can read and overwrite the data, device control such as data encryption, backups to protect the data from loss, plus security measures to protect the backups themselves.
Use – During the 'use' phase, data is accessed, viewed or processed. Protecting data during this phase will usually fall equally between the lines of business and the IT department.
Protections during data usage include access control, encryption, data rights management for copyrighted information and data loss prevention, which involves software and business rules to prevent unauthorised access to sensitive information.
Share – Data is often shared amongst internal employees and to corporate partners outside of the organisation. Data sharing can occur through the network, via removable media, or across the internet via transfer sites or email. When data is shared, it is subject to new risks.
Data sharing safeguards involve access control, encryption, network security (firewalls/intrusion detection) and data loss prevention. When organisations are dealing with third-party vendors, they should have clear measures in place for data removal and verification after services have ceased.
Archive – For short-term data protection, all data must be backed up regularly, either onsite or offsite. When an organisation needs to retain data for the long term, it can be archived to tape or disk media and placed in remote, secure locations.
An organisation's operations team would usually take responsibility for archiving as opposed to IT or the lines of business. Protecting archived data include access control and encryption.
Destroy – When an organisation's data reaches the end of its life, it must be permanently erased. Determining which data is erased, how it's erased and how that erasure is verified depends on several factors, such as content type, usage needs and regulatory requirements.
When it's considered at all, the "Destroy" phase is most often addressed by the operations team. But when managed properly, end-of-life data destruction is truly the responsibility of all stakeholders, from IT to the lines of business.
Lifecycle management in your organisation
The management of data across its lifecycle is not a consideration for many organisations. But without a data lifecycle strategy in place, an organisation is leaving itself exposed to serious security risks and costs.
Lifecycle management shouldn't be the responsibility of just one department; there needs to be a collaborative approach that involves all the stakeholders of the business.
Organisation's that rely heavily on data for their success should consider establishing a Chief Data Officer (CDO) whose main role is to ensure the prioritisation of data protection. Once a CDO is in place, you then need an information governance team that involves the lines of business, legal, IT and operations team.
Each department has its own role to play in the data lifecycle. The lines of business heavily depend on data, but they should not just assume that someone else is managing it. They should work closely with legal and IT to ensure they're in compliance with regulations and that they have the right policies, tools and processes in place to protect critical information. IT departments must work with the lines of business to ensure they fully understand the requirements and challenges of protecting data at every stage. And legal must ensure that every employee understands the potential risks that not complying can have on the organisation.
In the end, the policies and procedures that govern the management of the data lifecycle may reside in the IT department, but an organisation must remember that all stakeholders must be actively involved to ensure that all data is protected from the moment it is created until its end-of-life.
Today, the cost of ineffectively safeguarding data comes with ‘too high a price.’ Data breaches, damaged reputation, lost customers, downtime, and large fines are all potential risks for an organisation that doesn't effectively manage its data's lifecycle. Those organisations that take the time to invest the necessary efforts and resources in data lifecycle management can minimise the risks and costs of their business-critical data at all stages.
Do you want to know more about how to protect your data throughout its lifecycle? Our latest report delves into the six stages of the data lifecycle and why it's so important to ensure you have an up-to-date strategy that protects data at each stage.
Download it here.