Privacy and Data Protection


Data Mapping: A Necessary Risk Management Tool for Simplifying Data Compliance

Overview: As data breaches continue to threaten the safety of information and corporate infrastructure, risk assessment for data is no longer a nice-to-have—it is a must-have. Data mapping, the process of electronically identifying and organizing data, can minimize the impact of a data breach by giving organizations a clear understanding of the location, format and security level of their important data.

In early July of 2015, the U.S. Office of Personnel Management (OPM) was faced with a catastrophic data breach. The OPM reported that files of more than four million former and current federal employees had been hacked. According to the formal report, this meant that “information such as full name, birth date, home address, and Social Security numbers” was out on the open market.

During the scramble to mitigate the damage of this breach, the OPM launched a full investigation into the security of the department’s data. They found an additional cache of hacked data in a repository not previously considered in the OPM’s initial impact assessment. This new repository contained a huge number of Social Security Numbers (SSNs), spouse names, and even fingerprint records—bringing the number of affected individuals to more than 21.5 million in a matter of hours.[2]

This revelation added fuel to the media debacle because the OPM had seemed to initially “understate” the breach impact. This was not a piece of valuable information that the OPM simply chose to ignore; they simply didn’t know about it at the time. The OPM’s breach event supports the Inspector General’s warning in 2014: put a simple security measure in place—a data map. Without an inventory of its servers, databases, and hardware, the OPM had no accounting for the thousands of pieces of information being exchanged and infiltrated every day.[3] A data map could have saved them millions of dollars in data investigation and remunerative fees, not to mention the security “black eye,” which they could have lessened or avoided altogether.

Unfortunately, too many of these breaches have shown how little even very large-scale organizations seem to know about their data. Without a clear understanding of the total data picture, any organization is more vulnerable to unsuspected and devastating attacks that can affect its reputation and financial stability.
