Data Lifecycle Analysis

Challenge

As organizations struggle to manage the unbridled data explosion created both internally and externally by partners, suppliers, and customers, they are continually trying to improve business processes that use and create company data. However, managing the flow of an information system's data throughout its lifecycle - from creation and initial storage to the time it becomes obsolete and is deleted - is a monumental task for even the largest IT organizations. In addition, meeting regulatory and compliance requirements for domestic and international data protection and privacy rules, HIPAA, Sarbanes-Oxley, Basel II, etc., is placing additional pressure on organizations to secure, delete, or archive data.

Solution

FishNet Security's Data Lifecycle Analysis offering combines automated and manual discovery processes that identify the flow of data throughout its entire lifecycle. Through interviews, team discussion, and discovery scanning processes, FishNet Security catalogs how data flows through the environment, where it is stored, and how it is protected. Our consultants help gather information about data as it relates to specific applications or business processes. Upon completion of this phase, our consultants deliver a series of diagrams and matrices that create a baseline of systems related to your specific data types and business processes.

Benefits

  • Identifies broken or rogue business processes
  • Provides documented evidence that your data meets security best practices throughout its entire lifecycle
  • Identifies security issues before cyber criminals can take advantage of them
  • Ensures the integrity and security of your information assets
  • Increases user confidence that sensitive, business-critical data is protected throughout its lifecycle

FishNet Security's Data Lifecycle Analysis services can be tailored to meet your security and budget requirements. Services include:

  • Establishing project scope and expectations
  • Identifying, analyzing, and mapping business processes and applications
  • Identifying and documenting data management and security controls
  • Data discovery, analysis, and validation
  • Creating information lifecycle diagrams
  • Creating reports and other deliverables

A financial fraud monitoring company engaged FishNet Security to discover and map the data flows related to the company's customer-facing systems and applications. The primary objectives of the project were to:

  • Identify what data types each customer application uses and how the data is created or collected, where it lives, and how it is protected and destroyed during its lifecycle
  • Identify which systems store, process, or transmit data for each customer-facing application
  • Discover previously unknown storage repositories and incidents of network-based data leakage involving customer data

Through a series of interviews with the data and business process owners, IT staff, and business analysts, FishNet Security mapped out all data flows related to each customer-facing application. Previously undocumented or "one-off" data flows were noted during the interviews, as were areas of lax security control and policy violations.

FishNet Security used data loss prevention (DLP) scanning and monitoring tools to scan the company's storage repositories and monitor network activity, thereby discovering:

  • Customer data and related employee-access controls
  • Potential leakage

This project resulted in a number of data lifecycle diagrams and supporting worksheets that outlined various details surrounding the customer-facing applications, including:

  • Network protocols used to transmit data
  • Encryption controls for stored and transmitted data
  • Data retention and backup processes
  • System-to-system authentication methods
  • Data not protected according to its assigned classification level
  • Weak or inadequate security controls

The data lifecycle diagrams and worksheets were then combined with the discovery and network monitoring results to give the financial fraud monitoring company a complete picture of its customer data storage and transmission environment.