By: Mike Detrow, CISSP, Senior Consultant and Manager of IT
Maybe your data went to a football game on an employee’s smart phone. Or, perhaps your data met some international friends at an offsite backup location used by one of your service providers. In either case, if you do not know how your data moves and where your data is stored, you cannot protect it.
During our IT Audit engagements, it is not uncommon to see bank employees storing or transferring non-public information (NPI) using services such as Google Drive or Dropbox. This creates a very dangerous situation if one of these services suffers a data breach or the data is synchronized to personal devices infected with malware. In most of these cases, senior management does not understand how employees are handling NPI.
The importance of understanding and controlling NPI data flow and data storage is emphasized in the newly released version of the FFIEC’s Information Technology Management Handbook, as well as in the declarative statements to meet the Baseline maturity level within the Cybersecurity Assessment Tool. This article will discuss a process that can be used to document the data flow and data storage locations used within your institution and those used by your third-party service providers.
The table shown above will be used to illustrate the way that an institution can document data flow and data storage. You will first identify each Service or Application that uses NPI. Some examples of these services and applications include: core processing, lending platform, internet banking, and online loan applications. Next, you will identify the Vendor(s) associated with each service or application. The Process Type is used to identify the various processes that are performed using the specific service or application that may use different methods for accessing the data or result in data being transmitted through different connectivity types. An example of different process types can be illustrated with internet banking where data may flow between the core processing system and the internet banking system through a dedicated circuit, but customers access the internet banking system through a home internet connection. The Type of Data will most often be customer NPI, but may also include proprietary institution data. Data can be accessed in numerous ways including: institution workstations, institution servers, employee mobile devices, customer PCs, and customer mobile devices. The Connectivity Type may include: dedicated circuits, virtual private networks (VPN), local area networks (LAN), wide area networks (WAN), wireless networks, or the internet. Controls in Transit may include: encryption, firewall rules, patch management, and intrusion prevention systems (IPS). The Primary Storage Location(s) should include known locations where the data is stored such as: application or database servers, data backup devices, service provider datacenters, and service provider backup locations. The Optional Storage Location(s) should consider other places where data can be stored such as: removable media, an employee’s workstation, mobile devices, Dropbox, and Google Drive. Identifying the Optional Storage Location(s) may take a significant amount of time, as this step will involve discussions with application administrators to understand the options for exporting data and discussions with employees to understand their processes for transferring and storing data. A review of this information may lead to the implementation of additional controls to block the use of unapproved sharing and storage services.
Controls at Rest may include: encryption, physical security, and environmental controls. The Access Rights column should identify who can access the data at any point in time, which may include institution employees, service provider employees, and subcontractors used by a service provider.
This may seem like a daunting task to complete, and it may take a significant amount of time depending on the size and complexity of your institution. One option for implementing this process is to start with your annual vendor review process rather than trying to complete the process for all of your services and applications at one time. When you are gathering and reviewing documentation from each service provider, complete the table shown above for the service or application provided by that service provider. Documentation for internally managed systems and applications can also be completed over a period of time.
Upon completion of this process, you should have a full understanding of how your data moves between devices and where the data is stored. This information will allow you to justify the risk ratings within your information security risk assessment and identify additional controls that need to be implemented to properly protect your data.
For more information on this article, contact Mike Detrow at 1.800.525.9775 or click here to send an email.