07 August 2017

Knowing what you need to protect - The fundamentals of governing risk and achieving compliance

By Phillip Mason, Software Director at IRM

A few years back, well before the panic of becoming GDPR compliant entered Legal and Security’s consciousness, I wrote an article about how IRM was supporting HMG Departments to automate and orchestrate their Senior Risk Management Overview (SRM). You’re probably already questioning how this relates to the title of this blog. But please hear me out…

Governing risk and maintaining compliance has always come down to knowing what you need to protect. In the halls of HMG, civil servants have for many years been practising what so many of us are now preaching or needing to adopt: while not perfect, the concept of Information Asset Owners, or Information Asset Management, has long been well established. I grant you that linking risk to information assets is not always understood or reported, but perhaps this comes down to not understanding consequences in a zero-sum game. However, the process of identifying, quantifying, approving and reviewing information assets is well understood.

Information has an intrinsic value to you, your competitors and third parties wishing to do you harm. In order to protect this data, the first step must be to know what you have and where it is. In addition, having an accurate Information Asset Register (IAR) is a key requirement for organisations that want to exploit the value of their information assets to the fullest.

Without these processes in place, commercial organisations, and still some HMG departments, will fail to achieve or maintain GDPR compliance. The upcoming changes to the EU GDPR require companies to create, track and maintain an IAR. If you don’t have an IAR, or better yet an automated process for identifying and approving new information assets, then don’t be surprised to see marketing or R&D departments using cloud solutions to collect and store PII outside of your GDPR programme. This is only going to get worse against a backdrop where companies need to spin up and spin down services quickly; we live in a culture where we must succeed quickly and fail quickly. If we don’t establish processes for identifying and maintaining information assets, we’ll never manage risk effectively.

As a cyber security company, we offer services that will identify your key information assets and the flow of that information through the organisation, identifying business processes, data users, locations and IT systems.

We also help organisations identify appropriate and proportionate controls to support GDPR, and we have a dedicated platform (SYNERGi) that provides the capability for maintaining GDPR compliance. More information can be found on our website, or if you would like to contact us with any questions you might have around our services or platform, please email us at hello@irmsecurity.com.