Building and operating a data management plan can be time consuming and overwhelming. You don’t have to go it alone. BARR Advisory asked Dariek Howard, manager, Attest Services, to share his thoughts and recommendations for building an effective data management plan. Here are his top tips to help you through the process:
1. Understand what data you have and where that data resides. Without this information, it’s impossible to understand what safeguards need to be in place and where your priorities—and immediate resources—should be focused. Start by compiling an inventory of the data in your environment. Then, using internal classification schemes, assign classification levels to that data based on its sensitivity.
2. Implement security controls in order of priority. Let’s face it, there are never enough resources available to classify everything as ‘highly confidential’ and implement the strongest technical safeguards all at once. Prioritize implementing security controls like encryption and access management for data deemed the most critical to your organization and its mission first.
In order to have a well-defined data management life cycle, it’s also important to set retention periods on assets in accordance with your internal classification standards and statutory or regulatory requirements. A secure means of disposing of the data should be implemented once those retention thresholds have been exceeded.
3. Leverage the assets that process, store, or otherwise support the data within your environment. Here are some of the most critical points to consider:
4. Understand your organization’s unique risks. Completing a risk assessment is crucial to understanding your organization’s current security posture and where your primary risks are. Systems that store or process data should undergo regular risk assessments to determine the likelihood and potential impact of a breach, the aggregate strength of mitigating controls in place, and the environment’s overall residual risk rating. When residual risk ratings exceed internal risk tolerance thresholds defined in risk management procedures, additional security measures should be implemented to protect the organization’s most critical data and reduce residual risk ratings to an acceptable level.
A risk assessment can also be a useful resource in gaining buy-in from the executive level on additional resources, like people and tools, that may be needed to better protect the organization’s data and the people it represents.
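As an added illustration of tips 1, 2 and 4 (not code from the article or from BARR), a small Python model of the process: each inventory entry records where the data resides, its classification level, its retention period and its risk scores, and the helper functions return which assets should receive controls first, which have exceeded retention and are due for secure disposal, and which exceed the residual-risk tolerance. The classification scheme, the 1 to 5 likelihood and impact scales, the control-strength factor and the sample inventory are constructed assumptions, not the article's standards.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed classification scheme, least to most sensitive (an assumption,
# not the article's scheme; substitute your internal classification standard).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "highly confidential": 3}
AS_OF = date(2024, 1, 1)  # assessment date used for the retention check


@dataclass
class Asset:
    name: str
    location: str            # where the data resides (tip 1)
    classification: str      # level from LEVELS (tip 1)
    created: date            # start of the retention clock
    retention_days: int      # from classification standard / regulation (tip 2)
    likelihood: int          # breach likelihood, 1 (rare) .. 5 (almost certain)
    impact: int              # breach impact, 1 (negligible) .. 5 (severe)
    control_strength: float  # aggregate mitigating controls, 0.0 (none) .. 1.0 (full)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # Risk remaining after the mitigating controls in place (tip 4).
        return round(self.inherent_risk() * (1 - self.control_strength), 1)


def control_priority(assets):
    """Names ordered so the most sensitive, highest-residual-risk data comes first (tip 2)."""
    ranked = sorted(assets, key=lambda a: (LEVELS[a.classification], a.residual_risk()), reverse=True)
    return [a.name for a in ranked]


def past_retention(assets, today):
    """Assets whose retention threshold is exceeded and that are due for secure disposal."""
    return [a.name for a in assets if today - a.created > timedelta(days=a.retention_days)]


def above_tolerance(assets, tolerance):
    """Assets whose residual risk exceeds the organisation's tolerance threshold (tip 4)."""
    return [a.name for a in assets if a.residual_risk() > tolerance]


# Constructed sample inventory (hypothetical assets, locations and scores).
INVENTORY = [
    Asset("customer-pii", "prod-postgres", "highly confidential", date(2019, 1, 1), 1095, 4, 5, 0.5),
    Asset("hr-records", "hr-fileshare", "confidential", date(2021, 6, 1), 2555, 3, 4, 0.75),
    Asset("old-backups", "offsite-tape", "confidential", date(2015, 1, 1), 1825, 3, 3, 0.0),
    Asset("marketing-site", "s3-www", "public", date(2023, 1, 1), 3650, 2, 1, 0.2),
]
```

Calling `past_retention(INVENTORY, AS_OF)` flags the customer PII and the old backups as past their retention period, and `above_tolerance(INVENTORY, 5.0)` flags the same two as exceeding a residual-risk tolerance of 5.0, which is where additional controls would be prioritised.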
Interested in learning how to build and operate a data management plan? We are here to help. Contact us today to get connected with a BARR associate.
Dariek Howard
Manager, Attest Services
As a Manager for BARR’s Attest Services, Dariek specializes in planning and executing attestation engagements, primarily SOC 2 and SOC 3. Dariek brings extensive experience to clientele operating in cloud environments.
Prior to joining BARR, Dariek was a Senior Consultant in Wolf & Company’s IT Assurance practice, where he performed work in numerous industries including technology, healthcare, and financial services. He has a Bachelor of Science in Cybersecurity from Utica College.