Have you mapped your data lately?
Mapping how data in your organization is received, processed, disseminated, and stored is critical to designing appropriate protections. In order to conduct cyber risk assessments and to mitigate cyber incidents, you have to know how data flows and what specific pieces of data require extra protection due to statutory privacy and data protection laws.
Internal Controls include data privacy and robust cybersecurity controls, not only to protect data but also to ensure that operations and systems are not disrupted by a cyber incident. Here is a simple set of questions to assist with mapping out the data lifecycle in your organization.
Data Lifecycle Management
Know WHAT data is being made or received.
Know WHY that data is being made or received and do not collect Personally Identifiable Information (PII) or sensitive data unless required to do so.
Know WHO has access to data, what data they have access to, and WHY they have access to this data.
- Efficiency should be only one consideration.
- Data privacy and security should be of equal or greater concern.
- More access = more risk.
Know WHERE the data resides, travels, and is stored. Map data from its inception, through wherever it travels, until its destruction.
Know HOW data resides, travels, and is stored, and how it is protected by encryption, locking, or masking.
Know RETENTION and DESTRUCTION schedules, and ensure proper destruction of PII (M.G.L. c. 931).
See our Cyber Center for additional resources and links for cyber alerts, and contact CTREmergencyNotification@mass.gov with any incidents or suspected incidents of fraud or cyber attacks.