Can You Find My Data Now?

Marketing has brought many familiar catch phrases into the popularly accepted lexicon, including "where's the beef?" and "can you hear me now?". However, in the realm of cyber risk, I've often posed a question that would provide a good touchstone if it gained similar common-use status in corporate settings: "where's our data?" or even "can you find my data now?".

It is a sad fact that for many organizations their business units, vendor management group, and even procurement, truly have no idea exactly where all their data is stored, or even who has access to it - and yes - this includes fourth-party access and storage as well. As IT environments continuously expand their support to include follow-the-sun methodologies, it's more important than ever to traverse that ground and pursue answers now to this very important question.

A great case in point is a recent incident I've been made aware of at a Fortune 100 company in which a compliance director was informed that one of their company's IT vendors commented they were processing data for a key application in China. He further explained that China is a location that was "verbally understood" by the parent company to be forbidden, but was never explicitly documented and communicated to the vendor. Further investigations identified that the data processing was originally handled in India, but the IT vendor moved the work over to China without the knowledge or consent of the outsourcing company's business unit.

Perplexed as to how this occurred, he immediately requested a copy of the contract for review and noticed there weren't any clauses or directives stating that the work must only be performed at the India facility or that changes to subcontractor use had to be pre-approved by the outsourcer. In discussing this further directly with the third party vendor and the outsourcer's business unit management, the director concluded the change had been made in response to "cost pressures" imposed by the business unit onto the vendor.

To rectify the situation quickly, he notified additional executive management within his own organization for guidance, which included the Chief Information Security Officer, the Chief Privacy Officer, and his senior legal counsel. Almost immediately the parent company's compliance management called a meeting with the business unit management, the heads of IT Security and procurement, and the vendor's account management. The vendor and the business unit understood that the data and all operational support for this and all other applications, were not to be moved anywhere without the express consent of the business unit, procurement, and IT Security. Once this understanding had been formally established, additional steps were enacted immediately, including:
  • A rapid assessment of the current location of where the work was being processed;
  • Provision of a remediation work plan and timeline by the vendor for moving the data processing back to India (they were given 45 days to complete the move back to the India datacenters), during which their progress was monitored weekly by compliance and IT Security;
  • Amendment to the master services agreement, which stated that any physical process or data moves must be approved by the outsourcing company's executive management;
  • Amendment to the master services agreement that stated what locations are permitted to process the scope of work; and
  • Lastly (and with greater impact...) the vendor was barred from bidding on any new projects for a one-year period.

This may seem extreme to some, but this response underscores the importance of knowing who touches your data and where and how that information is being accessed. Constant threats surround the cyber landscape and it's important to have your finger on the pulse to be aware of every aspect of how your vendors are treating your most precious resource - your data.

It is urgently important to have contract wording - which may be included in contract addenda - that specifies, appropriate to your organization's risk needs, where the work will be done and who has access to it. This includes the most current copies of the third party's business continuity and disaster recovery plans, as these recovery locations must also be properly vetted during a third-party risk assessment. These documents should be continuously updated as scopes of work change and new projects are added (or even removed). And finally, the business unit - along with procurement - should always maintain copies of the fully executed (dual-party signature) agreements.

Taking the stance that "who has my data?" is one of the single most important questions to be able to answer will help boost your organization's risk posture in the eyes of regulators, assessors - both internal and external - and senior management of your company, including the board of directors. As an outsourcer, knowing where your data is, who is accessing it, and from where (and yes, even how) it is being accessed is one of the rock-bottom essentials of a functional, effective risk management program that provides more than lip-service protection for your organization.