Data protection strives to minimize business losses due to the lack of verifiable data integrity and availability. The practices and techniques to consider when developing a data protection strategy are data lifecycle management, which is the automated movement of critical data to online and offline storage; data risk management; data loss prevention and data backup and recovery; among others.
When building a strategy of any kind, part of the process is to identify the desired outcome of the strategy and then identify the actions needed to achieve the goal. In the case of a data protection strategy, the goal is data that is protected from damage or destruction by any internal or external risks of threats. Considering how important data of any kind is to an organization, a well-thought-out protection strategy is an essential part of an overall data management program.
It's important to identify the necessary components of a data protection strategy. Below are 20 elements that factor into an overall strategy. Although all the components might not be initiated -- for any number of reasons -- the goal is to have as many components in place and operational as possible that make sense for the enterprise.
Fundamentally, once data and information have been created, several activities must also occur. These include primary storage and backup storage arrangements; choosing the types of storage to use and the appropriate storage infrastructure; addressing access management and the associated access controls; and establishing data security measures and a security strategy to protect the data from unauthorized access and attacks. Figure 1 depicts the various activities that form a data protection strategy.
In the following sections, we'll briefly examine each of the components of a data protection strategy. First and foremost, ensure that senior management approves the creation of a data protection strategy. Second, make sure that a strategy aligns with the business processes performed by the firm. Note that the following activities aren't in order of importance or preference.
1. Data lifecycle management
Establishing a data lifecycle prepares a framework for data from creation to storage to archiving to destruction. It's often considered a fundamental component of a data protection strategy.
2. Data risk management
Identifying and assessing risks and threats to data is essential when formulating most aspects of a data protection strategy, as the strategy aims to minimize the likelihood of the risks occurring and mitigate severity of events that negatively affect data.
3. Data loss prevention
These activities ensure that any data created is protected from potential loss or damage through activities such as storage and archiving and securing data integrity with encryption technologies.
4. Data backup and recovery
Once data has been created, unless it's no longer needed, it must be backed up to a secure and protected location for future use. When the data is needed, a recovery process releases it from its secure storage/archiving and verifies that it's ready for use. These activities are also key components of business continuity and disaster recovery (BCDR) initiatives.
5. Data access management controls
Among the most important components of a data protection strategy is the process for securely accessing and using data. Data access controls are typically examined by auditors as part of an IT audit.
6. Data storage management
This activity encompasses all activities associated with securely moving production data into a secure storage repository -- e.g., on site or off site in a cloud environment -- for subsequent use. In situations where the data might be needed at a later date and time, storage management moves the data into an archive facility.
7. Data breach prevention
These activities prevent unauthorized access to data by a cybersecurity attack or other malicious event using network security measures to prevent external access and data protection systems to block unauthorized internal data access.
8. Data sovereignty protection
For global organizations dealing with data from other countries, it's important to have measures in place to protect data sovereignty so it remains undamaged by internal or external attacks.
9. Information lifecycle management
Along with data lifecycle management is the process of protecting information all along its lifecycle from creation to destruction.
10. Confidentiality, integrity and availability
These are the cornerstone attributes of data protection and, specifically, data security. Components of a data protection strategy achieve each of these attributes.
11. Cybersecurity management
These activities prevent unauthorized attacks on network perimeters, internal networks and data in motion and at rest. They include access management software, perimeter security software and hardware, antivirus software and ransomware software.
12. Ransomware protection
These activities prevent situations where access to data and systems is compromised by a cyberthreat actor with access granted only by some sort of ransom, e.g., financial payment. This has become a key component of cybersecurity protection activities.
13. Password management
Still widely used as a technique for preventing unauthorized access as a factor used in access authentication, password management has consistently improved with the use of numerous password creation and management tools.
14. Policies and procedures
Policies establish the "what" associated with data protection activities and procedures define the "how" activities. Both are essential in a data management program and are typically examined as part of the audit process.
15. Standards and regulatory compliance
Good data protection practice presumes knowledge and use of the various standards and regulations in place that govern how data should be protected. One of the most widely recognized of these is the European Union's General Data Protection Regulation. Numerous similar metrics have been established in the U.S. by the National Institute for Standards and Technologies and others.
16. Reporting to management
Regular briefings to senior management on all aspects of data protection programs ensure that senior leadership is fully aware of how the organization's data and information are being protected and managed.
17. Testing and exercising
Regular testing and exercising of data management program activities, e.g., data backup and recovery, data access management and cybersecurity prevention activities, ensures these important programs perform properly and the employees responsible for them know their roles and responsibilities. These activities are also components of BCDR initiatives.
18. Training and awareness
These activities ensure people responsible for data protection activities know their jobs. They also ensure all employees know how their data is managed and protected and know their responsibilities for ensuring their data is secure.
19. Auditing and assessing
To ensure data protection strategies are being followed and all associated data management programs are performing properly, they must be periodically examined, assessed and audited. This is especially true to ensure compliance with relevant standards and regulations.
20. Monitoring and reviewing
A well-organized data management program provides ongoing monitoring of all aspects of data creation, transmission, storage, archiving and destruction. These activities provide essential evidence for auditors examining data protection and management controls.
Once a strategy has been established, its development and implementation will occur based on the company's business needs, available funding, staffing and senior management's commitment to a secure data infrastructure.