Published on April 26, 2022

State, local, and education institutions can take a major step forward in terms of enabling security and privacy by considering data across the entire information lifecycle. Here are three steps to get you started on that process.
Loss of critical data and information continues to draw the attention of state, local, and education organizations because they know data loss erodes constituents’ trust. The latest annual State CIO Top 10 Priorities from the National Association of State Chief Information Officers (NASCIO) ranks “Cybersecurity and Risk Management” as the top concern in 2022, with a specific focus on governance, data protection, insider threats, and third-party risk. EDUCAUSE listed “developing processes and controls, institutional infrastructure, and institutional workforce skills to protect and secure data and supply-chain integrity” as its number-one IT issue for 2022.
According to a recent commentary article in StateTech, “Human error, natural disasters, cybercrime, and system outages could cost government agencies billions of dollars in data loss. At the rate of $141 per record lost, a government entity with millions of unique data records … could potentially lose over $7 billion if hit with an unexpected cyber event.” Financial impact to state and local agencies and educational institutions is only one factor of data loss; the cost associated with declining trust of citizens, students, and parents is often more concerning.
Protecting personally identifiable information (PII) and maintaining citizens’ trust have never been more critical. How can state, local, and education organizations move forward in their quest to establish a more secure environment? It starts with a comprehensive data management program.
A three-step process to better data security
State, local, and education institutions can take a major step forward in terms of enabling security and privacy by considering data across the entire information lifecycle. This might sound like a daunting task—to identify, track, and manage data from its creation to disposition—but the process itself can be broken down into three key steps:
Assessment. Organizations begin by conducting privacy assessment audits to identify requirements associated with risk management, retention, and compliance to better control information from the point of creating a record to its final disposition. Audits include taking inventory of stored data and developing an information roadmap of stored records, as well as where those records are located and who is responsible for managing them. Assessment audits provide the foundation for strengthening security.
Classification. Once the privacy assessment audit phase is complete, state, local, and education organizations must classify inventory to comply with retention schedules and retain records in accordance with legal, regulatory, or privacy requirements. The process of “content classification” can leverage a rules database to determine which records are able to be destroyed and when—immediately or eventually—through a proprietary retention management function. As part of this capability, organizations are able to automatically calculate the destruction eligibility of records according to specific retention policies and better determine when and how those records need to be securely destroyed.
Secure destruction. Data classification makes possible a more detailed plan for disposing of records and IT assets. When an organization determines a record or asset has met the requirements of its retention policy, it must determine how to securely dispose of that record or asset to ensure privacy protection. Inadequately detailed plans for disposing of data and assets could result in organizations being out of compliance with regulations, having to pay fines, losing custody of sensitive information, and suffering reputational harm. It is also important to note that following a precise chain-of-custody is a key component in the destruction phase to help prevent the loss or damage of a record. A chain-of-custody process is the complete, documented, chronological history of the possession and handling of a piece of information or a record.
The 2021 Verizon Data Breach Investigations Report shows that data loss due to physical incidents is prevalent and that these incidents involve theft of devices, such as laptops, phones, and storage devices. With the evolving threat landscape, citizens need to have confidence that the information they entrust to state, local, and education organizations will remain safe and secure. To truly enhance citizens’ trust, organizations must develop a thorough, detailed plan to ensure PII and other data are not at risk.