One of the biggest problems for an officer retained to monitor compliance with data protection law is that, unlike in the European Union, there is no overarching government regulation in the United States. Instead, the US takes a piecemeal approach that relies on regulation, self-regulation and legislation written to address specific issues, such as the Fair Credit Reporting Act.
While this may seem an odd approach, it stems in large part from a constitutional clash. It has been described as a conflict between the explicit right to freedom of speech guaranteed in the US Constitution and the implicit right to privacy that the Supreme Court has read into it. While some states have made privacy an explicit right at the state constitution level, it remains undefined at the national level. This leads to some unique challenges for compliance officers that may not be immediately obvious.
Common Data Protection Errors
The size of your company should not be taken as an indicator of how complex your data is. Even the smallest business can potentially have a huge amount of data, from HR databases and financial records to research and reports that are unique to your organization. The following issues have been highlighted as being among the most common causes for concern when audits are undertaken:
Not following the rule of least privilege – Businesses should restrict access to private company and customer data to selected employees and administrators. Taking the time to drill down and establish who actually needs access to any given piece of data can save a lot of problems later.
Ignoring compliance on virtualized services – A common mistake is to assume that you only have to ensure compliance on individual virtual machines. In fact, your entire virtualized infrastructure needs to be compliant.
Not changing vendor default configurations – It might seem obvious, but just as there’s no point in restricting who has access to a system if you don’t change the default passwords, you still need to redefine the default configurations of virtual machines.
Failing to properly define the scope of your network – Network segmentation is a crucial tool to tighten data protection. It means for instance assessing whether individual servers need to be able to see each other.
Not tracking data flows – Related to the rule of least privilege, this is an essential process for compliance officers to stay on top of. It is the mapping of the who, what, where and why of data so that there are no nasty surprises.
Lessons To Be Learned
What all these common issues have in common is that it is very easy for the compliance officer to lose track of who has access to what. This is particularly true in virtualized environments where traditional scanning tools are less effective.
Many compliance officers find themselves in a situation where it is very easy to rely on automated tools for discovering and mapping resources. The ultimate responsibility for ensuring that their company does not fall out of compliance with a raft of legislation lies with them, so adopting a proactive approach to tackling these issues is in their own best interest.