Knowing What You Are Protecting

Our job is to protect stuff. What exactly is that stuff? Networks, data, systems, web sites, physical equipment and locations, etc.... As information security professionals what we protect often depends on what our jobs are. Some of us are responsible for protecting everything and some are responsible for specific areas. So what we protect can and does vary and therefore so does how we protect them.

What I'm wondering is even within your specific area do you really know what you are protecting? I guess this question really is directed more towards those who are tasked with protecting data. What I'm talking about is the data stored on your systems. Do you protect everything? Do you protect everything equally? Do you even know where all the data is that needs protecting? Is it all stored nicely on network drives and in databases? Oh if that were the case. If it only that simple and easy.

Unfortunately even though the data may very well be in those places the question is "Where else is it?" Is it on desktop and laptop hard drives? What about USB sticks, IPods, CD's, employees home computers? Did it get emailed, printed and removed from the building, ftp'd off site?

OK, lets not go there for this post. Let's keep it simple. Let's assume that you have DLP or some other solution in place that has eliminated all of the above. Do you still know where your data is? Do you still know what really needs to be protected? All data does not have the same value to the company and therefore unless you have a very simplistic network protecting everything equally is not easy or necessary. Obviously you want to protect you entire network, but you want to protect financial data, PII, and information of a sensitive nature more than you want to protect Andy's ITunes library backup.

So again I ask do you know where all of he data is? You do? Great! One more question. Do you know what it is that needs to be protected? Has management determined what really is important and what really needs an extra measure of protection. Rebecca reminds us that if we (the organization and management) haven't identified what is considered to be PII then there can't be an expectation of protection.

If you, as the company security professional, don't know the answers to these questions then you need to get answers quickly. You need to meet with your manager, department managers, the CIO, or who ever it takes because you can't adequately do your job if you don't have all the information. Being tasked with "just protect everything" isn't good enough. You have limited resources and time so you need to be able to make wise decisions on where to invest them.