Data flow visibility. Compliance and beyond.

Information is like oil in the ground or the sun’s energy – if you can’t get to it or use it in a cost-effective way, it is not valuable to you. Information can be incredibly valuable, but we must be able to make use of that information to realize its value.

From the perspective of today’s interconnected world, a document (physical or electronic) has limited effectiveness as a means of storing vast, complex information. It is especially limiting when the need arises to cross-reference with other data for valuable insights. Great tools for document management exist to help with finding information and making sense of it. But some objectives require much more coordination and structure to manage and make sense of the information upon which they depend.

We know that a comprehensive understanding of how and what data travels throughout an organization is a key element to managing risk of data loss or exposure. It is why regulations and frameworks such as HIPAA, GDPR, PCI, or NIST CSF call for or even require documentation of sensitive data flow and the organizational assets that use/store data.

This information is important beyond meeting a compliance objective, as we will discuss further. But today organizations store this valuable information scattered across documents, spreadsheets, and static diagrams - unstructured data - where it then becomes marginally valuable. In the name of better security, operational efficiency, or digital transformation, we would be well served to step back and ask ourselves if we are using the best tools for the job.

Imagine the solutions that have made information more useful, interconnected, and valuable to an organization such as ERP, CRM, ITSM, and GRC products. There are many examples like this that started with clunky manual processes around wordy documents where innovators eventually brought solutions to market that far exceeded the value of rudimentary word processing documents and spreadsheets.

There is an intersection that our company, IOR Analytics, is working on between IT, security, data privacy, compliance, and business process owners. Based on our experience with professionals in these areas, there is a need for better tools to capture, share, analyze and ultimately bring “visibility” to business processes; and to make clear the way those processes use data, interact with systems, and communicate with third party vendors. These individual groups are still pulling their hair out trying to get basic information together for what are usually shared objectives.

An example

We recently encountered an interesting example of the poor results that come from relying on unstructured data. IOR Analytics has a customer who is leveraging our IOR Insight cloud platform to expose and manage risks to their Disaster Recovery capabilities. Using our product, they exposed third parties and even internal applications and systems that their lines of business depend on to function, but that had not been accounted for in their DR plans.

The surprising part - they have a purpose-built, brand-name GRC tool designed to help them manage DR plans. We found that rather than using its features for their DR plans, employees are simply creating word processing documents and uploading them as attachments - bypassing the features the tool provides to support the original objective. That GRC tool was intended to provide visibility – instead it is now hiding bigger problems. And in this case, they are paying a very high price for a tool that is effectively being used like a shared folder for unstructured data. Beyond the wasted costs, if nothing changes this multi-billion-dollar company will not be capable of effectively responding to a crisis.

This customer continues to rely on IOR Insight to expose and bring visibility to their business processes, how they intersect with vendors/applications, and where/how sensitive data is being transmitted. This information is incredibly important to everyone (e.g., IT, Compliance, Data Protection, and Security) all at different times and for different reasons.

This is just one example, but it represents the drawbacks of relying on loose and uncoupled documents to capture important information that will be critical later. Without the structured and scalable data risk management capabilities of IOR Insight, this customer wouldn’t have clear visibility across scores of business processes and hundreds of data types and respective classifications. This also helps to solve a common problem for data protection teams; the identity management teams securing structured OR unstructured data; and data privacy teams coming to grips with heavy-handed requirements such as GDPR, HIPAA, and PCI.

IOR Insight provides value through actionable visibility

Organizations will continue to rely on unstructured data, but IOR Insight is the right approach for your data classification and risk management programs. We automatically paint the picture of how your business activities intersect with known and sometimes unknown resources and assets, data, security attributes, policies, and compliance concerns. Furthermore, we expose related risks and remove the need to build and maintain unstructured diagrams, spreadsheets and documents that result in low value and low visibility.

Your organization needs this visibility for many reasons, such as:

  • Understanding data handling to determine and prioritize security risks;
  • Responding to the continually evolving regulatory landscape;
  • Understanding the potential impact of a change or outage to operations; and
  • Ensuring and providing evidence that your organization is compliant with handling PCI, PHI or PII.

The value of data flow visibility is incredibly high, and a cost-effective solution like IOR Insight helps achieve that visibility while saving months of effort to gain and maintain that information year over year.

Articles | Matt Linde