Business | Featured | IT Strategy | Tech Tips

Guidelines for an effective data management plan

The elusive and often indescribable Data Management plan is the antagonist of IT leaders, cybersecurity professionals, and business leaders. It is the theoretical battle between on-premises, cloud, or hybrid solutions. Business leaders seeking new solutions are caught in the crossfire between finance teams scrutinizing spend and IT teams providing services with correct cybersecurity controls. The solution is not straight forward, but it is adaptable to all organizations. We have created a simplified guideline for an effective data management plan.

A comprehensive Data Management plan is a blend of Business, Technical, and Cybersecurity requirements. Organizations that fail to create an effective plan significantly increase business risk (data availability) and cybersecurity risk (you cannot protect the data if you do not know where it is or how it’s interconnected).

Your plan should be based on a standards framework such as NIST CSF, CIS (Center for Information Security (CIS), and COBIT (Control Objectives for Information and Related Technologies). Consider the following elements when constructing an effective data management plan:

  1. Business. Be business-centric, consider current requirements and potential business changes.
    • Data. Understand your data and all data states such as rest (storage), in motion (transit) and in use (transformation).
    • Data Connections. Document how data relates to other data stores, data transmitters, and data users.
    • Data Insights & Intelligence. Identify how you leverage (or want to) the power of your data through reporting.
    • Organizational Changes. Identify growth plans, consider how data insights might create new opportunities.
    • Hidden Data Locations. Look throughout the organizations for hidden data, data that is on local computers or in unknown SaaS locations.
    • Compliance. Document all regulatory and frameworks requirements.
    • 3rd Party Data: Document all data that belongs to another organization, know the data state requirements.
  2. Technical
    • Where & how to store data. Be strategic, the debate and solutions are not new, your approach might need refreshing. Blend business, financial, cybersecurity requirements with your current solutions to identify the ideal solution(s). Your plans will evolve as your requirements change.
      • On Premise
      • Cloud & XaaS (Anything as a Service)
      • Hybrid
    • Data Definitions and Classifications. Adopt standardized data classifications then digitally tag. Consider the following classifications.
      • Company and/or Client Confidential, PII (Personally Identifiable Information), ePHI (Electronic Protected Health Information), or similar
      • Proprietary
      • Public
      • Unclassified
    • Data Mapping (interconnection and APIs). Map all data connections (automated or manual) between all systems. This includes internal, XaaS, and workstations. Include in your contingency planning.
  3. Cybersecurity
    • Risk. Include regulatory, technical, human, and other standardized threats. Formalize your risk management program.
    • DLP (Data Loss Prevention). Prevent the unauthorized removal (copying) of data. Common loss includes email, improper data connections, printing, or transmitting through remote sessions. Leverage data classification tags to enforce rules.
    • Encryption. Encrypt data (per data classification requirements) for all data states.
    • Integrate into Organizations cybersecurity program. The Data Management Plan is a key part of your cybersecurity program; areas of focus include user training, contingency planning, risk management, and vulnerability management.
  4. Document. Document your plan accordingly to complexity, risk, business criticality, dependencies, and impact.
  5. Policy and Procedures: Create a standards-based policy with associated procedures.
  6. Data Custodians. The role manages and controls data access, oversees data stewardship, and validates data integrity. Often the business managers are the Data Custodian and work in conjunction with the IT team to execute the responsibilities. It is common for business unit managers to serve as Data Custodians for their business unit.
  7. Vendor Management for XaaS.Leverage the Vendor Management program ensuring cloud-based data states align with data classification requirements.
  8. Review and Update Periodically. Your plan might be static; however, your data states are not. Be vigilant for organizational changes, data change rate, business, and regulatory updates.

Summary
Creating, implementing, and maintaining Data Management Plans can be daunting, consider leveraging a partner like ISOutsource to support your team. Manage your data carefully, it’s often your most valuable asset.