Protection of Sensitive Information: Technology is Only Part of the Solution

Criterion | Cybersecurity CoE



Data usage and security is top-of-mind these days for both commercial businesses and Federal departments and agencies. While the protection of sensitive information and information assets is a high priority, implementing cybersecurity technology is only part of the solution. The organizational security team must first develop and implement a protection strategy that meets the enterprise’s goals and objectives.

Sensitive information can be defined as non-public information. It is not necessarily classified, but it is critical to the ability of any organization to meet its mission. It is also likely to require frequent access by, or sharing with, others, which demands a protection strategy with some degree of permeability built in. This is where the challenges – and the risks – lie. Building a system that meets these needs requires that an organization have a very clear definition of the risks it is willing to accept and of the technical tradeoffs that mitigating those risks entails.

The first step is knowing what information an organization has and who has access to it. Internally, who has access? Should they have it? What level of access do they have? Externally, are you sharing with the right person? Do they have a need to know? How are you sharing the information? All these questions seem basic, but most organizations cannot clearly answer them today.

The next step is determining the sensitive information protection strategy. What information can you share? What shouldn’t be shared? What tools and capabilities do you have access to? What do you need today and into the future? These considerations are applicable across both commercial and governmental agencies. And when government and commercial enterprises work together, the questions and answers get more complex, with an added political element.

To help organizations follow these steps, the National Institute of Standards and Technology (NIST) provides a Risk Management Framework, NIST SP 800-37. Criterion has written about the RMF here. We have also created CyberScale®, a US patent-pending compliance and risk management solution designed to help streamline compliance and mitigate, measure, and report risk at every level of an organization. Learn more about CyberScale® here.

Governance is at the heart of any successful information protection strategy. A governance board with decision-making power needs to be established and staffed with the right members; for example, it should include both technical and business stakeholders. If you don’t include both knowledge areas, you have failed from day one. Two relatively effective models of governance boards exist today: the Department of Defense and the banking industry. Both still have a variety of issues to resolve, but they are a good source of lessons learned. [Note: Government Matters and Federal News Radio’s Ask the CIO are two good sources of information on this topic.]

In summary, developing a protection strategy for sensitive information is complex and requires not only key cybersecurity technology, but also knowledge of business goals and policies, procedures, processes, and administrative controls related to the systems and networks hosting the information. Organizations should adopt a structured risk management approach that enables them to define the current state of their processes and systems, then helps them to increase maturity over time.