Data Protection & Risk Management
Overview
Glen Willis and Arthur Mansourian walk through a simple play for any company. Know your data, apply a shared set of controls, and tune based on sensitivity. For SaaS, pick vendors you can trust, check the basics, and watch usage so surprises are less likely.
- Start with a data map so you know what you have, where it lives, and who can see it.
- Use common controls everywhere: access limits, encryption in transit and at rest, MFA, retention, vendor review, and an incident plan.
- Tier controls by risk level so the strictest rules protect the most sensitive data.
- For SaaS, look for SOC 2 or ISO 27001, clear encryption, and workable deletion policies.
- Monitor logs, review access often, and consider a CASB for better visibility.
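The play above (map the data, apply a shared baseline, tier by sensitivity) is easy to state and easy to let drift. The following added Python script, written for this page and not code from Kalles Group or the speakers, shows one way to make the data map itself enforce the tiering: each data store records where it lives, who owns it, what categories it holds and which controls are actually in place, and the script classifies it into a tier and lists the baseline controls it is missing. The category-to-tier mapping, the per-tier control sets, the "unclassified data counts as high" rule and the reader-group threshold are all assumptions to be replaced with your own policy; the inventory is constructed sample data.

```python
from dataclasses import dataclass

# Rank used to pick the highest tier among a store's categories.
TIER_RANK = {"low": 0, "moderate": 1, "high": 2}

# Controls each tier must have. Assumed baseline built from the overview's
# list (access limits, encryption, MFA, retention, vendor review).
REQUIRED_CONTROLS = {
    "high": {"encrypted_at_rest", "encrypted_in_transit", "mfa",
             "retention_policy", "access_review", "vendor_review"},
    "moderate": {"encrypted_at_rest", "encrypted_in_transit", "mfa",
                 "retention_policy"},
    "low": {"encrypted_in_transit"},
}

# Assumed mapping from data category to sensitivity tier.
CATEGORY_TIER = {
    "ssn": "high", "health": "high", "payment_card": "high",
    "internal_records": "moderate", "public": "low",
}


@dataclass(frozen=True)
class DataStore:
    name: str
    location: str          # where the data lives
    owner: str             # who is accountable for it
    categories: frozenset  # what kinds of data it holds
    controls: frozenset    # controls actually in place today
    readers: frozenset     # groups that can see it


def classify(store: DataStore) -> str:
    """Tier is the highest tier of any category held. A category nobody has
    classified is treated as high until it is (assumed fail-safe rule)."""
    tiers = [CATEGORY_TIER.get(c, "high") for c in store.categories] or ["low"]
    return max(tiers, key=TIER_RANK.__getitem__)


def missing_controls(store: DataStore) -> list:
    """Baseline controls the store's tier requires but it does not have."""
    return sorted(REQUIRED_CONTROLS[classify(store)] - store.controls)


def broad_access(store: DataStore, limit: int = 3) -> bool:
    """Flag high-tier stores readable by more than `limit` groups
    (assumed threshold for an access review)."""
    return classify(store) == "high" and len(store.readers) > limit


def build_report(inventory) -> dict:
    """One row per store: tier, where it lives, who owns it, and the gaps."""
    return {
        s.name: {
            "tier": classify(s),
            "location": s.location,
            "owner": s.owner,
            "missing_controls": missing_controls(s),
            "broad_access": broad_access(s),
        }
        for s in inventory
    }


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    DataStore("hr-payroll-db", "aws:us-west-2/rds", "hr-ops",
              frozenset({"ssn", "internal_records"}),
              frozenset({"encrypted_at_rest", "encrypted_in_transit",
                         "mfa", "retention_policy"}),
              frozenset({"hr", "finance", "it", "contractors"})),
    DataStore("eng-wiki", "saas:wiki-vendor", "eng-mgmt",
              frozenset({"internal_records"}),
              frozenset({"encrypted_at_rest", "encrypted_in_transit",
                         "mfa", "retention_policy"}),
              frozenset({"engineering"})),
    DataStore("legacy-export-bucket", "aws:us-west-2/s3", "unknown",
              frozenset({"customer_export"}),   # never classified
              frozenset({"encrypted_in_transit"}),
              frozenset({"everyone"})),
    DataStore("marketing-site", "cdn", "marketing",
              frozenset({"public"}),
              frozenset({"encrypted_in_transit"}),
              frozenset({"everyone"})),
]


if __name__ == "__main__":
    for name, row in build_report(SAMPLE_INVENTORY).items():
        print(f"{name:22} tier={row['tier']:9} owner={row['owner']:10} "
              f"missing={row['missing_controls']} broad_access={row['broad_access']}")
```

Run it and the "forgotten" store stands out: the unclassified export bucket is forced into the high tier and shows every control but transport encryption missing, which is exactly the old-files-and-retired-systems case the transcript warns about. The payroll database passes the encryption and MFA checks but is flagged for a missing access review and vendor review and for being readable by too many groups.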
Transcript
Glen Willis
Hello, I’m Glen Willis, Director of Cyber Technology at Kalles Group. I’m here with one of our wonderful privacy consultants, Arthur Mansourian. We’ve planned a series of topics to talk through that we hope you find helpful in understanding ways to set up for success with your privacy programs.
So let’s talk about data protection and risk management in that area. This can vary depending on the kind of business you’re in. If you’re serving federal agencies, for example, you may have different regulatory requirements to respond to. If you’re handling healthcare data, we all know HIPAA is the key regulation to anchor to. And for financial data, if you’re doing work that the SEC is monitoring, you need to ensure those regulations are addressed.
At the same time, when we take a step back, it typically comes down to knowing where your sensitive data is, training your people to handle it properly, and making decisions about what should be encrypted at rest, etc. The controls tend to be largely the same. So how can an organization with multiple types of exposure simplify down to a common sense set of practices that work across all those areas?
Arthur Mansourian
Yeah, absolutely. Great question. It definitely varies depending on the company, its size, and its industry. The different types of data can be overwhelming when trying to meet all the various regulatory requirements you mentioned.
But when you take a step back, most risk management principles are fundamentally the same. The key is to build a common sense, scalable approach that applies across different data types.
Number one: focus on knowing where your data is. The first and most important step is understanding what sensitive data you have, where it lives, and who has access to it. Many breaches happen simply because companies lose track of their data: old files, outdated databases, retired systems.
Data inventory or data mapping exercises are important. They help track data flows across departments.
Next, implement security controls that work for any data type:
- Access control: restrict access on a need-to-know basis
- Encryption: encrypt sensitive data both in transit and at rest
- Multi-factor authentication: require a second step for accessing critical systems
- Data retention: delete data when it is no longer needed
- Third-party vendor reviews: assess how vendors handle security
- Incident response plans: have a clear process for breaches or security incidents
Also, adapt your risk management approach based on the sensitivity level of the data:
- High risk data, such as Social Security numbers, needs the strictest controls
- Moderate risk data, such as internal business records, still needs strong controls but can be slightly more flexible
- Low risk data, such as public information, can have basic controls
At the end of the day, you do not need a separate security program for every data type, just a solid, common sense base that can be repeated.
Glen Willis
I’m going to sneak one more question in here, Arthur. For companies using SaaS solutions and storing internal company data in those platforms, what is the high level way to set up for success in that scenario?
Arthur Mansourian
Yes, that is a great question, and very relevant. More and more companies are moving to SaaS platforms as part of their digital transformation.
One of the first things to focus on is security controls and clear accountability. SaaS solutions offer convenience, but they also introduce additional risks and compliance challenges.
It starts with understanding your data, where it lives and how it is handled. Choosing the right vendor is a big part of it. You want a vendor with strong security and compliance practices. Some may be cheaper or offer attractive features, but you also need to evaluate their certifications and policies.
Look for:
- Certifications like SOC 2 and ISO 27001
- Encryption policies, both at rest and in transit
- Data retention and deletion policies
Implement access controls and monitor usage regularly. Review activity logs for unusual access patterns or unauthorized changes. Regular audits go a long way.
Also consider using a Cloud Access Security Broker to gain deeper visibility into potential risks.
Protecting data with encryption and backups is key. Staying compliant is essential. SaaS platforms reduce complexity, but they also increase risk, so it is critical to know your data, choose the right vendor, monitor for risks, and ensure good practices are followed.
Glen Willis
Thank you.
