Are You Ready for the Auditors?
Are You Ready for the Auditors?The impetus for these potentially overlooked duties, particularly with regard to retail sales organizations, has been the emergence over the past two years of the PCI (Payment Card Industry) Data Security Standard. Regulated industries including banking, finance, insurance and health care are accustomed to the audit process and thus have a somewhat greater knowledge of what data is stored where. However, some historically unregulated businesses have amassed large amounts of sensitive customer information without keeping close tabs on where this data ends up. Addressing this gap in the data life cycle requires a two-pronged approach in order to achieve regulatory compliance while at the same time securing valuable data resources. First, IT managers must work with business managers to fully understand what data is being captured and where this information is being stored. Start by enumerating the most common business processes in your organization-a point of sale transaction, a restocking order, bill generation and presentment, and the like-and then follow the money. It makes sense to involve your database and applications staff in these reviews, as they should have an intimate knowledge of the data inputs and manipulation that are required to make the money move through your organization. Second, begin a formal process of tracking what data is collected by your organization, noting the points at which data is collected, where it is stored and where it is allowed to flow out. You can be sure that going forward, security will be as much about protecting specific types of information as it will be about patching software bugs and correctly configuring applications so that they only work as intended. --CS
While keeping a precise accounting of the data that's stored within your organization is a duty that's quite familiar to traditionally regulated industries, it's a chore that looms for a widening range of companies-whether they realize it yet or not.