Building a Data Inventory – Fundamental Steps

Why Build a Data Inventory? 

It is vital for security and privacy leaders to take data inventory when deciding where to focus and implement defenses around priority targets. With an inventory, it is easier to identify if certain data has been accessed, or a system as been disabled or affected during a data breach. Knowing what you have and what needs protecting will quicken the process of evaluating any damages to your data from a cyberattack. In addition, not only is data mapping in your organization’s best interest when protecting sensitive information, it is also necessary for compliance efforts. Control frameworks, such as CIS or NIST, are more commonly recommended as data privacy has become increasingly important. 

Data Inventory Best Practices

Data mapping involves taking inventory and knowing the full scope of your data. The process of taking data inventory may seem daunting but will ultimately streamline incident response. To efficiently create a thorough data map, it requires asking the right questions, such as:

• Do we know what we have?
• How long are we keeping it?
• Where are we keeping it?
• Why are we keeping it?
• Who has access to it? 
• Has the data been classified?
• Who is responsible for the data? 

Using the infographic below, Jonathan identifies key considerations when data mapping. He highlights the need to take the proper steps to verify the policies in place to protect your data. This includes steps to verify what you have and how you’re protecting it through various points such as a data classification policy, data loss protection (DLP) tools, data retention policy and data use policy. 

Data mapping is a tedious job, but ultimately provides great clarity and protection that will ensure that your risk management team can make decisions that are properly balanced. Take the extra steps today in mapping your data inventory to protect your organization tomorrow.