Credit and debit cards play an ever-increasing role across sectors, especially in eCommerce. As per an
Take the example of a department store that has transformed its transaction processing applications to conform to PCI DSS requirements. Every new transaction is secure and compliant, except that a few merchandise returns are stored as digital images of the original receipt, and those images may include the credit card that was used, along with the customer's driver's license or other ID. These digital copies are probably kept in folders on a file server and tracked in a running spreadsheet.
When the company undergoes a PCI audit, it will very likely be able to show that all data for new transactions is secure, but it cannot prove that all PCI-relevant data is equally secure. In such a scenario, the company must either shut down the server, or manually review its entire contents and implement appropriate controls.
Regardless of the industry, the fundamental aspects of compliance remain the same. Enforcing compliance on unstructured data stored on SharePoint sites, NAS devices, file servers and the like, through access control, separation of duties and the ability to audit, is part of any compliance framework. Different industries may use different terminology, but all regulations involve the following:
- Control of data: Employees who store unstructured data on sites like SharePoint and Dropbox often, while merging data from different departments on these sites, accidentally create confidential data outside the business system. It is therefore important to ensure that access is limited to the people who should have it.
- Separation of duties: Companies should also make sure that too much power is not vested in one person or party, since that can lead to conflicts of interest. This is similar to access control, but is more about who should be able to access which types of data.
- Audit: Auditing is one of the most effective ways of substantiating that access control and separation of duties are in place and that rules are being followed. One of the key challenges with data governance is figuring out which data actually needs to be governed. If you don't know what data is out there, which of it needs to be secured and how exposed you are to risk, you cannot prove compliance to an auditor.
Besides the above steps, what else can the department store do? Solutions are available that discover and classify data, assess the related risk and point out where sensitive information is inadequately secured. The store could also proactively establish the correct rights for users, and restrict access through the same processes that grant rights across all other systems.
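What such discovery looks like in practice, as an added example that is not part of the original article and not any vendor's product: a small Python scanner that walks a file share, finds Luhn-valid card numbers in text files (for instance the running spreadsheet from the scenario above, exported as CSV), masks them in its report so the scan output itself does not become a new store of card data, and flags files that are world-readable. The directory layout, file names and file contents are constructed for illustration; scanned receipt images would need OCR first, which this example does not do.

```python
"""Discover and classify card data (PANs) in an unstructured file share.
Added example: not code from the original article or from any vendor."""
from __future__ import annotations

import os
import re
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds keep us from matching the middle of a longer digit run.
# Limitation: a PAN immediately followed by another digit group is taken as one
# long run and rejected; a production scanner would also test sub-windows.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); rejects most order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only first six and last four digits; the report must not leak full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    path: str
    masked_pans: list[str]
    world_readable: bool      # POSIX 'other' read bit; not meaningful on Windows


def scan_tree(root: str) -> list[Finding]:
    """Walk root, classify text files that contain card data, note weak permissions."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                   # a real tool would report unreadable files too
            pans = find_pans(text)
            if pans:
                mode = os.stat(path).st_mode
                findings.append(Finding(path, [mask(p) for p in pans],
                                        bool(mode & stat.S_IROTH)))
    return sorted(findings, key=lambda f: f.path)


def demo() -> list[Finding]:
    """Build a constructed 'returns' share in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="returns-")
    os.makedirs(os.path.join(root, "2014", "returns"))
    samples = {
        # constructed: the running spreadsheet exported as CSV, left world-readable
        ("returns_log.csv", 0o644):
            "date,customer,card,amount\n"
            "2014-03-02,J. Doe,4111 1111 1111 1111,49.99\n"
            "2014-03-05,A. Roy,5555-5555-5555-4444,120.00\n",
        # constructed: an order number and a phone number, neither a PAN
        ("2014/returns/note.txt", 0o600):
            "Order 1234567890123 returned without receipt; phone 9876543210\n",
        # constructed: a receipt transcript, owner-only readable
        ("2014/returns/receipt_0417.txt", 0o600):
            "DEPT STORE  VISA ****  4111111111111111  TOTAL 49.99\n",
    }
    for (rel, mode), content in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.path}: {', '.join(f.masked_pans)} [{flag}]")
```

Running it lists the CSV and the receipt transcript with masked card numbers, and the note with the order number is not reported because it fails the Luhn check. The permission flag is the "inadequately secured" signal from the paragraph above; on a real share the scanner would be extended to read ACLs (for example with the Samba or Windows security APIs) rather than only the POSIX mode bits.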
The IT department needs to tackle the numerous threats to company data while at the same time meeting multiple compliance regulations and internal policies. The right technology choices provide the needed data governance.
(About the author: This article has been written by Murli Mohan, Director & General Manager, Dell Software Group)
(Image: India Times)