EDITORIAL: Do We Need to Add a “Data Inventory” to the SSP?
The System Security Plan (SSP) contains three major architectural artifacts…is it time for a fourth?
The SSP and its three sub-components are key elements for assessors, Authorizing Officials, and potentially future litigation. The current three are the:
- Hardware List
- Software List
- Network Diagram (or Topology)
In the age of data protection and privacy, is it not imperative that we have a Data Inventory? Do companies and agencies know where their vital data is and who is protecting it? Data that could include privacy information, Intellectual Property (IP), Controlled Unclassified Information (CUI), personal health records, etc. needs to be known not just for cybersecurity and privacy purposes, but also because of growing State "protect or be FINED" laws.
New York and California are expanding such laws. Specifically, current deadlines are fast approaching for California and the California Consumer Protection/Privacy Act (CCPA).
It’s time we add the Data Inventory
What would have to be part of such an inventory? Here are a few suggested areas that should be added to better track data within a company or agency's IT environment.
- Locations of all database repositories (physical locations)
- Is a Cloud Service Provider being used?
- What specific data security protection controls are being used? (NIST, ISO 27001, etc.)
- Is there shared security protection in place?
- Is there an active Service Level Agreement (SLA)?
- How often is it reviewed?
- How often is it monitored?
- Number of current records
- Types of information stored (IP, PII, PHI, etc.)
- Whether the data is encrypted (Data at Rest (DAR) encryption requirements)
- What product is being used for DAR encryption?
- Privileged Users with elevated privilege access (System Administrators, Database Administrators, etc.)
- What product(s) are being used to track unauthorized access/use? (Automated audit log reviews)
- Insider Threat protections and programs
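As an added illustration (not part of the editorial), here is a minimal Python model of such a Data Inventory that checks each entry against the attributes listed above and reports the gaps an assessor would flag. The repository names, locations, products and thresholds are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Data types the editorial names as needing protection.
SENSITIVE_TYPES = {"PII", "PHI", "IP", "CUI"}

@dataclass
class DataRepository:
    """One Data Inventory entry, modelled on the attributes listed above."""
    name: str
    location: str                      # physical location of the repository
    cloud_provider: str | None         # None when hosted on-premises
    control_framework: str | None      # e.g. "NIST SP 800-53", "ISO 27001"
    has_sla: bool                      # active Service Level Agreement?
    review_interval_days: int | None   # None = never reviewed
    record_count: int
    data_types: set[str] = field(default_factory=set)
    dar_encrypted: bool = False        # Data at Rest encryption in place?
    dar_product: str | None = None
    privileged_users: list[str] = field(default_factory=list)
    audit_tool: str | None = None      # automated audit-log review product
    insider_threat_program: bool = False

def review_entry(repo: DataRepository, max_review_days: int = 365) -> list[str]:
    """Return the inventory gaps for one entry (empty list = no findings)."""
    findings = []
    sensitive = repo.data_types & SENSITIVE_TYPES
    if sensitive and not repo.dar_encrypted:
        findings.append(f"{repo.name}: {sorted(sensitive)} stored without DAR encryption")
    if repo.cloud_provider and not repo.has_sla:
        findings.append(f"{repo.name}: hosted with {repo.cloud_provider} but no active SLA")
    if repo.control_framework is None:
        findings.append(f"{repo.name}: no security control framework identified")
    if repo.review_interval_days is None or repo.review_interval_days > max_review_days:
        findings.append(f"{repo.name}: not reviewed within {max_review_days} days")
    if sensitive and repo.audit_tool is None:
        findings.append(f"{repo.name}: sensitive data with no automated audit-log review")
    return findings

def review_inventory(inventory: list[DataRepository]) -> list[str]:
    return [f for repo in inventory for f in review_entry(repo)]

# Constructed sample inventory: hypothetical systems, not from the editorial.
SAMPLE_INVENTORY = [
    DataRepository("hr-db", "Bldg 4, Room 210", None, "NIST SP 800-53", True, 90,
                   12_000, {"PII"}, True, "LUKS", ["dba01"], "example-siem", True),
    DataRepository("patient-portal", "us-east-1 (constructed)", "ExampleCloud", None, False,
                   None, 250_000, {"PHI", "PII"}, False, None, [], None, False),
]
```

Running `review_inventory(SAMPLE_INVENTORY)` yields no findings for the on-premises HR database and five for the cloud-hosted patient portal.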
What do you think?
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.