It is not possible to protect and secure all data and systems in an organization. It would be too expensive, too time-consuming and, above all, would slow down your operations. You must balance security measures against their impact on the business. Determine the value added, identify the flows that create that value, and then decide the level of protection these systems and data require.
To illustrate the method for identifying critical operations and data, I will use the example of 123House. It is a company that provides maintenance services (repair, cleaning and gardening) for its clients, hotels and property management specialists. Clients make appointments online or by phone. The company assigns a worker to the address, the worker does the job, and 123House sends the invoice at the end of the month.
Step 1: Determine the value added
I can’t say it enough. The first step is always to understand the value added to customers. Whatever improvements you want to make, you need to think in terms of customer and value. It is from this added value that you will decide what to do, because it will help you protect only what is necessary.
I assume that you know your customers and what they are looking for. You have identified what sets you apart from your competitors and your competitive advantage.
For 123House, the added value is the online appointment system, which makes life easier for its customers. 123House knows that customers appreciate its billing management, which compiles all activity into a single invoice while keeping the detail each customer needs for its accounting. Finally, it is the deadlines offered and respected that distinguish 123House from the competition.
Step 2: Identify your workflows
The second step is to go down one level from the value chain to identify critical operations and data.
The analysis of the whole value chain can take time, so I suggest you focus on the key elements, and the added value compared to the competition. Beyond what is essential to your operations, you need to protect what sets you apart.
How do you carry out these activities in particular? Which system(s) do you use? What data do you handle? If you don’t have a clear idea, now is the time to go to the Gemba and observe these operations. Ask your teams to describe the process step by step. At first, focus on the standard operation; you will look at the exceptions later.
Alina, the operational manager of 123House, had a module developed on the website to manage appointments. But Alina doesn’t know how it works, or even where the data is stored. The provider created a form, and the requests arrive in a SharePoint site. Detailed billing is done by Miguel, a clerk. He receives information on paper from the operational teams, copies it into Excel, compiles it and then produces a summary with all the data each client needs.
Finally, the deadlines are the result of Alina’s experience: she estimates the time required for each intervention and organizes the teams’ agenda using a task assignment system. Teams receive their assignments on their phones, which saves them time, since there is no need to come back to the office to find out what to do. They fill out the paper forms and bring them back to the office when they come in, once a week. Once again, it is the clerk, Miguel, who keeps the system running. He shares the information with Alina so that she can update the timeframes offered on the website according to the current load.
Step 3: Determine the level of protection for these systems and data
The critical operations and data you have identified should be grouped by data type or system. For each system or dataset, you will complete a grid with three information properties. Here I use the classic CIA: Confidentiality, Integrity and Availability.
Depending on your preference, you can use a scale of three to five levels. Here is an example of a three-level grid.
| Property | High | Medium | Low |
|---|---|---|---|
| Confidentiality | Confidential data: employee personal information, strategic plan, customer files | Private data: internal documentation, company organization chart, employee contact information | Public data: catalog, product sheets, press releases |
| Integrity | Financial statements, website contact information, logistics inventories, quality data and traceability | Product data sheets, production data | Public or informational website pages |
| Availability | Less than 24 hours | A few days to a week | More than a week |
Critical systems are those that store or process data with high confidentiality, integrity and/or availability scores.
Do you have non-critical, but confidential data?
I distinguish between two types of data to be protected: sensitive data and critical data.
Critical data: necessary for production in the value chain. They are not necessarily confidential, but they require a high level of availability. These include production orders, stock and inventory, machine parameters, assembly drawings, and your code or algorithms.
Sensitive data: confidential, but not essential for production. It must be protected from unauthorized access or disclosure. Each country has laws that define what counts as personal data and how to protect it. This includes, for example, data from Human Resources or Finance.
In both cases, you want to protect data, but not necessarily in the same way, nor with the same impact. If your machine settings are stolen, it will take a lot of investment to replicate your product. On the other hand, stealing an algorithm can quickly undermine your competitive advantage. Similarly, fines for theft of sensitive data vary widely.
Finally, you may have sensitive and critical data, for example, financial transactions of your customers, or medical data needed for surgery.
On the other hand, if you have a lot of sensitive but non-critical data, this is also the time to question the value of that data. Do you need to keep it that long? Is it better to invest in protecting it or destroying it? Reducing your scope is a great way to reduce your attractiveness. And if you have data all over the place, a virtual 5S is the right tool to sort through your documents.
Example of analysis to determine the level of protection required
The appointment system cannot be interrupted for more than two days. Your customers don’t have emergencies; you do general building maintenance, so you have a little leeway, and this system can be down for a day or two. Appointments can always be taken by phone if needed, but this keeps Alina from working on what brings more value.
On the other hand, this system contains the personal information (name, first name, address, telephone, e-mail) of your customers, as well as a detailed description of the work to be done on their premises. This is moderately sensitive data. Finally, the data must not be modified, otherwise you will go to the wrong customer or fail to honor your commitments.
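To show how the three-level grid and the critical/sensitive distinction from Step 3 come together, here is the appointment-system analysis carried as a small scoring model. This is an added example, not code from the original article or anything 123House uses. The appointment-system ratings are my reading of the two paragraphs above (moderately sensitive data, data that must not be modified, at most two days of downtime); the public-website entry and its downtime figure are assumptions added for contrast.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The three levels of the grid; higher means more protection is needed."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def availability_level(max_downtime_hours: float) -> Level:
    """Map the longest tolerable outage onto the grid's availability row:
    less than 24 hours -> HIGH, a few days to a week -> MEDIUM, more -> LOW."""
    if max_downtime_hours < 24:
        return Level.HIGH
    if max_downtime_hours <= 7 * 24:
        return Level.MEDIUM
    return Level.LOW


@dataclass(frozen=True)
class SystemRating:
    """One row of the protection grid for a system or dataset."""
    name: str
    confidentiality: Level
    integrity: Level
    max_downtime_hours: float  # longest outage the business can absorb

    @property
    def availability(self) -> Level:
        return availability_level(self.max_downtime_hours)


def is_critical_system(r: SystemRating) -> bool:
    """A critical system scores HIGH on at least one of the three properties."""
    return Level.HIGH in (r.confidentiality, r.integrity, r.availability)


def data_types(r: SystemRating) -> set[str]:
    """'critical' data keeps production running (integrity or availability HIGH);
    'sensitive' data is confidential (confidentiality HIGH). A system can hold both."""
    labels = set()
    if r.integrity == Level.HIGH or r.availability == Level.HIGH:
        labels.add("critical")
    if r.confidentiality == Level.HIGH:
        labels.add("sensitive")
    return labels


def protection_order(ratings):
    """Order systems for the protection budget: highest single score first,
    then how many properties sit at that score, then name for stability."""
    def key(r):
        scores = (r.confidentiality, r.integrity, r.availability)
        top = max(scores)
        return (-top, -scores.count(top), r.name)
    return [r.name for r in sorted(ratings, key=key)]


# Ratings read from the 123House analysis: moderately sensitive personal data and
# work descriptions, data that must not be modified, at most two days of downtime.
APPOINTMENT_SYSTEM = SystemRating(
    name="appointment module (SharePoint)",
    confidentiality=Level.MEDIUM,
    integrity=Level.HIGH,
    max_downtime_hours=48,
)

# Constructed for this example: public pages rated from the grid's "public data"
# and "informational website pages" cells; the downtime figure is an assumption.
PUBLIC_PAGES = SystemRating(
    name="public website pages",
    confidentiality=Level.LOW,
    integrity=Level.LOW,
    max_downtime_hours=14 * 24,
)

SYSTEMS_123HOUSE = [PUBLIC_PAGES, APPOINTMENT_SYSTEM]


def render_grid(ratings) -> str:
    """Plain-text grid, one line per system, in protection order."""
    by_name = {r.name: r for r in ratings}
    lines = [f"{'system':<32} {'C':>6} {'I':>6} {'A':>6}  critical  data types"]
    for name in protection_order(ratings):
        r = by_name[name]
        lines.append(
            f"{r.name:<32} {r.confidentiality.name:>6} {r.integrity.name:>6} "
            f"{r.availability.name:>6}  {str(is_critical_system(r)):<8}  "
            f"{', '.join(sorted(data_types(r))) or '-'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_grid(SYSTEMS_123HOUSE))
```

Two days of tolerable downtime lands the appointment module on the middle availability level, yet the system is still critical because its integrity requirement is high; that is exactly why the grid is filled per property rather than with a single score. Adding the billing spreadsheet and the task assignment system as further rows is a matter of agreeing on their ratings during the Gemba walk.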
And then what to do with critical operations and data?
We started with your value chain, we identified the critical operations and data. From there, we determined the need for protection for each system used.
You can now decide which solutions will give you the appropriate levels of protection. You know your operational constraints, so all that remains is to obtain quotes to adequately protect these critical systems and data.
For example, for the appointment management system, Alina will contact the supplier and check where and how the data is stored. She needs to know whether the current setup is appropriate. She will then see how to improve it and what options this provider offers.
Since Miguel stores the data in cloud storage, you simply need to verify that the backup is working by attempting to retrieve the previous day’s file one morning. Next, you’ll need to document how he does it, because in the end, he is the most critical element in the process. If he were to leave the company, no one would know what to do.