On behalf of my co-author, Corey Carpenter, greetings from RSA® Charge in Dallas, TX, the biggest GRC stampede around! We're knee deep in exciting announcements this year, including several new partner interoperability offerings. And of course let's not forget the official launch of RSA Archer® 6.3, with the latest additions to our Regulatory & Corporate Compliance solution domain: RSA Archer Data Governance and RSA Archer Privacy Program Management!
For many years, organizations have wrestled with the daunting task of protecting data in their business operations. The forthcoming European Union (EU) General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, has gathered much attention and is certainly a hot topic of conversation around RSA Charge this week. The EU-GDPR places an increased emphasis on the importance of managing EU resident personal data and the consequences for failing to adequately do so.
The concepts of data governance and protection, while not new, have been pushed to another level under the EU-GDPR as organizations must ensure they clearly understand and adequately protect the EU resident personal data that they collect and use, and retain it appropriately with an increased accountability and transparency to consumers. While this aspect of GDPR may represent a "new normal" for many organizations, to a large extent we believe it merely reinforces what practitioners in the information security and risk domains have known for years. Whether the exercise is driven by regulatory exposure through EU-GDPR, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or other similar standards; or simply battling the general risks that information thieves pose to everyone, the concept of data protection has always been critical in managing overall information risk.
As organizations in every market continue to face the ongoing risk of data breaches and the devastating fallout that can occur, in many respects compliance obligations merely underscore an already pressing business need to proactively maintain vigilant operational security processes and due care as critical elements of a sound risk management program. Whether the target is personally identifiable information, or corporate intellectual property, the techniques and approaches are often similar. In today's world of high stakes information thievery and corporate espionage, organizations must protect all types of sensitive data to survive.
Establishing effective controls to protect sensitive information begins with a clear understanding of what those information assets are. Where do they live? How are they used? How does that sensitive data flow into and out of our organization? How are third parties involved? How long should we keep the data? Questions like these may seem simple enough, but they often reveal a complex web of interconnected data siloes that companies struggle to understand and protect.
Enter RSA Archer Data Governance and RSA Archer Privacy Program Management…
RSA Archer Data Governance is designed to help document and understand the flow of key information assets in an organization. What are the entry points for that data? Is it collected through an internal process or third party? Where is it stored, sent, and shared? These types of important details can be documented and tied to the appropriate Notice/Consent statements using RSA Archer Data Governance. As sensitive data is processed and moved from system to system, those critical data flows can be clearly understood and documented, along with relevant data retention and disposal requirements. With a complete picture of the entire data environment, the organization is empowered to demonstrate proper governance and accountability.
RSA Archer Privacy Program Management is designed to help organizations assess the privacy impacts of their data environments and measure the resulting risks. As organizations communicate with regulators to answer questions, respond to inquiries, or even declare a data breach, they can utilize RSA Archer Privacy Program Management to document and manage those communications. For organizations still working through the process of documenting their data environments, this use case also can assist in understanding data inventory scope boundaries through questionnaires to key stakeholders such as application and information processing owners.
Did you know that companies with mature risk management programs are measurably more profitable? How would information like that resonate with your executive management? There's no better place to explore these topics with global experts than right here at RSA Charge, the largest GRC gathering on the planet! Stop by the demo pods in between your learning sessions for a look at the latest and greatest features in RSA Archer 6.3. You can also follow #RSACharge to catch trending conversation topics this week on Twitter.