If you are a global manufacturer with locations in North America, Europe or Asia and use cloud-based solutions for CRM, ERP and marketing automation, you are likely concerned about compliance risks and audits that can result in heavy fines for violations. As a CIO or CISO with a limited budget left for this year, this is an area where year-end effort can give you useful insight now and reduce risk in the long run.
Consider data masking solutions for sensitive data to save costs on global transformation projects.
If you hold sensitive data with regulatory restrictions, such as data that cannot be shared outside the U.S., you should consider investing in a test data management solution with synthetic data generation capability. Many private companies tend to ignore or defer this risk for a long time, until it becomes a major issue blocking them from going public or from achieving SOC 2 compliance.
Given the nature of the global team supporting your solution in different countries and the need for cost-effective offshore teams to provide long-term support, global CISOs should look at test data management as a risk mitigation effort to reduce costs. If you are in the middle of planning for an ERP upgrade or CRM transformation, project plans should address this need as critical, saving you money in the long run. For example, one of my clients is currently facing a significant cost upsurge to keep resources in the U.S. to mitigate the risk of exposing sensitive data outside of the U.S. in the middle of a global transformation project.
Proactively monitor PII with systems.
If you are a global manufacturer, PII classification is subject to different regulations of countries and U.S. states because of the sensitive, core and confidential nature of the data. On top of that, GDPR compliance in Europe has different rules on PII, which can make it more demanding and complicated to maintain. Most manufacturers leverage data governance teams to maintain a repository of PII across systems and take risk mitigation efforts accordingly.
However, data changes daily as call center or sales teams enter contact information in free-text or note fields, which makes PII much harder to manage and monitor. Data monitoring solutions that proactively scan event logs for PII and report violations reduce, in the long run, the significant time spent maintaining PII data dictionaries across systems. CISOs and CDOs should be looking at the following initiatives to reduce their sensitive data risk.
1. Processes to manage data catalogs across systems for PII.
2. Control and process owners identified across applications to monitor access and management of PII.
3. Implementation of proactive event log monitoring solutions, which can monitor PII in real time and report on violations.
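The following is an added example, not code from the original article, covering both the data masking point earlier and the proactive PII monitoring initiatives listed above: it scans free-text note fields in constructed CRM event records for PII patterns, reports each violation with the responsible user, and emits a pseudonymized copy of the record that could be handed to an offshore or test environment. The field names, regex patterns and HMAC key are assumptions for illustration.

```python
import re
import hmac
import hashlib
import json

# Constructed CRM/call-center events: agents paste PII into free-text "notes".
SAMPLE_EVENTS = [
    {"id": 1, "user": "agent01", "field": "notes",
     "text": "Customer asked for callback at 415-555-0123, email jane.doe@example.com"},
    {"id": 2, "user": "agent02", "field": "notes",
     "text": "Follow up on quote Q-1001 next Tuesday"},
    {"id": 3, "user": "agent03", "field": "notes",
     "text": "SSN given over phone: 123-45-6789 for credit check"},
]

# Assumed patterns for illustration; a real deployment needs a fuller PII taxonomy.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

def find_pii(text):
    """Return a list of (kind, matched_value) pairs found in a free-text field."""
    hits = []
    for kind, pat in PII_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pat.finditer(text))
    return hits

def pseudonymize(value, key):
    """Deterministic token via HMAC-SHA256: the same input always maps to the
    same token (so joins across masked tables still line up), but the raw
    value cannot be recovered without the key. Key is an assumed secret."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<masked:{digest}>"

def scan_events(events, key):
    """Report PII violations per event/user and return a masked copy of each
    event that is safe to share with a test or offshore environment."""
    violations, masked = [], []
    for ev in events:
        clean = ev["text"]
        for kind, val in find_pii(clean):
            violations.append({"event_id": ev["id"], "user": ev["user"], "kind": kind})
            clean = clean.replace(val, pseudonymize(val, key))
        masked.append({**ev, "text": clean})
    return violations, masked

if __name__ == "__main__":
    found, safe = scan_events(SAMPLE_EVENTS, b"replace-with-vaulted-key")
    print(json.dumps({"violations": found, "masked": safe}, indent=2))
```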
Audit logs and processes for violations on user provisioning as a year-end process.
As a global CIO or CISO, you should always weigh the risk of access to sensitive data and the threat of unwanted access, which can bring down applications and cause large losses for the business. One item often missing from business continuity plans is how access to cloud applications with system admin privileges or to sensitive data is granted. To reduce application access risk, the following year-end initiatives on cloud applications go a long way.
1. Define process owners who will report on users with access to system admin permissions and validate that access.
2. Define control owners who will be in charge of making decisions on access violations and reporting to governance boards for future learning.
3. Add excess-permission findings to the adoption reports provided by cloud vendors so that the business can see the risk and act on it. Removing unwanted access can also downgrade licenses and save money.
4. Report on security controls for applications, define the list of users who have excess access and have the business explain the need for permissions on an ongoing basis.
5. Review access for temporary users across applications, with controls and processes to report on them and to transfer their permissions to the right users so business activities are not disrupted.
To summarize, if you are in the middle of a global transformation project that involves huge upgrades to your CRM, ERP or marketing automation systems, you should be looking at the following.
1. Investing in projects exploring test data management solutions with synthetic data options to reduce sensitive data access globally.
2. Proactive monitoring of PII data solutions and controls and process owners to manage PII data globally.
3. Year-end review of system admin and sensitive data access in your cloud applications, with processes to reduce unwanted user access and save license costs.