Data security is and will always be one of the top priorities for every organisation. Data is not just a valuable asset - it is high-risk and often the primary target for threat actors. The risk of exposure has grown significantly as data moves into cloud apps. Consider this: according to the 2024 AppOmni State of SaaS Security Report, 30% of the 644 organisations surveyed suffered a data breach in their SaaS applications last year.
To that end, we’ve compiled a 13-point evaluation checklist that helps you quickly assess your organisation’s data security posture. The checklist is aligned with the DoD Zero Trust strategy, the CIS Controls, and our Security-First approach.
Identify:
- Data Management Process: Do you have a documented policy addressing data sensitivity, ownership, access controls, retention, encryption requirements and the organisation’s data security standards?
Tip: a successful data management process should be developed with business stakeholders’ engagement, so that it answers questions like: Who needs access to sensitive data? What kind of data is considered sensitive? How is sensitive data stored and transferred? When and how should sensitive data be deleted or archived?
- Data Inventory: the inventory should at least cover sensitive data together with who has access to it.
- Data Discovery and Classification: a data classification scheme combined with tooling that automates discovery, ideally connected to all of the organisation’s data stores, including cloud storage and cloud apps, and feeding the data inventory.
- Data Labelling: the labelling structure and tooling. Labelling is usually a mixture of user-applied and policy-applied labels.
Tip: Consider the potential for mislabelled documents and ensure you have controls in place to automatically identify and correct them, applying the appropriate labels in line with your policies.
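The following example is added here to illustrate the Data Discovery and Classification, Data Labelling and mislabelling points above; it is not code from the original post or from any product. It assumes a four-level classification scheme (public, internal, confidential, restricted), three illustrative content patterns, and constructed sample documents; in practice the scheme and patterns come from your data management policy. Each scanned document becomes an inventory entry that records the owner and readers alongside the applied and detected labels, and a document whose applied label is weaker than its content warrants is flagged and given the stricter label.

```python
import re
from dataclasses import dataclass

# Classification scheme assumed for this example (the post does not define one),
# ordered least to most sensitive so that labels can be compared.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Illustrative content patterns and the minimum label each implies.
PATTERNS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "internal"),
    "hr_keyword": (re.compile(r"\b(?:payroll|salary)\b", re.IGNORECASE), "confidential"),
    "card_number": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "restricted"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop card-number false positives (order refs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Document:
    path: str
    owner: str
    readers: list[str]   # principals with read access, as the inventory must record
    applied_label: str   # label a user or policy already put on the document
    text: str


@dataclass
class InventoryEntry:
    path: str
    owner: str
    readers: list[str]
    applied_label: str
    detected_label: str
    hits: dict[str, int]  # pattern name -> number of matches

    @property
    def mislabelled(self) -> bool:
        # A label less sensitive than the content warrants is the risky case.
        return LEVELS.index(self.applied_label) < LEVELS.index(self.detected_label)

    @property
    def corrected_label(self) -> str:
        # Never downgrade: keep whichever of the two labels is stricter.
        return max(self.applied_label, self.detected_label, key=LEVELS.index)


def discover(doc: Document) -> InventoryEntry:
    """Scan one document and derive the label its content implies."""
    hits: dict[str, int] = {}
    detected = "public"
    for name, (pattern, level) in PATTERNS.items():
        matches = pattern.findall(doc.text)
        if name == "card_number":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = len(matches)
            detected = max(detected, level, key=LEVELS.index)
    return InventoryEntry(doc.path, doc.owner, doc.readers, doc.applied_label, detected, hits)


def build_inventory(docs: list[Document]) -> list[InventoryEntry]:
    """Scan every document; callers filter the entries on mislabelled or detected_label."""
    return [discover(d) for d in docs]


# Constructed sample documents (not real data): a mislabelled document,
# a correctly labelled one, and a Luhn-rejected false positive.
SAMPLE_DOCS = [
    Document("hr/payroll-q3.txt", "alice", ["alice", "hr-team", "all-staff"], "internal",
             "Payroll summary. Corporate card 4111 1111 1111 1111 used for travel."),
    Document("eng/standup.txt", "bob", ["bob", "eng-team"], "internal",
             "Ping dana@example.com about the release notes."),
    Document("marketing/press.txt", "carol", ["everyone"], "public",
             "Order reference 1234567890123456 shipped on Monday."),
]

if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_DOCS):
        flag = "MISLABELLED" if entry.mislabelled else "ok"
        print(f"{entry.path}: applied={entry.applied_label} detected={entry.detected_label} "
              f"-> {entry.corrected_label} [{flag}] readers={entry.readers}")
```

The inventory entry deliberately keeps the reader list next to the detected label: a restricted document readable by "all-staff" is exactly the combination the Data Inventory item asks you to be able to see.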
Protect:
- Data Access Controls: What access controls are in place? This is one of the most crucial yet challenging questions to answer. The goal is to enforce role-based access control (RBAC) across your organisation's data - structured or unstructured - no matter where it resides. These controls should be applied consistently to both human and non-human identities.
Tip: consider the current controls in place, how they apply to data hosted in the cloud and in cloud apps, and your access entitlement review processes.
- Data Retention Enforcement: which tools currently detect stale data, how are they configured, and what actions do they apply to the data they identify?
- Data Encryption: evaluate the enforced encryption methods and protocols for data at rest, in transit, and on removable media.
- Data Loss Prevention (DLP): what DLP controls does the organisation have? At a high level, consider the controls applied to all possible outbound channels (web, email, network, endpoints, cloud apps, and APIs), and how they are configured, monitored, and optimised.
- Data Controls on End-User Devices: this splits into disk-level encryption and endpoint DLP controls.
- Segmentation: how is sensitive data segregated? Storing and processing sensitive data on the same assets as non-sensitive data increases the risk of data breaches or abuse.
Detect:
- Log Sensitive Data Activity: evaluate the existing logging capabilities for data access, modifications, and sharing. These logs are valuable for audits and investigations.
- Anomaly Detection: which tools monitor data access activities? Evaluate how well they detect suspicious behaviour, raise alerts, and integrate with your wider security operations.
Respond:
- Response Capabilities to Detected Data Threats: it’s important to include data-centric detections and alerts in the organisation’s wider Threat Detection and Response (TDR) solution, for example when data is shared publicly by mistake, on data exfiltration attempts, or on any suspicious user behaviour.
Tip: Ask yourself: Do you have full visibility into your data activity? If someone were to abuse their access, how quickly would you know and respond?
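The following example is added to illustrate the Detect items (logging and anomaly detection over data activity) and the Respond item (data-centric alerts that feed the wider TDR solution); it is not code from the original post or from any product. It assumes a constructed JSON-lines data-activity log with the fields ts, user, action, object, label and scope, and the same public/internal/confidential/restricted labels used earlier. Two detections run over the log: a fixed rule for a sensitive object shared to public scope, and a per-user volume baseline that flags a day in which a user reads far more sensitive objects than on their own earlier days. Each alert is a plain dict so it can be serialised and forwarded to a SIEM or TDR platform.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SENSITIVE = {"confidential", "restricted"}   # labels assumed by this example


def make_sample_log() -> list[str]:
    """Constructed data-activity log (JSON lines), not from any real system.

    alice and bob read a handful of sensitive files a day; on the last day alice
    reads far more than her baseline, and carol shares a restricted file publicly.
    """
    start = datetime(2024, 6, 3, 9, 0)
    per_day = {"alice": [2, 3, 2, 3, 40], "bob": [2, 2, 3, 2, 2]}
    lines = []
    for user, counts in per_day.items():
        for day, n in enumerate(counts):
            for i in range(n):
                ts = start + timedelta(days=day, minutes=i)
                lines.append(json.dumps({"ts": ts.isoformat(), "user": user, "action": "read",
                                         "object": f"finance/report-{i}.xlsx",
                                         "label": "confidential", "scope": "internal"}))
    share_ts = (start + timedelta(days=4, hours=2)).isoformat()
    lines.append(json.dumps({"ts": share_ts, "user": "carol", "action": "share",
                             "object": "hr/payroll-q3.txt", "label": "restricted", "scope": "public"}))
    lines.append(json.dumps({"ts": share_ts, "user": "carol", "action": "share",
                             "object": "marketing/press.txt", "label": "public", "scope": "public"}))
    return lines


def parse_events(lines: list[str]) -> list[dict]:
    """Parse JSON lines and convert the timestamp field to datetime."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def public_share_alerts(events: list[dict]) -> list[dict]:
    """Rule: a sensitive object shared to public scope is always an alert (accidental exposure)."""
    return [
        {"rule": "public_share_of_sensitive", "user": e["user"], "object": e["object"],
         "label": e["label"], "ts": e["ts"].isoformat(), "severity": "high"}
        for e in events
        if e["action"] == "share" and e["scope"] == "public" and e["label"] in SENSITIVE
    ]


def volume_alerts(events: list[dict], factor: float = 3.0, min_reads: int = 10) -> list[dict]:
    """Rule: a user's sensitive reads on their latest day far exceed their own earlier baseline."""
    daily = defaultdict(Counter)   # user -> {date: count of sensitive reads}
    for e in events:
        if e["action"] == "read" and e["label"] in SENSITIVE:
            daily[e["user"]][e["ts"].date()] += 1
    alerts = []
    for user, counts in daily.items():
        days = sorted(counts)
        if len(days) < 2:
            continue   # no earlier days, so no baseline to compare against
        baseline = [counts[d] for d in days[:-1]]
        latest = counts[days[-1]]
        # min_reads floors the threshold so a quiet user is not flagged for a trivial increase.
        threshold = max(min_reads, mean(baseline) + factor * pstdev(baseline))
        if latest > threshold:
            alerts.append({"rule": "sensitive_read_volume", "user": user, "day": days[-1].isoformat(),
                           "count": latest, "baseline_mean": round(mean(baseline), 1),
                           "threshold": round(threshold, 1), "severity": "medium"})
    return alerts


def run_detections(lines: list[str]) -> list[dict]:
    """Run every detection over the log and return the combined alert list."""
    events = parse_events(lines)
    return public_share_alerts(events) + volume_alerts(events)


if __name__ == "__main__":
    for alert in run_detections(make_sample_log()):
        print(json.dumps(alert))
```

The volume rule compares each user only with their own history, which is what keeps a busy finance analyst from being flagged for doing a normal day's work while still catching a sudden jump; the share rule needs no baseline at all, because a restricted object in public scope is wrong regardless of who did it.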
A mature data security program relies on both well-defined policies and effective technical controls. Policies alone cannot provide protection without the right technology to enforce them, and technical controls require clearly defined policies to deliver optimal security. Multiple technology solutions must work together to provide the full suite of capabilities needed to enforce your organisation’s data security policies.
How does your organisation’s data security stack up? Contact us for a complimentary data risk assessment. We’ll help you discover critical data risks, provide remediation guidance, and offer expert advice to address your data security challenges, wherever your data resides!