The Role of Information Governance in Incident Response Planning

Information governance policies need to be constantly updated to address new cybersecurity threats


In the ever-expanding world of technology, new threats and challenges present themselves almost as quickly as the old challenges are addressed. This constant ebb and flow dictates that information governance and data management policies and procedures be constantly refreshed to address the new threats. A new study by Malwarebytes looked at 540 companies with a combined 3 million employees in the U.S., Canada, Germany and the UK. Nearly 40% of the businesses had been hit by ransomware over the last year. Additionally, Morgan Stanley's AlphaWise research division surveyed 117 key decision-makers responsible for the engines of Internet of Things growth earlier this year and found that 90% of designers are incorporating connectivity products into new designs.

With these new technologies and increased occurrences of cybercrime, businesses are left wondering where their key data is located when trying to protect critical IT assets. Through the use of data mapping techniques, effective data tracking, disaster recovery policies, and education, businesses can make strides in obtaining a thorough understanding of where key data is, and prevent the loss of data.

Key Findings

Data Mapping
The key to combating the changing landscape of cybercrime and technological advancement is knowing what systems are accessing your network and where key datasets reside. Creating a detailed accounting of the IP address, physical location, category of device, and data contents assists IT managers, external auditors, forensic examiners, and legal teams with the tasks they will undertake to prevent, respond to, or recover from an attack.

When creating a data map, companies should consider, at a minimum, the following questions:

  • What types of data are collected/created/stored?
  • What types of devices are used/permitted within the organization?
  • Do we have an acceptable use policy?
  • Where is the data physically located (e.g., the building or location)?
  • Where is the data logically stored (e.g., the electronic location within a server)?
  • Is encryption used? If it is, what encryption standard is being used?
  • Who is the owner/custodian/manager of the data?
  • Who in the organization has access to the data?
  • Who outside the organization has access to the data?
  • What legal jurisdictions govern the data?
  • What is the retention schedule applied to the data?
  • What happens to devices of former employees?

Guidance from the National Institute of Standards and Technology (NIST) recommends that all PII residing in the organization should be identified, and the use, collection, and retention of PII should be limited to what is strictly necessary to accomplish a business purpose.

A practical data map includes a matrix that identifies and associates the primary attributes of the data map to each system within the organization. Such attributes include responses to the questions above and, depending on the detail of the map, may also include identification of the subject matter expert, format of the current system, backup policies, whether there is personally identifiable information (PII) within the system, and the safeguards applied to protect the PII. Organizations with a large number of systems may consider prioritizing which systems should be included in the data map. Once an organization defines the population of systems to be included in the data map, it may be necessary to further classify the system based on the data within the system. For example, a system containing PII, confidential information, classified information, or data with a high intellectual property value may be prioritized above other types of systems holding less sensitive data.

Along with the matrix, the organization or consultant should prepare a written report detailing the systems reviewed and describe any gaps identified through the data mapping process. In order to allow for efficient future maintenance and updating of the data map, the organization should detail the steps taken to create the data map.

NIST further recommends that companies categorize all PII by its confidentiality impact level and apply the appropriate safeguards for PII based on those impact levels.

If the organization suffers a data breach, a systematic search for PII will need to be executed so that the company can identify any exposed PII and then notify customers of the type of sensitive information that was exposed. In this scenario, the data repositories would be programmatically searched for sensitive information including valid social security numbers, tax identification numbers, credit and debit card numbers, specific driver's license patterns across all 50 states, passport numbers, and other PII terms.

Once a data map is developed, it allows a company to properly account for data within the organization, which helps ensure that tracking, disaster recovery, and incident response plans are appropriately scaled to address all areas of the business.


Data Tracking
It is not enough to merely know where your company’s data is stored. In order to effectively prevent, detect, and respond to cyber incidents, companies need to know where their data is going, how it is being transmitted, and what systems are being accessed. Through the use of logging, data loss prevention (DLP) software, and constant auditing of systems, key decision makers and information security professionals can identify the paths that data takes, in order to identify vulnerabilities and gaps in security.

Firewall hardware, security software, and other computing devices often contain features that allow for tracking of inbound, outbound, and internal activities. Using the logging features of these devices allows for detection of unauthorized activity as it happens. This information is also invaluable to information security professionals when investigating and responding to security incidents. Another tool in combating data security issues is DLP software. These software applications either deny certain activities or require the user to affirmatively acknowledge that an activity they are taking deviates from policy. In either case, the action is logged and can be reviewed later.

Similar to DLP software, companies should employ mobile device management (MDM) software. MDM software ensures that the policies applied to computers and similar devices are equally applied to mobile phones and tablets.

Tracking data sources using logging, DLP, and MDM software assures IT managers that if disaster strikes, the root cause and the sources to be restored can be identified.

Disaster Recovery
The question is not if your company will suffer a major data disaster. In this day and age, the question is when will the major disaster occur, and more importantly, are you prepared? The need for business continuity planning (BCP) is essential when responding to a critical loss of data caused by cybercrime such as ransomware or as a result of a data breach. A proper BCP serves as an insurance policy that can be executed upon in the event of data loss due to cybercrime or technical challenge.

According to NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems, a BCP should be developed using the following process:

  1. Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
  2. Conduct the business impact analysis. The business impact analysis helps to identify and prioritize critical IT systems and components.
  3. Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs.
  4. Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.
  5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
  6. Plan testing, training, and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall preparedness.
  7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

Education and Training
The training that companies develop or provide for their employees should address not just internal policies and procedures, but also common techniques used in data security incidents (such as social engineering) and the dangers of high-risk activities (such as clicking unknown links in emails).

All the preparation, data tracking, and disaster recovery planning in the world is a waste if key stakeholders such as CIOs, CTOs, employees, and IT professionals are not properly trained in your incident response plan. They should also be educated on proper data security and best practices for passwords, data encryption, and incident reporting.


With the constant specter of cybercrime, insider theft of data, and data loss disasters, businesses must ensure they have a complete understanding of where their data resides and what data they maintain. By creating a data inventory, activating data tracking, creating disaster recovery policies, and conducting proper employee training, businesses can ensure that they are well protected when a data incident occurs.
