Governments and public agencies that focus their identity management efforts solely on systems and applications could fall short of closing critical cybersecurity and compliance gaps associated with citizen data.
This is because data rarely sits still within a secure structured database. For instance, a state education department administrator compiling a report on the student population may access sensitive data from the learning management system (LMS) and then place that data into a presentation.
A county health department staff member doing research may export a set of data that includes personally identifiable information (PII) and protected health information (PHI) from a clinical system, only to save it into a spreadsheet. This data is then typically stored in network file shares, SharePoint and cloud drives. These locations are prone to exposing sensitive citizen information to prying eyes.
What’s at risk and what can be done?
Whether from hackers with malicious intent or insiders who lack awareness of security practices, the threat of unintended exposure of sensitive data is always present. With information scattered in different files in various on-premises and cloud locations, that risk likely increases.
Governments and public agencies must also concern themselves with meeting a variety of regulatory requirements. For instance, law enforcement agencies are subject to Criminal Justice Information Services (CJIS) audits. Health departments must abide by Health Insurance Portability and Accountability Act (HIPAA) regulations. And IRS Publication 1075 compliance applies to all tax and revenue departments. Failing to comply with such regulations can result in significant financial consequences and a tarnished reputation.
So how do governments and public agencies successfully drive toward compliance and security? The three key steps below outline how to inventory and classify sensitive data, establish governance around access to the data, and assign ownership:
- Discover and Prioritize – Taking control first requires locating where sensitive data resides and then prioritizing which data sets to focus your attention on.
- Assess and Implement Controls – To effectively govern access to sensitive data, it is critical to identify who has access and remove excess permissions. A governance model that correctly identifies users who have the business justification to access specific types of sensitive data can then be instituted.
- Empower Data Stewards – It is essential that governments and public agencies determine and designate appropriate data stewards who have knowledge of and familiarity with the data to properly administer access to it.
To dive deeper and to better understand how governments and public agencies can mitigate security and compliance risks, read The 3 Steps for Securing Sensitive Citizen Data.