
What, Where, When, Who, Why

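A data map is very important not only for e-discovery but also for cybersecurity. Digital data keeps growing, and in siloed repositories critical corporate information sits unmanaged and exposed to vulnerabilities. A quiet period with no particular litigation work or security incident is a good time to prepare for data mapping. It is essential to go around the sites, collect the information below, and summarize it.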

  • What data is being stored?: Examples include data types like email, work product documents, audio/video files, databases, texts, collaboration data, social media content, cloud based platforms, hard copy documents – and potentially much more.  It’s important to identify a standard list of as many of the data types you can up front while remaining flexible to adding data types when interviewing specific custodians who may be tracking certain types of data not being tracked elsewhere.
  • Where is it being kept?: In other words, what physical location or device location does the data reside.  Examples could include everything from accounting file room/file server/software application to workstations checked out to individuals to even Bring Your Own Device (BYOD) devices like iPhones.  Again, it’s a good idea to start with specific standard classifications that you can supplement as you gather more information.
  • When do we need to keep/destroy it?: Of course, that includes retention/destruction schedules and when the information was created in the first place, so you know what data is ready for destruction.  Your Data Map should be able to point you to those ten year old accounting reports that need to be deleted or shredded because you’re only required to retain them for seven years; in fact, if you’re maintaining and tracking your Data Map regularly, those reports should be long gone before then.
  • Who is responsible for the data?: The specific custodian or department responsible for it; for example, Payroll keeping pay stubs, the HR coordinator keeping health insurance forms, etc.  Those are the obvious ones, especially within your organization’s facility or servers.  What about responsibility for maintaining/archiving collaboration conversations on Slack?  Or responsibility for customer data on Salesforce when you may receive Data Subject Access Requests (DSARs) from individual customers for whom you’re tracking data that may be subject to General Data Protection Regulation (GDPR) privacy laws?  Those data sources have to be addressed as well, among many others.  In fact, for GDPR purposes, you may need to identify both the controller and the processor of the data in question – if you don’t know the difference, click on the GDPR link in this paragraph for more information.
  • Why are we keeping/tracking it?: If you can’t come up with a good answer for this, then maybe the data should already be deleted.  After all, according to the Compliance, Governance and Oversight Counsel (CGOC), 69 percent of organization data has no business, legal or regulatory value.  In other words, as I discussed in Part One of my post about “Eight is Enough! Eight Considerations for Defensible Deletion”, that data is Redundant, Obsolete and/or Trivial (R.O.T.). The best reason to create a Data Map in the first place is to identify as much of that data as possible and get rid of it.

 

 

The 5 W's of Organization Data Maps - Ipro Tech

Regardless of where it’s kept or what data elements, data maps need to answer the “5 ‘W’s” associated with your organization data.

iprotech.com

Templates are available here.

GDPR Data Mapping Template: 10+ Print-Ready Templates - Demplates

GDPR is a set of laws or rules that protects your personal data you hold from EU. GDPR data processing is an important part of GDPR while processing your personal data. So, to keep your data mapping we have come up with professional looking GDPR data proce

demplates.com

 
