User Guide
Getting Started with Data Asset Inventory
Overview
- Data Asset Inventory (DAI) is where you list and manage your Data Assets.
- You list all the places, physical and cloud, where you store data and what security you have implemented for their protection.
- This enables you to manage your data Scans and the information is used in the SDV3 Dashboard to help you assess the valuation and risk to your data.
Initial DAI Set Up
To get started with DAI, do the following:
- Add Assets to your DAI inventory:
  - This is where you list all the places your business keeps data, such as:
    - Physical locations: Servers, laptops, workstations.
    - Cloud-based: Dropbox, OneDrive, Google Drive.
- Add Targets to be scanned:
  - These are the actual data that you want to discover and scan, both physical and cloud-based, so you can review the specific content of your data (like Social Security Numbers or Credit Card information).
- Create and run Scans:
  - This is where you input the type of scans you want to run, based on your business needs.
  - For example, a scan that reviews all of your SQL database Targets for new Social Security Numbers every 45 days, or a scan that answers where the Credit Card numbers you collect are stored and what their security is.
- Use SDV3 to evaluate your data risks and valuations:
  - This is a visualization of the Value, Volume, and Vulnerability of your data that allows you to view overall risks and valuations and drill down into specifics to better understand your data risks and valuations based on your business needs.
Useful Definitions
The following are some definitions that are useful when working with DAI and the SDV3 Dashboard.

The following information can help you understand how a Data Inventory works:
Data Assets: This is the basic information about the asset.
- Name
- Type of asset, for example, database, cloud storage, application.
- Administer
Organization: How the data is organized in response to regulation and other processes.
- Regulation
- Framework
- Process and Policies, for example, ISO27001 or SOC-2 Type 2
Technical Security Measures: Remediation to protect or rectify information that is found on a Data Asset.
Data Asset Content: One or more Data Elements that document the type of asset data.
Data Elements: These are the actual pieces of information your company can store.
- Personally Identifiable Information (PII)
- Medical Information
- Consumer Information
- Marketing Information
- Table and Field (resides within a database)
Classifications: Schemas used to understand and map Data Asset Content.

After collecting and recording Data Assets and their metadata, you are able to document the business context for each Data Asset and/or Data Asset Content. This helps you to comply with GDPR Article 30.
Process Information
The Process Information documents each defined process:
- The actual process
- Process owner
- Purpose of processing
- Whether the process allows for CCPA sale of information.
- This Process Information can then be related back to one or more Data Assets or Data Asset Content to help understand how the data is being used within your company and for what purpose. This helps you comply with various regulations such as CCPA and GDPR.
- For each process, specifically if it is CCPA, your organization may associate one or more Data Categories to further refine and understand more about the process.
  - Data Category can be Consumer, Health, and so on.
- Business owners can also identify for each process whether or not that process should automatically be included or excluded when doing Subject Request Fulfillment Requests.
  - This will help streamline the processes for you by identifying up front which Data Asset and/or Data Asset Content will be reviewed as part of a Subject Request Fulfillment based on the Process defining the use of that Data Asset and/or Data Asset Content.
- For each process, you can also identify one or more Legal Bases for Processing. You can select one or many Legal Bases, depending on the process and the regulation.

Responsible Party
- A Responsible Party can be defined for each business process, but is not required for CCPA.
- The primary role of the Responsible Party is to ensure that your organization processes the personal data of its staff, customers, providers, or any other individuals in compliance with the applicable data protection rules.
- Regulation (EU) 2018/1725 obliges each EU institution and body to appoint a Data Privacy Officer (DPO) as the Responsible Party.
  - There can be more than one DPO appointed, but there is only one primary DPO.
- You are able to specify the actual geographic location (GeoLocation) for the data asset and specific process that has been identified.
- Based on the geographic location identified, you are able to specify the overruling Regulation.
Controllers and Processors
- Each Process Information may have multiple Controllers and Processors.
- A Controller is the entity that determines the why and the how for processing personal data.
  - There can be one primary controller or joint controllers.
- A data Processor is the entity that actually performs the data processing for the controller.
- An organization may interact with Third Party Vendors who might also process or use the data. An organization needs to be able to understand each Third Party Vendor's role, specifically if subjects are not allowing the sale of their information or the processing of their personal data.
- For each Process defined, organizations will also need to understand where they are collecting data (Data Sources) and routing the customer data (Data Destinations).
  - Both Data Sources and Data Destinations may be a Third Party Vendor.
  - There can be multiple sources and destinations for each process defined and supported.
  - Geolocations should be captured so that the organization can understand where the data is originating and where it ends up.

SDV3 is a dashboard showing the Value, Volume, and Vulnerability of your sensitive data sorted by various criteria.

The cumulative score of matched data weight on the scanned asset indicates the total value of the asset itself.
- 10 social security numbers (SSNs) with a weight of 10 = an SSN value of 100,
- 5 CCNs with a value of 50 = 250.
- Asset data value total = 350.
Subsequently, the Asset Value receives a score based on the Total Asset Data Value.
This normalizes the number for a simpler SDV3 Risk score. (TDV = V1)

- The total number of matches receives a total count score, which indicates the Asset's Volume.
- The total count score is normalized to a scale of 1-100 and becomes the Asset Volume Score. (TM = V2)

- An Asset's Vulnerability is measured by the Asset Type and Asset "Security Measures".
- Each variable is given a score.
- The values for both variables (asset type and Security Measures) are assigned a base score by the user in the Asset section of the DAI.
- The total of these values is the Vulnerability Score. (AT + SP = V3)

*All data is normalized to fit a scale of 1-100
*All data is calculated from the results of the LAST COMPLETED SCAN
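
The three SDV3 scores described above, worked through for a small inventory. This is an added example, not the product's own code. The asset names, the base scores, the linear scaling against the largest value in the inventory, and the clamping of AT + SP are all assumptions, because the guide does not state how it normalizes.

```python
from dataclasses import dataclass

# Constructed weights per data element; 10 and 50 mirror the figures in the text.
WEIGHTS = {"SSN": 10, "CCN": 50}

@dataclass
class Asset:
    name: str
    matches: dict           # data element -> match count from the last completed scan
    asset_type_score: int   # AT: base score assigned by the user in the DAI
    security_score: int     # SP: base score for the asset's Security Measures

def total_data_value(asset, weights=WEIGHTS):
    """TDV: sum of (match count x weight). An unweighted element raises KeyError
    rather than silently contributing zero value."""
    return sum(count * weights[element] for element, count in asset.matches.items())

def total_matches(asset):
    """TM: total number of matches on the asset."""
    return sum(asset.matches.values())

def to_scale(raw, largest):
    """Assumption: linear scaling onto 1-100 against the largest raw value
    in the inventory. The guide does not state the normalization it uses."""
    if largest <= 0:
        return 1            # no matches anywhere: everything sits at the floor
    return round(1 + 99 * raw / largest)

def score_inventory(assets):
    """Return {asset name: (V1, V2, V3)} for one inventory."""
    max_tdv = max((total_data_value(a) for a in assets), default=0)
    max_tm = max((total_matches(a) for a in assets), default=0)
    scores = {}
    for a in assets:
        v1 = to_scale(total_data_value(a), max_tdv)
        v2 = to_scale(total_matches(a), max_tm)
        # Assumption: AT + SP is clamped to 1-100 instead of being rescaled.
        v3 = min(100, max(1, a.asset_type_score + a.security_score))
        scores[a.name] = (v1, v2, v3)
    return scores

# Constructed inventory; "hr-sql" uses the 10 SSN / 5 CCN case from the text.
INVENTORY = [
    Asset("hr-sql", {"SSN": 10, "CCN": 5}, asset_type_score=30, security_score=25),
    Asset("sales-share", {"CCN": 2}, asset_type_score=20, security_score=10),
    Asset("archive-nas", {"SSN": 40}, asset_type_score=40, security_score=45),
]

if __name__ == "__main__":
    for name, (v1, v2, v3) in score_inventory(INVENTORY).items():
        print(f"{name:12} V1={v1:3} V2={v2:3} V3={v3:3}")
```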