Data centre management staff, privacy staff and security staff are responsible for protecting data in an organisation. It is surprising to realise that many, if not most, organisations do not know where their sensitive data is located and saved, much less have a protection plan for their old sensitive data.
Legacy and migrated data represent the core types of sensitive data in any organisation. Organisations that use mainframe systems, in particular, will have an extensive database of legacy data that includes sensitive information. This may include production data, non-production data, old development test data sets, and other accumulated data.
While security staff members are most concerned about cyber-criminals accessing the data, other potential sources of breach include application vulnerabilities or accidental disclosures, public interest groups, service providers, and even auditors and authorised users. Studies have found that insiders are actually a key cause of data breaches.
The starting point for data protection is to have data security staff know all the data sets that need to be protected. This means looking back at accumulated data, so the security staff can set out new procedures and protection tools for new and accumulated data.