Data Audit Guide

SEARCH, PRODUCE, and EXPORT EXACTLY WHAT YOU’RE LOOKING FOR.

WORKSHEET


NetGovern Data Audit Guide 2

DATA AUDIT GUIDE

Data audit planning works best when the key decision-makers in your organization are on board and included in the process. This should include a representative from each department, such as IT, finance, C-level management, human resources, and so on. Once your team is assembled, you are ready to begin your data audit planning.

For those who are unfamiliar with the term, a data audit helps your organization assess the quality of its information. Unlike a financial audit, a data audit requires you to examine key metrics, rather than just quantity, to evaluate the value of your data assets.

Performing a data audit will help you answer several important questions:

• Do we have any personal or sensitive data?

• In what ways do we collect data?

• How valuable is the data we’ve collected?

• Where are we storing the data?

• What do we do with the data?

• Do we have a process for deleting old and unnecessary data?

• Who owns, controls, and has access to the data?

Asking yourself these questions and finding the answers through a data audit is one of the most effective ways to identify issues with your organization’s data governance practices.


Step 1: Find out what data you have

First, consider the primary types of information that your company handles, such as social security numbers, payment card numbers, patient records, designs, and employee records. Prioritize what must be protected. What kind of information are you collecting? Essentially, you need to make sure the data you have is beneficial for your organization.

With the growing accumulation of structured, unstructured and semi-structured data in organizations—increasingly through the adoption of big data applications—dark data can be seen as the operational data that is left unanalyzed or underused, and often lost altogether.

Why is dark data important? Because it can be an opportunity for organizations if they can take advantage of it to drive new revenues or reduce internal costs. Here is the breakdown:

15%—Business Critical Data—This data is strategically important to an organization’s daily operations and success. It is usually proactively managed. This includes product road maps, business plans, and customer lists.

33%—Redundant, Obsolete, Trivial (ROT) Data—This data has little or no business value and should be eliminated regularly to avoid the unnecessary storage space and costs associated with it.

52%—Dark Data—This data is hidden and unstructured, expensive to secure and store, but most companies do so because of compliance regulations; the credo being ‘store everything just in case’. Some examples of data often left dark include server log files that can give clues to website visitor behavior and customer call detail records that can indicate consumer sentiment.


There are risks with dark data:

• Regulatory: Leaking or losing sensitive, dormant data and PII.

• Intellectual Property (IP): Failing to protect IP.

• Opportunity: Missing out on chances to improve.

The costs of dark data include loading, updating, storing, and managing unused data, which consumes personnel time and storage space. This time and infrastructure could be better spent on higher-value work.

DATA TYPES

There are many types of data, but for our purposes we will mainly consider two: structured and unstructured.

What is structured data?

Structured data is defined as the data you find in relational databases or in spreadsheets with a clearly defined format and structure. Data is easy to enter, store, retrieve, search and analyze, such as a database or an Excel spreadsheet containing all your customer records or patient histories.


What is unstructured data?

Unstructured data is data that is not in a database and does not follow the same definitions and rules as structured data. This type of data is traditionally related to many different types of files, such as Word documents, images or digital audio files (there is textual and non-textual unstructured data). Semi-structured data sits between the two.

Unstructured data represents the fastest growing type of data today. By far, the majority of information your organization holds is unstructured. Unstructured data can sit anywhere in your company in any type of file, in any format, in your file system and storage hierarchies. Unstructured data is omnipresent in wealth management, insurance claims processing, medical files, account administration, and so on. There is also the inevitable email data growth. Most companies store email attachments without business value.


Data types at a glance

Structured Data

Description: Easily understood information in a strict and rigid format, easily searchable.

Examples: Customer, sales, sensor data; Spreadsheets

Unstructured Data

Description: Information that does not have a predefined data model or is not organized in a predefined manner. Typically text-heavy, but may contain data such as dates, numbers, and facts as well.

Examples: Images, photos; Audio, video; PDF and Word files; PowerPoint presentations; Blog entries, wikis

Semi-Structured Data

Description: A cross between structured and unstructured data. Tags or other markers identify certain elements within data but it does not have a rigid structure.

Examples: Emails; Web pages


Step 2: Discover where your data is stored

One of the biggest problems any organization can run into when they start planning a data-driven approach is disorganization. You may have collected and stored data in several different programs, folders, and servers. Still, more data may be stored with third parties. Identify and list where each item on the information list resides within your company, such as file servers, workstations, laptops, removable media, and databases.

Data map

Item Location


Step 3: Talk to the team to classify your data

In order to build an effective data-driven strategy, you will need to know how everyone in your organization classifies the data you have collected. It is important to gain the insight of everyone involved in the data collection and utilization process. Performing a data audit with this in mind will allow you to come up with a strategy that is beneficial to your entire organization.

A classification scheme lets you rank information assets based on the amount of harm caused if the information was disclosed or altered. Your team should strive to be realistic and aim for consensus.

Typical data classifications

Public: Marketing campaigns, contact information, financial reports

Internal: Phone lists, organizational charts, office policies

Internal (sensitive/confidential): Business plans, strategic initiatives, non-disclosure agreements, customer lists, compensation information, merger and acquisition plans, layoff plan

Regulated: Patient data, financial records
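Steps 1 to 3 can be prototyped on a file share before any tooling is chosen. The following is an added example, not part of the original guide and not NetGovern code: it walks a directory, flags files containing social security number or payment card number patterns, and emits data map rows (item, location, proposed classification). The function names, the regular expressions, and the mapping of both item types to "Regulated" are assumptions for illustration; the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Item types come from Step 1 of the guide; the patterns themselves are assumptions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Overlapping candidates: 13-19 digits with optional space/hyphen separators.
CARD_RE = re.compile(r"(?=\b((?:\d[ -]?){12,18}\d)\b)")

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_items(text):
    """Return the sensitive item types present in one file's text."""
    items = set()
    if SSN_RE.search(text):
        items.add("social security number")
    if any(luhn_ok(re.sub(r"\D", "", m.group(1))) for m in CARD_RE.finditer(text)):
        items.add("payment card number")
    return items

def build_data_map(root):
    """Walk root and return (item, location, proposed class) rows."""
    rows = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            text = path.read_text(errors="ignore")
            for item in sorted(find_items(text)):
                # "Regulated" is a proposed label for the Step 3 team to confirm.
                rows.append((item, path.relative_to(root).as_posix(), "Regulated"))
    return rows

def demo():
    """Build a constructed sample share and return its data map."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "onboarding.txt").write_text("SSN on file: 123-45-6789\n")
        (root / "orders.csv").write_text("id,card\n7,4111 1111 1111 1111\n")
        (root / "phone_list.txt").write_text("Front desk: 555-0100 ext 12345678\n")
        return build_data_map(root)

if __name__ == "__main__":
    for row in demo():
        print(" | ".join(row))
```

The Luhn check keeps order numbers and phone extensions out of the data map; files with no hits are not listed and still need classification by the team.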


Step 4: Report findings

The next step is to look back and determine which pieces of data are the most impactful for your organization. In general, if a specific data segment has a significant impact on your organization’s revenue, that data needs to be prioritized accordingly. Any information that impacts your bottom line should take precedence over supporting data.

Collate findings and report back with recommendations on how data management practices could be improved. Common data issues faced include:

• Poor naming and filing systems so retrieval is a challenge.

• Lack of storage space meaning employees revert to using external hard drives and laptops.

• No active transfer of data on staff retirement / departure meaning legacy material is lost, mismanaged or remains on the server unused.

• Limited data archiving facilities, so employees often have to maintain their research outputs.

• Growing space requirements.

Issue Action Priority


Step 5: Make recommendations

As you are performing a data audit, you learn more about the information you are collecting, who values it the most in your organization, and how they use it. You’ve organized your data based on priority and now you’ve realized that some of the data at the bottom of your priority list is pretty valuable! You just haven’t taken advantage of it.

One of the most common gaps we identify when working with our clients is the failure to update data across all platforms. This problem stems from the issue of data silos we mentioned earlier.

Recommendations for improving data management and security should include:

• Guidance on creating data and metadata/documentation to enable retrieval and reuse.

• Training and advisory support to help researchers adopt best practice through the lifecycle.

• Assistance with composing data management plans and carrying out suggested actions.

• Implementing data policies that clarify roles and responsibilities.

• Support on selecting data for the long-term so only that which is needed is kept.

• Additional storage when capacity is insufficient or to support different needs i.e. active data.

Item Recommendation


Sample Data Audit Workflow

With NetGovern, the data audit workflow looks like this:

1. The audit manager does the following:

• Creates a new case and defines scope.

• Performs broad criteria search to provide data for review.

• Tags all documents for review and assigns reviewers to the case.

2. Reviewers identify sensitive information and what should be kept, for how long, and what should be defensibly deleted.

3. Develop policies for data sanitization and retention.

4. Locate sensitive data through deep search using keywords, filters and advanced search.


5. Review and analyze data set.

6. Delete redundant, obsolete and trivial (ROT) data.

7. Train and educate staff on data policies and procedures.


Data Auditing with NetGovern

Whether you are subject to SEC Rule 17a-3, 17a-4, FINRA Rule 3110, 4511 monitoring requirements, GDPR, or simply want to reduce your organization’s risk due to HIPAA, PIPEDA or other privacy regulations, you may be required to perform regular audits to find confidential information such as PHI, PCI, and PII. As that information grows, having broad visibility into that data becomes increasingly difficult.

With the increase in the number of locations used to store data, it becomes harder and harder to perform exhaustive audits in order to comply with information security policies. Not all data has value, and the value of data isn’t constant.

While performing a data audit using NetGovern Search, you can identify and view all your unstructured data and have a direct look into its content wherever it is located: file systems, email archives, SharePoint, SharePoint O365, and other file sharing solutions such as Box.com and Citrix ShareFile.

Learn more about how NetGovern can help you with data auditing and all your Information Governance needs. www.netgovern.com


About NetGovern

NetGovern’s software enables regulated organizations to cost-effectively define and deploy vertical market ready Information Governance strategies in under 30 days, eliminating the “analysis-paralysis” phase that negatively impacts most enterprise data projects. Connect, Collect & Control petabytes of unstructured data stored in your file sharing, instant messaging, email and collaboration platforms, whether on-premise, on-cloud, or across hybrid systems. By providing comprehensive File Analysis (Audit), eDiscovery (Search), and Enforcement & Remediation capabilities, our clients can proactively organize, preserve, secure, and gain insight from what is arguably their most valuable asset – Information.

NetGovern Inc. 180 Peel Street, Suite 333 Montreal, QC H3C 2G7 514.392.9220 | [email protected]

© Copyright 2018 NetGovern Inc. All rights reserved. NetGovern™ is a trademark of NetGovern Inc.