Description: Sensitive data can mean different things depending on the organization’s nature, its regulatory jurisdiction(s), and industry. The following are common sensitive data categories.
- Personally Identifiable Information (PII)
- Personal Health Information (PHI)
- Export Controlled Data (ITAR/EAR)
In accordance with least privilege principles, data owners must ensure that only necessary access is granted for sensitive data they are responsible for. When a user leaves the organization or moves within the organization, permissions must be revoked to prevent unauthorized access and privilege creep.
Benefit: Actively reduce the risk of a data breach due to unauthorized access from external actors and insider threats.
Implementation Approaches
- Periodic Entitlement Reviews are Conducted by Data Owners
- Unused Permissions are Revoked after a Predefined Time Window
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
- PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
| Title | Periodic Entitlement Reviews are Conducted by Data Owners |
|---|---|
| Technology Components | Data Access Governance (DAG) |
| Description | In this approach, the organization assigns attestation responsibility over a given data set to the respective data owner. Examples of data owners are the CEO or CFO of the business that owns the data. The data owner must conduct an entitlement review periodically in order to attest that only the required users have access, with appropriate permissions. |
| Pre-requisites | (1) DAG is in place to assign responsibility to the appropriate data owners. (2) DAG is aware of permissions to folders/files and how they get assigned (e.g. directly in the content management system, or via groups in the user repository/directories). (3) DAG identifies files containing sensitive data. (4) Periodic review campaigns are generated for reviewers, with possible remediation. |
| Supporting Member Companies | Fischer Identity, ForgeRock, Omada, SailPoint, Saviynt, SecZetta, Thales |
| Title | Unused Permissions are Revoked After a Predefined Time Window |
|---|---|
| Technology Components | Data Access Governance (DAG), Access Management (AM) |
| Description | In this approach, a user's access to data (e.g. a folder containing sensitive data) or online resources (e.g. SaaS applications) is automatically revoked if the user does not access the data or online resource in any manner over a predefined time window. The window should be configurable to allow for vacations and other leaves of absence. |
| Pre-requisites | (1) DAG is in place to assign responsibility to the appropriate data owners. (2) DAG is aware of permissions to folders/files and also of the usage history of these permissions. (3) DAG is configured with a remediation workflow to revoke access after the predefined time window. (4) Access can be controlled either by modifying the underlying account/entitlement information directly, or indirectly through integration with the Access Management product used to control access to the content. |
| Supporting Member Companies | Fischer Identity, ForgeRock, Omada, SailPoint, Saviynt, Thales |
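The dormant-permission check behind the second approach, as an added example that is not part of the original page or of any member company's product: each entitlement carries a last-used date and an optional approved-leave period, and a grant is flagged for the remediation workflow only when its idle time, excluding leave days, exceeds the configured window. Entitlement records, resource names and dates are constructed sample data.

```python
"""Dormant-entitlement detection for a DAG remediation workflow (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Entitlement:
    user: str
    resource: str                              # e.g. a folder tagged as containing PII/PHI
    granted_on: date
    last_used: Optional[date]                  # None: never used since the grant
    leave: Optional[Tuple[date, date]] = None  # approved absence (start, end), from HR/IdP


def _overlap_days(a_start: date, a_end: date, b_start: date, b_end: date) -> int:
    """Number of days shared by two inclusive date ranges (0 if disjoint)."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(0, (end - start).days + 1)


def effective_idle_days(ent: Entitlement, today: date) -> int:
    """Days since last use (or since the grant, if never used), minus approved-leave days."""
    reference = ent.last_used or ent.granted_on
    idle = (today - reference).days
    if ent.leave:
        idle -= _overlap_days(reference, today, *ent.leave)
    return max(0, idle)


def plan_revocations(entitlements: List[Entitlement], today: date, window_days: int):
    """Return (user, resource, idle_days) for every grant idle longer than the window."""
    return [(e.user, e.resource, effective_idle_days(e, today))
            for e in entitlements
            if effective_idle_days(e, today) > window_days]


# Constructed sample: four grants reviewed on 2024-06-30 with a 90-day window.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Entitlement("alice", "finance/payroll", date(2024, 1, 10), date(2024, 6, 25)),   # active
    Entitlement("bob", "hr/medical-records", date(2024, 1, 10), date(2024, 3, 1)),   # 121 idle days
    Entitlement("carol", "eng/itar-drawings", date(2024, 1, 10), date(2024, 3, 1),
                leave=(date(2024, 3, 15), date(2024, 5, 31))),                       # 78 of them on leave
    Entitlement("dave", "finance/payroll", date(2024, 2, 1), None),                  # never used: 150 days
]

if __name__ == "__main__":
    for user, resource, idle in plan_revocations(SAMPLE, TODAY, 90):
        print(f"revoke {user} -> {resource} (idle {idle} days)")
```

Carol's grant survives because her 78 leave days are excluded, leaving 43 idle days; a never-used grant is measured from its grant date so it cannot linger indefinitely.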