We all know that information is the ultimate asset. It's also the largest and most challenging area of risk to organizations these days. Data ranges from proprietary to confidential and includes everything from personal information to health records, financial statements, and other government-regulated materials. Data is constantly being generated by internal users, partners, external customers, and even automated systems.
Data volume can easily climb into the terabytes at most organizations, and it spans applications from Exchange, Public Folders, and SharePoint to the most problematic area: the Distributed Shared File System. Establishing a data governance program that satisfies compliance requirements and actually reduces the risk of data exposure takes time and money, and often involves a complex roll-out, regardless of the organization's size:
Step 1 - Initiating a data governance program starts with the creation of a governing body. The governing body usually consists of executive leadership, project management, line-of-business managers, and data stewards. Identifying data stewards is essential, as they will have a large list of responsibilities, including determining data classification, improving data quality, overseeing clean-up campaigns, and performing entitlement reviews. The governing body usually uses some form of methodology (such as Six Sigma) for tracking and improving enterprise data, as well as tools for mapping, profiling, cleansing, and monitoring data.
Step 2 - Establishing the target repositories of data that will be included in the program. Some examples are Shared File Systems, Active Directory, Mailboxes, Public Folders, and collaborative environments like SharePoint. Initial implementations may vary in scope as well as origin. Sometimes, an executive mandate will make the project an enterprise-wide effort. Sometimes, the mandate will be to create a pilot project that's limited in scope and objectives. In other cases, resources may be targeted based on automated or data steward-assisted classification of the sensitivity of the data. Usually, reduced-scope or mandated programs aim to either resolve existing issues or demonstrate value.
Step 3 - The proactive review of permissions. Knowing who has what level of access to which resources is critical. Permissions are a complex web in any organization, and to determine effective access to resources, we have to start at the domain level. Users and groups form the foundation of control over what resources can be accessed throughout the infrastructure. Effective access determination starts with whether an account is enabled or not, and flows into the relationship of users and their direct and effective membership of groups.
Step 4 - The final step is constant monitoring. This is required to provide a historical view into how your environment is changing. Knowing who gave out or delegated access, or who is using their rights to interact with resources, is critical, especially when something goes wrong...
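The effective-access determination described in Step 3, shown as an added example that is not part of the original article: it resolves direct and nested group membership, skips disabled accounts, and records which ACL entry grants each right. The users, groups, shares, and the allow-only permission model are constructed assumptions for illustration, not data or behavior from any product.

```python
# Constructed sample data (hypothetical names, not from the article).
USERS = {"alice": True, "bob": True, "carol": False}  # account -> enabled?
GROUPS = {  # group -> direct members (users or other groups)
    "Finance": {"alice", "FinanceContractors"},
    "FinanceContractors": {"bob", "carol", "Finance"},  # circular nesting
    "Everyone-HQ": {"Finance"},
}
FINANCE_SHARE, HR_SHARE = "fs01/finance", "fs01/hr"
ACL = {  # resource -> {principal: rights granted}; allow entries only
    FINANCE_SHARE: {"Finance": {"read", "write"}, "Everyone-HQ": {"read"}},
    HR_SHARE: {"carol": {"read"}},
}


def effective_members(principal, groups, _seen=None):
    """Resolve a user or group to the user accounts it ultimately contains."""
    seen = set() if _seen is None else _seen
    if principal not in groups:
        return {principal}  # a user account, not a group
    if principal in seen:
        return set()  # circular nesting: this group is already being expanded
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= effective_members(member, groups, seen)
    return users


def effective_access(resource, acl, groups, users):
    """Map each enabled user to the rights held on a resource and the
    ACL principals (direct or via nested groups) that grant them."""
    result = {}
    for principal, rights in acl[resource].items():
        for user in effective_members(principal, groups):
            if not users.get(user, False):  # disabled or unknown account
                continue
            entry = result.setdefault(user, {"rights": set(), "via": set()})
            entry["rights"] |= rights
            entry["via"].add(principal)
    return result


if __name__ == "__main__":
    for share in (FINANCE_SHARE, HR_SHARE):
        print(share)
        for user, e in sorted(effective_access(share, ACL, GROUPS, USERS).items()):
            print(f"  {user}: {sorted(e['rights'])} via {sorted(e['via'])}")
```

An entitlement review would compare this output against what each data steward expects; an ACL entry such as the one for the disabled account on the HR share grants no effective access today but is still a clean-up candidate.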
Tips for starting your campaign:
By Christopher L. Olsen CISM, Vice President of Product Management - STEALTHbits Technologies, Inc.