Starting with the fundamental idea that information security is supposed to "secure information", we first need to determine what information must be protected. Here regulations may help specify, but there is much more information to protect in your environment than what is required- certainly confidential patient data and customer financial records must be protected, and not just because HIPAA or PCI DSS require it. Your organization may also have trade secrets, marketing campaigns, merger plans or other information which should be protected regardless of regulatory imperatives.
A basic rule of protection is that you must know what you have and where it is before you can protect it- even if the folks at MA OCABR can't figure this out. It doesn't matter if you need to defend jewelry from theft or credit card numbers from loss, you have to know where they are before you can protect them- so identifying the information you must protect is a logical first step towards both security and compliance.
The information to be secured will vary by organization and change over time, and therefore will require a flexible and versatile identification method. One effective approach is to start by asking three questions about the information to be protected:
- How does the information enter the environment?
- Identify every point of entry for the information.
- Include the origins of internally created information.
- Where is the information stored and accessed internally?
- Not simply where it is stored, but also where it is used.
- Not just where it is supposed to be, but where it really is stored and used.
- How does the information leave your organization?
- Map every egress point, including submissions to any outside organizations.
Note that you will have to account for remote workers, road warriors, and others "insiders" who store and access information while "outside".
Now for the truly informative step: connect the dots. All of the dots. Map all of those entry and creation points to the storage points to the use points, and then to the egress points. You will likely discover paths and storage locations previously overlooked, you may even need to go back and re-answer the three questions armed with your new insights.
With this exercise complete you can
pick up the ClueBat and start cracking heads begin to build a plan for both securing the information, and meeting your compliance goals. Streamlining the information flow and reducing the number of storage points would be good starting points, these will reduce your exposure and simplify future security and compliance tasks.