Your organization’s crown jewels — its data! — should be protected at all costs, of course. Securing that data — whether it was created by your organization or is consumer or third-party data — begins with managing it properly.
There is an exponential amount of ways data can benefit your organization, and a reflective amount of ways it can open your organization up to additional risk. One often overlooked facet of the data management lifecycle includes ROT data not being properly monitored or managed.
What is ROT Data?
Redundant, obsolete, or trivial (ROT) data is the digital information a business has despite the data having no business or legal value. This could be a duplicate piece of information, an old planning document, or simply data that doesn’t serve the company any more.
The more data your organization has, the wider its attack surface becomes. Now much of that data is necessary, useful, and even considered critical. But other data that is redundant, obsolete, or trivial can be floating around, adding a net negative to your security team’s resources.
Visibility and classification are the first steps of de-risking the data flowing through your organization, as explained in this webinar.
How are you handling ROT Data?
Now we know what ROT data is, but what do we do with it to help de-risk our data storage and the organization as a whole — and remain compliant?
Let’s look at a three-pronged approach of actions and best practices that will help your security teams handle ROT data.
- Un-share: Ensuring that ROT data isn’t shared is an easy way to ensure that it’s not adding additional risk to your organization. After all, over-privileged access is a key risk to data that can be reduced by only sharing current, necessary data with people who are authorized. In fact, sharing permissions should always be reviewed periodically as best practice.
- Archive: In the event that data is not totally obsolete, and there may be a need for it in the future (a customer whose subscription has expired but may return to a service agreement at a later date), your organization can choose to archive that information rather than keep it open and accessible or have to delete it altogether. Archived data is often encrypted and stored in file systems which have restricted access to truly protect it.
- Delete: This comes down to proper policy creation. If your organization doesn’t have a standing retention policy, deletion of ROT data is the best decision to de-risk your company and reduce your attack surface.
This all begins with data discovery, of course. From there you can gain visibility into and take action on the data your company is currently controlling. Find out how automating these processes will keep you both compliant and secure by requesting a demo today.
