Global Implementation of PII Identification, Remediation and Data Governance

Industry:
Hi Tech Manufacturing

Client Overview

The Client is an Ohio-based, innovative provider of equipment and services for data centers, with a portfolio of power, cooling and IT infrastructure solutions and services that extends from the cloud to the edge of the network. Headquartered in Columbus, Ohio, the company has twenty thousand employees, more than twenty-five manufacturing and assembly facilities, and regional headquarters around the world. The company is listed on the New York Stock Exchange (NYSE).

Project Scope

The scope of this project is to implement PII identification, PII remediation and governance for structured and unstructured data across the Client's enterprise systems. This global implementation is a continuation of the GDPR audits and assessment completed for over three thousand five hundred databases. In this data governance project, over five thousand five hundred applications and databases are in scope. The approved sensitive attributes need to be identified in the ChainSys metadata management application. The sensitive data needs to be remediated by data masking to avoid data breaches and stay compliant. Data governance procedures and policies need to be established for continuous PII monitoring and remediation.

Business Situation

The Client is at high risk of significant fines, data breaches, damage to brand reputation, and potential loss of customers if it does not mitigate the risk of non-compliance with GDPR, CCPA and other privacy laws. Sensitive, high-value PII data is scattered across different applications and files across the organization, and the Client was looking for a centralized platform for PII identification, remediation and data governance.

The new rules grant people more rights regarding how companies handle their personally identifiable information (PII), and they impose heavy fines for non-compliance and data breaches: up to 4 percent of a company’s yearly revenue. For security teams, this means making sure that PII is adequately protected and that the proper reporting processes are in place.

The client faced the following major challenges:

1. 5500+ databases need to be scanned to identify the PI data categories.

2. Identified PII data needs to be remediated

3. Scheduling of PII Data scanning process

4. Scheduling of Data Remediation Process

Technical Situation

The technical landscape at the Client consists of 30+ heterogeneous applications that are integrated with a Big Data environment consisting of three Cloudera Hadoop clusters: Development, Production, and Disaster Recovery. The clusters are configured with LDAP, Kerberos, and Sentry for authorization and access controls. Reporting is to be performed directly off the Production data lake only (via the Silver and/or Gold layers only) using standard reporting tools.

Solutions

ChainSys deployed dataZense, part of the Smart Data Platform, for PII data scanning, remediation and implementing data governance.
PII data profiling and data masking within the dataZense application are broken out into the following three high-level processes:

1. PII Data Identification

Identify the systems to be considered for sensitive data (PII) identification and run the data profiling process to identify the PII attributes. This provides complete visibility of the identified PII data, i.e. server, instance, database, schema, table and column-level details.

Personal data is grouped into two categories: Critical and Confidential data elements (or categories).

  • Critical Data Elements/Categories

Critical data elements are those elements by which you can directly identify an individual/person such as their social security number, National Identifier, Visa Number, Passport Number, Employee Number etc.

  • Confidential Data Elements/Categories 

Confidential data elements are pieces of information which, when combined with other personal data elements, can identify individuals, e.g. first name, last name, date of birth.


2. Business Review and Approval

The identified PII attributes will go through false-positive / false-negative analysis and be approved for remediation.

3. PII Data Remediation and Governance

The PII governance process is to get consent from the data owners to “Keep” the PII data in systems (Production and Non-Production). This maintains a lineage from the PII data value to its owner. Once the owner gives consent or no-consent on their PII data attributes, we will trigger the appropriate remediation steps. The business-approved PII attributes will be considered for remediation.

  Remediation Options:

  • Scramble the Data
  • Mask the Data
  • Remove Data (With capture of logs) – remove from all production and non-production environments
  • Keep the Data (Encrypt in all Non-Production environments)

Benefits

  • Customized, easy-to-use user interface screen to show the data
  • Enhanced business rules specific to the Client
  • Configured a tool-level feature to enable scanning of password-protected files
  • Reduced data maintenance costs by shutting down more than two hundred unused databases
  • Helped the business identify the gaps and put proper plans in place to mitigate the identified risks
  • Improved data security
  • Dashboards and reports provided a quick view of the overall PII data situation for better decision making
  • Ensured proper GDPR, CCPA and other compliance levels across all systems in all regions 
  • Data Search capability
  • Enabled continuous improvement of PII monitoring and reporting

Products and Services Used

dataZense - To Visualize, Analyze, Catalog and Scramble Data for Effective Decision Making & Security.
