The problem of “rogue” assets
“Rogue” assets are a problem that fast-growing companies often struggle with.
Because the business expands quickly, assets like servers, databases and applications… often get forgotten, or are added without the correct approval from superiors.
The problem is that while the company grows and expands quickly these assets stay in the dark: they often don’t receive patches, and other employees might not even know they exist.
Without proper asset management these assets become a vulnerability in your business environment.
Mapping out the business applications
A great way to regain control is to start from your applications. Applications handle data, and often this data is subject to the GDPR.
The following tips are not required by the GDPR directly, but they can be of great help in filling in the register of processing activities required by Article 30 of the GDPR.
Start by building an application inventory containing the following information:
- Name of the vendor of the application
- Name of the application
- Whether the application contains personal data or not
- The categories of personal data that are processed within the application
- Implemented security measures
- The hosting provider
- The physical location (the country) where the data is processed
At a later stage you can make a visual model of the flows of data within your business landscape. This gives your business a very clear view and helps you locate personal data. The visualisation also helps with internal transparency.
Mapping out the database landscape
In this exercise you will collect all the databases in a similar way.
The following information can be valuable:
- Name of the database server
- Type of database that is running on the server
- Database instances running on the server
This will be used to physically locate data and to create an overview of which servers require patches. The database instance names can be used to map the applications from the previous exercise to their corresponding databases.
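The two inventories above only pay off once they are reconciled against each other. The following is an added example (not code from the original article) that joins the application inventory to the database inventory on instance name, surfaces database instances no registered application claims (candidate rogue assets), applications pointing at instances nobody has inventoried, and applications holding personal data without a recorded security measure or processing country. The `db_instances` link field and all records are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Application:
    vendor: str
    name: str
    personal_data: bool
    data_categories: list
    security_measures: list
    hosting_provider: str
    country: str          # country where the data is processed
    db_instances: list    # assumed link field: instance names this app uses

@dataclass
class DatabaseServer:
    server: str
    db_type: str
    instances: list       # database instances running on this server

def reconcile(apps, servers):
    """Return (orphan_instances, unknown_instances, incomplete_apps).

    orphan_instances:  inventoried instances no application claims (rogue candidates)
    unknown_instances: instances an application claims but no server lists
    incomplete_apps:   apps with personal data but no security measure or no country
    """
    known = {inst: s.server for s in servers for inst in s.instances}
    used, unknown = set(), set()
    for app in apps:
        for inst in app.db_instances:
            (used if inst in known else unknown).add(inst)
    orphans = sorted(set(known) - used)
    incomplete = sorted(a.name for a in apps
                        if a.personal_data and (not a.security_measures or not a.country))
    return orphans, sorted(unknown), incomplete

# Constructed sample inventories (not real systems).
APPS = [
    Application("Acme", "HRPortal", True, ["employee"], ["TLS", "RBAC"],
                "CloudCo", "BE", ["hr_prod"]),
    Application("Internal", "LegacyCRM", True, ["customer"], [],
                "on-prem", "", ["crm_prod", "crm_archive"]),
]
SERVERS = [
    DatabaseServer("db01", "PostgreSQL", ["hr_prod", "crm_prod"]),
    DatabaseServer("db02", "MySQL", ["shadow_app"]),   # nobody claims this instance
]

if __name__ == "__main__":
    orphans, unknown, incomplete = reconcile(APPS, SERVERS)
    print("orphan instances:", orphans)
    print("unknown instances:", unknown)
    print("incomplete apps:", incomplete)
```

Run it against your real inventories and each non-empty list is a follow-up item: find an owner or decommission the orphan, inventory the unknown instance, and complete the record for the incomplete application.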
To stay in control you will need to create policies. For example, a change request policy that makes sure all changes require the signature of the correct superiors, so that no “rogue applications” enter your infrastructure, and a change management policy that requires signatures when the production environment is changed and requires the application list, database list and the application and database landscapes to be updated.
This way you will always have a clear view on your internal operations.
To read more on how the GDPR will change the face of business, check out this article on our blog.