Data Life Cycle
A data lifecycle refers to the different stages a unit of data undergoes, from initial Create to when it’s no longer considered useful and deleted. It’s a continuous, policy-based process where each phase informs the next. The different stages of the data lifecycle can vary depending on the organization, but they generally follow the stages illustrated below.?
Data Life Cycle has 6 crucial stage they are Create, Store, Use, Share, Archive, Dispose.
Create:
Data creation occurs throughout organizations. Most data are created by business functions such as finance, marketing, sales, and human resources rather than the IT department whose typically responsible for managing the data once it's been created.
Once the data is created, the organization must classify and categorize it(Data Owner responsibility to classify the data ) . Data classification determines the sensitivity of the data and how important it is to protect their confidentiality, integrity, and retention.
Protecting your data during this phase will include access controls such as passwords, threat scanning for antivirus, and data classification that will specify the data type, its location, how it should be protected, and who has access to it.?
Store:
Once data has been created, it is typically stored on a computer hard drive or in a data center. Certain types of transaction or analytics data might be generated in transit or in memory but not permanently stored to disk. Storage also involves near-term backups that must also remain protected. Once data is stored, responsibility for its management typically falls to the IT or security team.
?Storage protections include access control around who can read and overwrite the data, device control such as data encryption, backups to protect the data from loss, plus security measures to protect the backups themselves.
should be encrypted with an industry-accepted symmetric algorithm like AES.
Use:?
During the 'use' phase, data is accessed, viewed or processed. Protecting data during this phase will usually fall equally between the lines of business and the IT department.?
Protecting data in use includes implementing the proper levels of access control, monitoring to ensure correct subject behavior, and isolating processes and their data.
Subjects must access stored information to complete business tasks, access controlled by authentication and authorization approaches that match the sensitivity of the data accessed. For restricted data, organizations should consider strong authentication.
Strong authentication uses two or more authentication factors that fall into three types.
领英推荐
Protections during data usage include access control, encryption, data rights management for copyrighted information and data loss prevention, which involves software and business rules to prevent unauthorized access to sensitive information.
Share:
?Data is often shared amongst internal employees and corporate partners outside of the organization. Data sharing can occur through the network, via removable media, or across the internet via transfer sites or email. When data is shared, it is subject to new risks.?
?Data sharing safeguards involve access control, encryption, network security (firewalls/intrusion detection) and data loss prevention. When organizations are dealing with third-party vendors, they should have clear measures in place for data removal and verification after services have ceased.
Once the data is outside the control of the data owner, there is no guarantee that the owner has a complete picture of the trust level of the external processor’s environment. Further, the external processor’s location might lie in geographic areas not allowed by regulatory constraints, like the GDPR.?
Archive:
For short-term data protection, all data must be backed up regularly, either onsite or offsite. When an organization needs to retain data for the long term, it can be archived to tape or disk media and placed in remote, secure locations.?
An organization’s operations team would usually take responsibility for archiving as opposed to IT or the lines of business. Protecting archived data include access control and encryption.?
Destroy:
Eventually, data is no longer needed for daily operation, requiring one of two approaches to disposition: archiving and sanitization. Disposition is vital for removing classified information from regularly used, regularly accessible storage locations.
Archiving is needed when regulatory or business requirements dictate data retention for a set period. Depending on the organization’s regulations, retention might require data archival from one year to forever. Federal regulations or agencies that regulate retention include
Reference: