Greatest Risk to Data Integrity – People
May 10, 2017
While technical controls and effective computerized system validation are clearly essential to establishing and maintaining data integrity for electronic systems, the greatest risk is still the behavior of the people who use and maintain systems, including infrastructure and databases.
Training is an important starting point, but it is also important to move beyond reliance on training alone to help ensure that the people who maintain and use systems are aware, vigilant, and consistently compliant with policies and procedures designed to protect the integrity and security of the data.
What actions can be taken beyond training? First and foremost, it is important to instill a culture of data stewardship: understanding and accepting shared responsibility for the data in each person’s custody. In a culture of data stewardship, each person recognizes that every level of access comes with an obligation to access, process, or maintain the data and its infrastructure.
It is important that all personnel understand the concept of chain of custody as it applies to the data throughout its life cycle from its collection to its final disposition (whether destruction or archive).
A data chain of custody is composed of the complete history of the data, including where it has been, who has had access to it, who has entered or changed it, when, and why.
This includes its physical locations, transmission protocols, infrastructure, and hardware, and the persons and entities that have access to, control over, or physical custody of the data for any purpose, including data hosting, data archive, or application or infrastructure support.
Working to make all personnel consistently aware of and consistently respectful of their role in the data chain of custody is a matter of daily practice, well-defined procedures, effective performance management, and visible management leadership.
In an environment in which these principles are consistently applied, the risk to data integrity from human performance failures can be well controlled, and technical measures can most effectively perform their role.