Like many large organizations with global operations, data is the connective tissue that connects each segment of a business.

Throughout a business lifecycle, data is collected in data lakes, cataloged in data warehouses, modified in applications, stored in databases, and called, passed, transformed, analyzed, and used as it makes its way through the ever expanding web of structured systems that are common in today’s organizations. With the growing plethora of standards and regulations surrounding data, corporations are being put under a heavy burden to both understand their obligations and comply with relevant standards, including General Data Protection Regulation, HIPAA, the California Consumer Privacy Act, and the National Institute of Standards and Technology (NIST) framework, as well as contractual obligations such as the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”).

Situation:

For the client, a global telecommunications company, a steady flow of information is critical to serving its customers, from service orders to data needed by technicians in the field. In order for the client to preserve billions of dollars in government contract revenue, the client needs to fulfill the new CMMC requirements by identifying controlled unclassified information (“CUI”) in more than 3,500 applications comprised of approximately 7,000 structured databases and protect the information in methods outlined by the government. The timeline for identification and protection reduced from 18+ months to less than one year and the privacy concerns must be mitigated while not interrupting critical business operations.

Our Role:

FTI worked with internal stakeholders and custodians to evaluate each application and understand the type of information and CUI generated and stored within it. An enterprise-wide system inventory was conducted and analyzed to create an individualized solutioning approach for each application and underlying database(s). This began with an application rationalization assessment to defensibly decommission data sources that were redundant or no longer needed by the business. For the remaining applications and databases, FTI utilized a data protection platform to scan a sample of each database, database schema, table, and field, across SQL, Oracle, Hadoop, DB2, and others, to classify data that has potentially personal, sensitive or controlled information. With this insight, the team worked to validate whether the data required protection, what protection method was appropriate (encryption, data masking, tokenization), and what level of access individuals or user bases required. Throughout the project, while the client remained highly focused on CMMC, FTI ensured each decision accounted for overall program success and holistic data governance.

Our Impact:

FTI’s work identifying and analyzing thousands of applications and databases across the organization helped the client hit its first critical milestone—identifying sensitive data across all systems, defining the protection obligations required by the CMMC, GDPR, or other privacy rule, and developing a mitigation path for each. The protections that are being implemented will be foundational to fulfilling the new CMMC rules required for the company to preserve billions of dollars in contract work with the U.S. government, as well as ensuring the company adheres to the latest privacy regulations.

The team architected and deployed a data governance approach that both supports compliance with the most stringent regulations and remains agile enough to adapt to new, emerging laws and data protection requirements.