CASE STUDY

Spirion Helps Gas Utility Achieve Enterprise-Wide Sensitive Data Compliance

About the Utility

This U.S. natural gas distributor has more than two million customers in five states and manages 30,000 miles of pipelines. Sensitive information, including details on the distribution network and location policies, as well as customer data and payment details, is continuously collected and must be protected to ensure smooth operations and compliance with multiple regulations.

 

Challenge 

A natural gas utility had two challenges: keep operational documents from leaking and achieve PCI-DSS compliance. It maintains internal documentation on the company’s distribution network and operating procedures. It also collects payment from its customers electronically through a PCI-approved payment application, and in person through credit cards and bank checks.

The Utility established rules that govern the use and retention of these documents; however, it was unable to find the right tools to inventory the assets and proactively audit their usage.

To meet PCI compliance, the Utility needed to keep their internal information systems free of insecure PCI data and provide a quarterly compliance report. It had limited resources and did not want to rely exclusively on outside consultants to comply with PCI-DSS.

Senior leadership began a search for technology to inventory their network for sensitive data, correct business processes, and achieve compliance.

Solution 

The Utility selected Data Security Posture Management (DSPM) provider Spirion as step one in its data governance journey. The solution immediately added value and sensitive data protection by:

  • Performing scans on file servers, shared storage, Intranet websites, and databases. 
  • Identifying sensitive information specified by the Utility's terms, as well as cardholder data.
  • Establishing one central platform, enabling all data collection and reporting to be used for compliance auditing and internal management. 

After being installed on only one computer, the technology scanned all shared storage and file servers, enabling the utility staff to immediately gain valuable insight and start the important process of understanding and protecting their data. Also, since no file servers needed to be restarted, there was minimal disruption to the operations.

Results 

The Utility loaded their sensitive information search terms, enabled cardholder search, and then Spirion quickly identified risks in their data environment, such as:

  • Where sensitive data lived. 
  • What files were used and who owned them. 
  • Data classification and sensitive information type.  

The Utility’s management team used the results to call attention to process and behavioral changes to maintain a more secure environment. Shortly after, corrective measures were taken to fix data issues while Spirion continued to monitor internal systems for insecure data. The reports also provide a wealth of information to continually improve the processes.  

The impactful result for the Utility was an enterprise-wide process for sensitive data monitoring, auditing, and compliance reporting, all set up and maintained with minimal staff resources.