By Dennis Andrie, Director of Professional Services at NextLabs
NextLabs routinely advises customers whose businesses handle Controlled Technical Data (CTD) such as ITAR, EAR, and data controlled by non-US Jurisdictions, to take a proactive, systematic approach to managing CTD throughout its lifecycle. Many of these enterprises have been in business for a number of decades, during which time they have created substantial CTD organically, and acquired additional CTD through various business transactions and transformations. The CTD routinely spans every type of electronic storage that has ever been used in the enterprise. A portion of this CTD, in some cases a substantial portion, has reached Legacy CTD status, which means that it is no longer actively used in the normal business operations of the enterprise.
Windows file shares were the first large-scale devices to democratize the storage of Enterprise data, literally making very large amounts of storage available to almost every user with little supervision or control over what types of data were stored. These file shares in global enterprises often contain a mix of CTD that was or still may be managed by certain applications, as well as data that was put on the file share because the creator, manager, or user didn’t know where else to put it. In our experience, Windows file shares are a ubiquitous treasure trove of Legacy CTD, and an excellent choice to learn more about your Legacy CTD.
The first step in approaching Legacy CTD on file shares is to get an accurate listing of file shares across the enterprise. From that list, develop a high level map of what CTD is stored on each file share, and, if possible, how frequently the CTD is accessed. Next, determine if the data is associated with a product or service family that is currently sold or serviced by a business in the enterprise. If the data meets this test, then you can involve the owners of the product or service family to determine whether the data is required by the business. If the business does not need the data, it can be classified as Legacy CTD and removed from the file share to a secure storage location to which users do not have access without special permissions.
If the CTD you’ve identified does NOT meet the Product or Service Family test, you can look at the frequency of access that was part of the initial File Share inventory discussed above. We’d recommend choosing a point in time, for example, five years, and then moving all data that has not been accessed between the chosen point in time and today to a secure storage location as discussed above.