Identifying and controlling where sensitive data is stored or transmitted in your environment allows you to better scope the implementation of security controls, and reduce both the administrative and financial costs of security.
Jeremy Molnar, vice president of professional services for CynergisTek in Austin, Texas: For example, 1,000 workstations that may or may not contain electronic protected health information should be encrypted to minimize risks associated with possible theft. On the other hand, 1,000 thin clients that do not store data and only provide a view of data do not need encryption.
The other security controls needed to manage either situation are pretty much the same, but removing the need for implementing and managing the encryption solution alone creates huge savings for the organization. The Payment Card Industry Data Security Standard recognizes this by allowing an organization to define "in scope" assets, but this practice can and should be applied to any and all systems containing sensitive or confidential data. Consider using data discovery and/or data loss prevention tools instead of manual identification to help automate and improve accuracy when identifying stores with sensitive data. That way, the data can either be removed or appropriate security controls can be put into place. Better data management is the key to reducing risk and the cost of security.