Data security theory seeks to establish uniform risk-based requirements for the protection of data elements. To ensure that the protection is uniform within and outside of the institution, tools such as data classifications and protection profiles can be used. Data classification is the identification and organization of information according to its criticality and sensitivity. The classification is linked to a protection profile. A protection profile is a description of the protections that should be afforded to data in each classification. The profile is used both to develop and assess controls within the institution and to develop contractual controls and requirements for those outside the institution who may process, store, or otherwise use that data.
Protection profiles are also useful when data is transported. That may occur, for example, when back-up tapes are moved offsite, when a laptop is removed from the institution, or whenever removable media is used to store the data. The profile should indicate when logical controls such as encryption are necessary; describe the required controls; and address the contractual, physical, and logical controls around transportation arrangements.
Protection profiles should also address the protection of the media that contains the information.
Over time, protection profiles should be reviewed and updated. The review and updating should address new data storage technologies, new protective controls, new methods of attack as they appear, and changes in data sensitivity.