Welcome » IT Booklets » Information Security » Security Controls Implementation » Data Security » Practical Application
Data classification and protection profiles are complex to implement when the network or storage is viewed as a utility. Because of that complexity, some institutions treat all information at that level as if it were of the highest sensitivity and implement encryption as a protective measure. The complexity in implementing data classification in other layers or in other aspects of an institution's operation may result in other risk mitigation procedures being used. Adequacy is a function of the extent of risk mitigation, and not the procedure or tool used to mitigate risk.
Policies regarding media handling, disposal, and transit should be implemented to enable the use of protection profiles and otherwise mitigate risks to data. If protection profiles are not used, the policies should accomplish the same goal as protection profiles, which is to deliver the same degree of residual risk without regard to whether the information is in transit or storage, who is directly controlling the data, or where the storage may be.
IT management should ensure secure storage of media. Controls could include physical and environmental controls such as fire and flood protection, limited access (e.g., physical locks, keypad, passwords, and biometrics), labeling, and logged access. Management should establish access controls to limit access to media, while ensuring that all employees have authorization to access the minimum data required to perform their responsibilities. More sensitive information such as system documentation, application source code, and production transaction data should have more extensive controls to guard against alteration (e.g., integrity checkers, cryptographic hashes). Furthermore, policies should minimize the distribution of sensitive information, including printouts that contain the information. Periodically, the security staff, audit staff, and data owners should review authorization levels and distribution lists to ensure they remain appropriate and current.
The storage of data in portable devices, such as laptops and PDAs, poses unique problems. Those devices may be removed from the institution and not protected by any physical security arrangements. Additionally, the devices may be lost or stolen. Mitigation of those risks typically involves encryption of sensitive data, host-provided access controls, homing beacons, and remote deletion capabilities. The latter two controls can be Internet-based. Homing beacons send a message to the institution whenever they are connected to a network and enable recovery of the device. Remote deletion uses a similar communication to the institution, and also enables a communication from the institution to the device that commands certain data to be deleted.
Financial institutions need appropriate disposal procedures for both electronic and paper-based media. Designating a single individual, department, or function to be responsible for disposal facilitates accountability and promotes compliance with disposal policies. Policies should prohibit employees from discarding media containing sensitive information along with regular garbage to avoid accidental disclosure. Many institutions shred paper-based media on site and others use collection and disposal services to ensure the media is rendered unreadable and unlikely to be reconstructed. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience. Contracts with third-party disposal firms should address acceptable disposal procedures. The disposal of customer and consumer information should meet the requirements of the 501(b) guidelines.
Computer-based media presents unique disposal problems, and policies and procedures should comprehensively address all of the various types of electronic media in use. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting.Overwriting destroys data by replacing that data with new, random data. The replacement is accomplished by writing the new data to the disk sectors that hold the data being destroyed. To be effective, overwriting may have to be performed many times.Overwriting may be preferred when the media will be re-used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer-based media. Logs should record the party responsible for and performing disposal, as well as the date, medial type, hardware serial number, and method of disposal.
Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include
Financial institutions should address the security of their back-up tapes at all times, including when the tapes are in transit from the data center to off-site storage.