Classification
As sensitive information is produced, the author must assign
a data classification to it. Basic commercial classifications
include: Public, Personal, Internal Use Only and Confidential.
Classification is needed so that everyone knows how an information
asset should be protected. Without classifications, data
is not safeguarded appropriately and disclosure occurs.
For example, an e-mail is sent warning that an attached
file is for internal use only. The recipient saves the document
to a personal drive. Over time, the recipient forgets that
the document is sensitive and sends it to an external party.
This type of disclosure can be prevented with the use of
an Internal Use Only classification in the document header
and footer. Classification makes it possible to reduce the
cost of safeguards by deploying them based on sensitivity
of information rather than a shotgun approach.
Systems and their respective backup tapes should also be
classified based on the sensitivity of data stored within.
Storage
When not in use, sensitive documents must be stored under
lock and key. At no time should sensitive documentation
be left unattended. When sensitive information is stored
in digital form, use strong encryption on network drives
and in databases. Sensitive files must also be encrypted
when stored in non-secure locations such as a hotel room.
Here are a few ways to protect digital assets using encryption: Use WinZip's AES encryption to protect one or many files. The WinZip archive can then be sent by e-mail or saved to portable media such as a floppy or writable CD-ROM. If you want to encrypt the hard drive of a laptop, consider PGP, F-Secure or Authenex. Authenex provides additional security by requiring the use of a USB token in conjunction with a password. This is referred to as two-factor authentication (something you know and something you have). eWallet password management software offers both workstation and PDA versions.
Extremely sensitive information calls for layered protection. Consider controlling access with Two Person Integrity (TPI). TPI requires two people to access a given asset. For example, a TPI bank vault requires two separate combinations to open.
Transportation
Hard copy documents must be controlled at all times. Once
a document is removed from storage, it must be kept in the
physical possession of an authorized employee. When transporting
sensitive documentation, ensure that it is protected from
view by unauthorized personnel. When transporting documents
off-site, seal them in an envelope marked with street address
and phone number.
Encryption is an absolute requirement when transporting sensitive documentation in digital format. This includes portable media and laptop computers. Encrypt sensitive communications over insecure networks such as the Internet with Virtual Private Network (VPN) software. Encrypt web sites to protect sensitive communications such as login credentials and remote e-mail access.
Distribution
Restrict access to sensitive information to employees with
a need-to-know. In other words, distribution should be limited
to those who need access in performance of their duties.
Remind employees that all sensitive documentation is subject
to the non-disclosure agreement signed upon date of hire.
Where possible, facilitate creation, viewing and modification of sensitive information with a content management system (e.g. Livelink). In the example above, the file lost its data classification once separated from the e-mail used to distribute it. Separate copies of the file were also created. In addition to access control, content management systems provide versioning functionality. This helps maintain data integrity by saving backups of previous file versions. Check-out functionality prevents more than one person from editing a document at a time. Content management systems also provide auditing functions, which can be useful during an investigation.
If your budget does not allow for content management software, share files on network drives or in a Microsoft Exchange public folder. Ensure that the appropriate permissions are set to control read and write access.
Destruction
Sensitive documents must be thoroughly destroyed. Hard copy documents
should be shredded. Place shredder machines in common areas.
Delete sensitive files from temporary directories and the
Recycle Bin (Microsoft operating systems). Physically destroy
any electronic media used to store sensitive information
before discarding it.
Become familiar with the rules and regulations governing retention of information at each site. Investigate retention laws for accounting paperwork, e-mail, audit files and logs.
Incidents
Disclosure of sensitive information is a security incident
and should be treated as such. Upon notification of a disclosure,
the information security team should conduct a formal investigation,
resulting in an incident report. Consider how the event
occurred, potential damages and how it can be prevented
in the future.
Maintenance
The data security program must be maintained in order to
be effective. Keep up with changes in organizational structure,
procedures and technology. Reinforce policy with a security
awareness program. Educate employees about the dangers of
information leaks (e.g. social engineers and sensitive information
at the bottom of an e-mail). Finally, advise them that unauthorized
disclosure may be subject to disciplinary action, up to
and including termination of employment.
It will take time for employees to adjust to a structured method
of safeguarding sensitive information. Explain the rationale
for increased security measures in common sense terms. As
the saying goes, "an ounce of prevention is worth a
pound of cure".
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission