Policies form the foundation of any information security program and having strong data security policies is a critical component of your efforts to protect information. In this video, you’ll learn about the role that data security policies play in an organization and how to create appropriate security policies, particularly around data storage, transmission, retention, wiping, and disposal.
- [Instructor] Policies form the foundation of any information security program, and having strong data security policies is a critical component of your efforts to protect information. Data security policies and procedures place several important roles in an organization. No matter what specific issue a policy or procedure covers, it should meet sever key criteria. Policies provide the foundational authority for data security efforts. Adding legitimacy to your work and providing a hammer, if needed, to insure compliance.
They also offer clear expectations for everyone involved in data security, by explaining what data must be protected, and the controls that should be used to protect that data. They provide guidance on the appropriate paths to follow when requesting access to data for business purposes, and they offer an exception process for formally requesting policy exceptions when necessary to meet business requirements. Let's take a look at a few of the key issues that your data security policies should cover. Following these principles that I just described.
Data classification policies describe the security levels of information used in an organization, and the process for assigning information to a particular classification level. These classifications are assigned based on both the sensitivity of the information and the criticality of that information to the enterprise. For example, the military uses the familiar top secret, secret, confidential, unclassified classification scheme. A business on the other hand, might use friendlier terms to accomplish the same goal.
Such as highly sensitive, sensitive, internal, and public. Data classification is extremely important because it is used as the basis for other data security decisions. For example, a company might require the use of strong encryption to protect sensitive and highly sensitive information. Both at rest and in motion. Data storage is a key component of security policy. Data storage policies should explain to users appropriate storage locations for data of varying classification levels.
For example, policy might restrict the use of cloud storage solutions for highly sensitive information. Data storage policies should also address access control requirements for stored information. Including the process use to gain access to data, and the mechanisms used to enforce access controls. The policy should also explain encryption requirements for information at different classification levels and in different storage environments. For example, and organization might allow the unencrypted storage of information on hard drives located inside a secured data center, but require encryption for all other storage locations.
Such as cloud services or employee laptops. Data transmission policies protect data in motion. Data is especially vulnerable when it is being transmitted over a network because it becomes susceptible to eavesdropping attacks. Therefore, data transmission policies should cover what data may be transmitted over different kinds of networks and under what authority. This should also describe the use of encryption to protect information and transit over public or private networks, and appropriate transmission locations for sensitive information.
Such as the types of information that may leave cooperate networks without special permission. Finally, data lifecycle policies provide important guidance concerning the end-of-life process for information. This is important because information may retain sensitivity even after the organization no longer requires it. Data lifecycle policies should address at least two important issues. First, data retention policies should describe how long an organization will keep different data elements. This may include a minimum retention period such as retaining all tax related records for seven years.
It also may include a maximum retention period. Stating for example that customer credit card information should only be retained for the length of time necessary to complete a transaction. Data retention policies limit an organizations risk exposure by ensuring the data is kept for as long as it is needed but no longer. These policies effect both hardware and personnel, and should apply equally to electronic and paper records. Second, data retention policies should cover the proper disposal of data.
Including the wiping techniques used to securely erase hard drives, flash drives, and storage media before they are thrown away, recycled, or otherwise discarded. This is extremely important because of data remnants issues. Simply deleting files or formatting a hard disk, is not sufficient to remove all traces of that data from a device. Security administrators must use specialized tools to securely wipe storage devices and prevent their future retrieval of information believed to have been deleted.
These tools include software applications such as Derek's Boot and Nuke, otherwise known as DBAN, and hardware tools. Such as magnetic degaussers and device shredders. These data security policies provide an important foundation for data security efforts.
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Understanding data security policies and roles
- Limiting data collection
- Developing security baselines
- Leveraging industry standards
- Restricting access to data with Windows and Linux file permissions
- Encrypting data
- Securing cloud storage