- slide 1 of 5
Locating Your Assets
The first and most important step in protecting business data is to understand what you're protecting and where it's located. To use an analogy, you can have the largest army in the world, but if you don't know what to defend, what's the point of having an army? Many companies make the mistake of defining security controls before they've identified their assets. Business data that needs to be protected comes in many forms, from credit card numbers to names and addresses; all of it needs protection. Defining a security control is important, but the business needs to understand what data it's going to protect first.
So what business data needs to be protected? That depends on the business, but the basic types to look for are personally identifiable information (PII) and sensitive personal information (SPI).
Personally identifiable information (PII) consists of:
- Full names
- Driver's license numbers
- Biometric data (face, fingerprints, handwriting)
- Identification numbers (e.g. social security number)
- Vehicle registration plate numbers
Basically any information that can identify an individual.
PII becomes sensitive personal information (SPI) once any of the above is combined with any of the information below:
- Social security numbers or Taxpayer ID numbers
- Credit or debit card numbers
- Financial/salary information
- Health records
- Student data records
There is some overlap between PII and SPI, but the idea is the same: any information that can be used to identify an individual needs to be protected. Even before the internet existed, criminals used this type of information to commit identity theft.
There will have to be many interviews with support teams at all levels (operating system, database, application) to understand the types of information being stored. The servers, databases, and even Excel workbooks that contain this data must be identified and tagged. This is an excruciating process, but it's better to get it done, and done right, than to let this data grow without control or oversight.
The business must also not overlook the physical location where the data is stored. Hacking isn't always performed online. Social engineers can use attack vectors such as pretexting to reach data through the physical world.
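A practical way to start the inventory described above is to scan the stores the support teams point you at for the patterns that mark PII and SPI. The following Python script is an added example, not code from the original article: it scans a set of constructed sample records (the file paths and their contents are made up for illustration) for Social Security numbers and payment card numbers, validates card candidates with the Luhn check so that a random 16-digit order reference is not tagged as a card, and reports each location with masked values so the inventory itself does not become another store of protected data.

```python
import re

# Constructed sample "data stores": a location label mapped to the text found there.
# These are made up for illustration; in practice the text comes from files,
# database exports or spreadsheet cells gathered during the interviews.
SAMPLE_STORES = {
    "hr/payroll_2023.xlsx:Sheet1": "Jane Doe, SSN 123-45-6789, salary 85000",
    "crm/export.csv": "John Smith,john@example.com,4111 1111 1111 1111",
    "ops/ticket-4471.txt": "order ref 1234567812345678 shipped to warehouse 2",
    "docs/readme.txt": "no sensitive data here",
}

# US Social Security number in dashed form; the lookaheads exclude area 000, 666
# and 9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes. This is a
# candidate pattern only; the Luhn check below decides whether it is a card.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, masked_value) pairs for every SSN or Luhn-valid card number in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("CARD", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def inventory(stores: dict) -> dict:
    """Tag every store that holds protected data; stores with no findings are left out."""
    tagged = {}
    for location, text in stores.items():
        found = scan_text(text)
        if found:
            tagged[location] = found
    return tagged


if __name__ == "__main__":
    for location, found in inventory(SAMPLE_STORES).items():
        print(location + ": " + ", ".join(kind + " " + value for kind, value in found))
```

Running it tags the payroll workbook and the CRM export and leaves the ops ticket alone, because its 16-digit reference fails the Luhn check. The same approach extends to other patterns (driver's licence formats, account numbers); the important design choices are to validate candidates rather than trust a bare regex, and to store only masked values in the inventory.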
- slide 2 of 5
Following Your Data
The second step in protecting business data is to map out where the data travels. Once storage locations have been identified, the business needs to understand how the data traverses the network. One important item is to understand when and where data leaves the company's internal network for an external one. There are certain data security standards companies must meet when it comes to transmission of data. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires cardholder data to be encrypted with strong cryptography when it is transmitted over open, public networks, while it does not mandate encryption for transmission within the internal network. Therefore it's important to note when the transmission of data stops being internal and becomes external, and vice versa.
This is another round of interviews with support teams at all levels. It's another time-consuming process, but it needs to be performed. Hackers may have a hard time accessing stored data records, but if the business doesn't understand the flow of its own data, it may miss protecting the data in transit. Hackers can resort to listening in on transmissions (sniffing) to pick up data that the business needs to protect.
The business needs to broaden its focus from protecting only stored data to protecting transmitted data as well.
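The boundary question above is easy to answer mechanically once the flows have been collected. The following Python snippet is an added example, not code from the original article: it takes a few constructed flow records (source IP, destination IP, destination port), decides whether each stays inside the RFC 1918 private ranges or crosses to an external network, and uses the destination port as a rough indicator of whether the transmission is encrypted. Cleartext flows that leave the internal network are the ones the PCI DSS point above is about; cleartext internal flows are reported as a lesser finding. The port-to-protocol tables are assumptions for the example; real traffic should be confirmed by inspection rather than by port number.

```python
import ipaddress

# RFC 1918 private ranges; anything outside these is treated as an external network.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Port-to-protocol tables are assumptions for this example. A port is only a hint:
# confirm what is really on the wire before trusting the verdict.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 1433: "mssql", 3306: "mysql"}
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 465: "smtps", 993: "imaps"}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.5.9", 3306),       # app server querying a database on the LAN
    ("10.1.2.3", "203.0.113.10", 443),    # HTTPS to a partner on the internet
    ("10.1.2.3", "203.0.113.25", 25),     # SMTP to an external mail relay
    ("192.168.4.7", "198.51.100.8", 22),  # SSH/SFTP upload to a hosting provider
    ("172.31.0.5", "8.8.8.8", 8443),      # unknown service; the port alone says nothing
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str, dport: int) -> dict:
    """Label a flow as internal/external and cleartext/encrypted/unknown."""
    boundary = "internal" if is_internal(src) and is_internal(dst) else "external"
    if dport in CLEARTEXT_PORTS:
        verdict, protocol = "cleartext-" + boundary, CLEARTEXT_PORTS[dport]
    elif dport in ENCRYPTED_PORTS:
        verdict, protocol = "encrypted", ENCRYPTED_PORTS[dport]
    else:
        verdict, protocol = "unknown", "?"
    return {"src": src, "dst": dst, "dport": dport, "protocol": protocol,
            "boundary": boundary, "verdict": verdict}


def review_flows(flows) -> list:
    return [classify_flow(*flow) for flow in flows]


def must_fix(results) -> list:
    """Cleartext flows that leave the internal network: the standard requires these encrypted."""
    return [r for r in results if r["verdict"] == "cleartext-external"]


if __name__ == "__main__":
    for r in review_flows(SAMPLE_FLOWS):
        print(f'{r["src"]} -> {r["dst"]}:{r["dport"]} ({r["protocol"]}) {r["boundary"]} {r["verdict"]}')
```

In the sample set only the SMTP flow to 203.0.113.25 is a must-fix, the MySQL query on the LAN is a recommendation, and the flow on 8443 is flagged as unknown so that someone goes and looks rather than assuming it is TLS.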
- slide 3 of 5
Once the business understands where the data that needs to be protected is stored and when it's transmitted, it needs to start documenting the controls to put in place. There are many ways to approach this, but read on to see the basic control set that should be used to protect business data. Understand the importance of not only documenting controls but also communicating and, finally, enforcing them. Self-assessments and internal audits are a fundamental part of the house of cards known as security. In addition, management must support the decision to follow and abide by controls to protect business data.
- slide 4 of 5
Defining Security Controls
Once the business has identified where data is stored and where it travels, it needs to define the security controls that will be put in place to protect the data. There are many methods to define these controls, and this step will require management support. One important thing to note is that the business must be able to support the security controls. Defining security controls that cannot be implemented due to lack of funds or technology is pointless.
Though every company is different, there are basic security controls that should be in place for any business. The main areas of concern are logical access, physical access, accountability, encryption, and disposal of data.
Logical Access Controls
Logical access controls govern how data is accessed through a computer system. Examples of controls that would fall in this area would be:
- Unique user IDs
- Strict password requirements (such as length, complexity, rotation, history)
- Role-based access
- User access provisioning process that requires manager approvals (Preventative)
- User access reviews performed by management (Detective)
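The provisioning and review controls above can be checked mechanically by reconciling what the systems say against what HR says. The following Python snippet is an added example, not from the original article: it compares a constructed HR roster (user, role, employment status) and a role-to-entitlement matrix against the accounts actually present on a system, and produces the three findings an access review is looking for: accounts with no owner in HR, accounts that survived a termination, and accounts holding entitlements their role does not justify. All names, roles and entitlements are made up for the example.

```python
# Constructed role-to-entitlement matrix: what each job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "analyst": {"crm_read"},
    "dba": {"crm_read", "db_admin"},
    "finance": {"payroll_read", "payroll_write"},
}

# Constructed HR roster: user id -> (role, employment status).
HR_ROSTER = {
    "jdoe": ("analyst", "active"),
    "asmith": ("dba", "active"),
    "bwong": ("finance", "terminated"),
    "clee": ("analyst", "active"),  # active employee with no account yet; not a finding
}

# Constructed account export from the system under review: user id -> entitlements held.
SYSTEM_ACCOUNTS = {
    "jdoe": {"crm_read", "db_admin"},    # db_admin is not part of the analyst role
    "asmith": {"crm_read", "db_admin"},  # exactly what a dba should have
    "bwong": {"payroll_read"},           # left the company, account never removed
    "svc_backup": {"db_admin"},          # no owner in HR
}


def review_access(roster: dict, accounts: dict, entitlements: dict) -> list:
    """Return (user, finding, details) tuples for the reviewer to resolve.

    orphaned: the account has no owner in the roster (service account or leftover).
    terminated-still-active: the owner is no longer employed but the account remains.
    excess-privilege: the account holds entitlements its role does not include.
    """
    findings = []
    for user, held in sorted(accounts.items()):
        if user not in roster:
            findings.append((user, "orphaned", sorted(held)))
            continue
        role, status = roster[user]
        if status != "active":
            findings.append((user, "terminated-still-active", sorted(held)))
        excess = held - entitlements.get(role, set())
        if excess:
            findings.append((user, "excess-privilege", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, details in review_access(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS):
        print(f"{user}: {finding} {details}")
```

The reviewer still has to decide each case (svc_backup may be a legitimate service account that needs a named owner, jdoe may have been given db_admin for a project that ended), but the script turns an open-ended "review the access list" task into a short list of specific questions with evidence attached.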
Physical Access Controls
Physical access controls govern physical access to the places where protected data is kept. Examples include:
- Locked server rooms
- Unique badges or keys for employees
- Sign-in sheet for visitors, with employee escorts required
- Periodic review of who holds badges or keys
- Provisioning process that requires manager approval for badges or keys
Accountability Controls
Accountability controls are controls in place not only to identify a user but also to record what the user did. Examples include:
- Logging of user access
- Logging of administrative activity
- Logging of failed access attempts to the system
- File integrity monitoring of system critical files and folders
- Resolution process for reviewing security alerts flagged in logs
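Logging is only a control if someone looks at the logs, and the resolution process above needs a way to turn raw lines into alerts. The following Python snippet is an added example, not from the original article: it parses a handful of constructed syslog-style sshd and sudo lines, raises a medium alert when a single source produces five failed logins inside a minute, escalates to high if that source then logs in successfully, and records every sudo command for the administrative-use review. The threshold, the window and the log format are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the common syslog/sshd format; not from a real system.
SAMPLE_LOG = """\
Mar 10 09:12:01 db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:12:03 db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Mar 10 09:12:05 db01 sshd[2201]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 09:12:06 db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Mar 10 09:12:08 db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50126 ssh2
Mar 10 09:12:10 db01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 50127 ssh2
Mar 10 09:30:44 db01 sshd[2290]: Failed password for jdoe from 10.1.2.3 port 41000 ssh2
Mar 10 09:31:02 db01 sshd[2290]: Accepted password for jdoe from 10.1.2.3 port 41001 ssh2
Mar 10 10:05:00 db01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_ts(text: str) -> datetime:
    # Syslog lines carry no year; only differences between timestamps are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Turn auth log lines into alerts for the review process."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    suspicious = set()             # sources that already tripped the threshold
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
            if m["result"] == "Failed":
                q = failures[src]
                q.append(ts)
                while q and ts - q[0] > window:  # drop failures outside the window
                    q.popleft()
                if len(q) >= threshold and src not in suspicious:
                    suspicious.add(src)
                    alerts.append({"severity": "medium", "rule": "auth-failure-burst",
                                   "src": src, "count": len(q)})
            elif src in suspicious:  # a success after a burst is the one to chase first
                alerts.append({"severity": "high", "rule": "success-after-failure-burst",
                               "src": src, "user": user})
            continue
        m = SUDO_RE.match(line)
        if m:  # every privileged command is recorded for the administrative-use review
            alerts.append({"severity": "info", "rule": "privileged-command",
                           "user": m["user"], "target": m["target"], "cmd": m["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample the burst from 203.0.113.7 produces a medium alert, the successful login that follows it produces a high one, jdoe's single typo produces nothing, and the sudo line lands in the administrative-use review. The same structure (parse, keep state per source, escalate on a sequence) carries over to web server, database and application logs.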
Encryption Controls
Encryption controls are controls in place to encrypt protected data so that hackers cannot read it even if they manage to steal it. Examples include:
- Encryption of stored databases
- Encryption of entire servers that contain protected data
- Encryption of transmitted data (internal and/or external)
- Rotation of keys for the encrypted data (should be performed annually at the very least)
Disposal of Data Controls
Data disposal controls ensure that data being disposed of is actually destroyed. Examples include:
- Wiping any and all hard drives before they leave the business (this includes the drives found in printers and copy machines!). Degaussing works on magnetic media only; solid-state drives need a secure erase or physical destruction.
- Shredding all physical papers that contain protected data
These controls should be well defined and placed in the business's policies and standards. Communication is also a key factor. Policies and standards should be communicated to employees often, to remind them of the importance of protecting data.
- slide 5 of 5
Enforcing Controls and Protecting Data
Finding the data, understanding the data and defining controls to protect it are only the beginning. The actual enforcement of controls is one of the hardest parts of protecting business data. Some regulations, such as Sarbanes-Oxley, mandate external audits of controls, but most of the time there is no requirement for an external audit. This means the business needs to understand the importance of protecting data and perform a self-assessment or internal audit of its controls. Auditing has been seen as a plague by many companies, as it requires lots of time and resources, but it is the best way to validate that security controls continue to exist and operate. Management must understand the importance of controls and of protecting data, or else all of the efforts mentioned above will fall apart.
Security truly needs to be a joint effort between the business and IT departments. From identifying the business's needs for the information it gathers and transmits, to the IT security concerns and the controls the business can support, it needs to be a group decision. Management on both sides of the fence needs to come together to build this house of cards and make it secure.
This exercise in identifying the data that needs to be protected, and the controls around it, needs to be revisited at least annually to determine whether any changes need to be made. In the fast-paced world of cyber crime, businesses need to be two, three, even four steps ahead of cyber criminals, or they may end up in the newspapers as the latest headline. Remember, these are only the basic techniques for protecting data and can always be expanded upon. The important thing is to start early. Identifying assets early will help as the business grows and expands, and protecting those valuable assets will be much easier in the long run.