Any organization has data that is considered sensitive for a variety of reasons.
We want to protect the data from Disclosure, Alteration and Destruction (DAD).
Data has three states (at rest, in motion, in use), and we want to protect it as well as we can in each state.
Data at rest: this is data on disks, tapes, CDs/DVDs and USB sticks.
We use disk encryption (full/partial), USB encryption, tape encryption (avoid CDs/DVDs).
Encryption can be hardware or software encryption.
Data in motion: we encrypt our network traffic end to end, on both internal and external networks.
Data in use: use good practices such as a clean desk policy, a print policy, allowing no ‘shoulder surfing’ (possibly with viewing-angle privacy screens on monitors), and locking the computer screen when leaving the workstation.
Only trusted individuals should handle our data; we should also have policies on how, where, when and why the data is handled, and logs should be in place to record this.
Where do we keep our sensitive data? It should be kept in a secure, climate-controlled facility, preferably geographically distant or at least far enough away that an incident at the primary site will not affect that facility too.
Many older breaches came from bad policies around tape backups.
Tapes were kept at the homes of employees instead of at a proper storage facility, or in a storage room with no access logs and no access restrictions (and often unencrypted).
Data should not be kept beyond its period of usefulness or beyond the legal retention requirement, whichever is longer.
Regulations (e.g. HIPAA or PCI DSS) may require a certain retention period for the data (1, 3 or 7 years, or indefinitely).
Each industry has its own regulations and company policies may differ from the statutory requirements.
Know your retention requirements!
Objects have Labels assigned to them.
The label is used to allow Subjects with the right clearance to access them.
Labels are often more granular than just “Top Secret”; they can be “Top Secret – Nuclear.”
Subjects have Clearance assigned to them: a formal decision on a subject’s current and future trustworthiness.
The higher the clearance, the more in-depth the background checks should be (always in the military, not always in business).
Formal Access Approval: a document from the data owner approving access to the data for the subject.
The subject must understand all requirements for accessing the data and the liability involved if it is compromised, lost or destroyed.
Appropriate Security Clearance is required as well as the Formal Access Approval.
Just because you have access does not mean you are allowed to use the data.
You need a valid reason for accessing the data. If you do not have one you can be terminated/sued/jailed/fined.
Leaked information about Octomom Natalie Suleman cost 15 Kaiser employees fines or terminations because they had no valid reason for accessing her file.
We may never know who actually leaked the information. It may not have been one of the 15, but they still violated HIPAA by accessing the data without a valid reason.
Users have the minimum necessary access to perform their job duties.
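The access decision described above (label with compartments, clearance, formal access approval, and a valid reason for each access, with everything logged so a Kaiser-style review is possible) as a small worked example. This is added illustration code, not from the original notes; the level ordering, the field names and the sample subjects are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordering of classification levels (hypothetical scheme, not from the notes).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """Label on an object, or clearance of a subject: a level plus compartments,
    so "Top Secret - Nuclear" is Label("Top Secret", frozenset({"Nuclear"}))."""
    level: str
    compartments: frozenset = frozenset()

@dataclass
class Subject:
    name: str
    clearance: Label                              # formal decision on trustworthiness
    approvals: set = field(default_factory=set)   # object ids with formal access approval

AUDIT_LOG = []   # every attempt is recorded, whether granted or not

def dominates(clearance, label):
    """Clearance must reach the label's level and cover every compartment."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)

def access(subject, obj_id, label, reason):
    """Grant only when clearance, formal approval and a stated reason are all present."""
    checks = {
        "clearance": dominates(subject.clearance, label),
        "formal_approval": obj_id in subject.approvals,
        "need_to_know": bool(reason and reason.strip()),
    }
    failed = [name for name, ok in checks.items() if not ok]
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "who": subject.name,
                      "what": obj_id, "why": reason, "failed": failed})
    return not failed

def authorized_but_no_reason(log):
    """Review helper for the Kaiser-style case: subjects who were cleared and approved
    for the record yet gave no valid reason for looking at it."""
    return [entry for entry in log if entry["failed"] == ["need_to_know"]]
```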