Data Security

Data Security

The primary objective of information security is to protect the confidentiality, integrity, and availability of the institution’s information assets. All of the controls discussed so far, whether at the perimeters, network or host levels, or embodied in actions taken by people, contribute to the achievement of that objective. However, not all data in an institution require the same protections as other data, and not all data remain within the institution’s physical perimeter.

Theory and Tools

Data security theory seeks to establish uniform risk-based requirements for the protection of data elements. To ensure that the protection is uniform within and outside of the institution, tools such as data classifications and protection profiles can be used. Data classification is the identification and organization of information according to its criticality and sensitivity. The classification is linked to a protection profile. A protection profile is a description of the protections that should be afforded to data in each classification. The profile is used both to develop and assess controls within the institution and to develop contractual controls and requirements for those outside the institution who may process, store, or otherwise use that data.

Protection profiles are also useful when data is transported. That may occur, for example, when back-up tapes are moved off-site, when a laptop is removed from the institution, or whenever removable media is used to store the data. The profile should indicate when logical controls such as encryption are necessary; describe the required controls; and address the contractual, physical, and logical controls around transportation arrangements.

Protection profiles should also address the protection of the media that contains the information.

Over time, protection profiles should be reviewed and updated. The review and updating should address new data storage technologies, new protective controls, new methods of attack as they appear, and changes in data sensitivity.

Practical Application

Data classification and protection profiles are complex to implement when the network or storage is viewed as a utility. Because of that complexity, some institutions treat all information at that level as if it were of the highest sensitivity and implement encryption as a protective measure. The complexity in implementing data classification in other layers or in other aspects of an institution’s operation may result in other risk mitigation procedures being used. Adequacy is a function of the extent of risk mitigation, and not the procedure or tool used to mitigate risk.

Policies regarding media handling, disposal, and transit should be implemented to enable the use of protection profiles and otherwise mitigate risks to data. If protection profiles are not used, the policies should accomplish the same goal as protection profiles, which is to deliver the same degree of residual risk without regard to whether the information is in transit or storage, who is directly controlling the data, or where the storage may be.

Handling and Storage

IT management should ensure secure storage of media. Controls could include physical and environmental controls such as fire and flood protection, limited access (e.g., physical locks, keypad, passwords, and biometrics), labeling, and logged access. Management should establish access controls to limit access to media, while ensuring that all employees have authorization to access the minimum data required to perform their responsibilities. More sensitive information such as system documentation, application source code, and production transaction data should have more extensive controls to guard against alteration (e.g., integrity checkers, cryptographic hashes). Furthermore, policies should minimize the distribution of sensitive information, including printouts that contain the information. Periodically, the security staff, audit staff, and data owners should review authorization levels and distribution lists to ensure they remain appropriate and current.

The storage of data in portable devices, such as laptops and PDAs, poses unique problems. Those devices may be removed from the institution and not protected by any physical security arrangements. Additionally, the devices may be lost or stolen. Mitigation of those risks typically involves encryption of sensitive data, host-provided access controls, homing beacons, and remote deletion capabilities. The latter two controls can be Internet-based. Homing beacons send a message to the institution whenever they are connected to a network and enable recovery of the device. Remote deletion uses a similar communication to the institution, and also enables a communication from the institution to the device that commands certain data to be deleted.

HORSE FACTS: Institutions should control and protect access to paper, film and computer-based media to avoid loss or damage.

Consider the following:

1. Establish and ensure compliance with policies for handling and storing information
2. Ensure safe and secure disposal of sensitive media
3. Secure information in transit or transmission to third parties

Disposal

Financial institutions need appropriate disposal procedures for both electronic and paper-based media. Designating a single individual, department, or function to be responsible for disposal facilitates accountability and promotes compliance with disposal policies. Policies should prohibit employees from discarding media containing sensitive information along with regular garbage to avoid accidental disclosure. Many institutions shred paper-based media on site and others use collection and disposal services to ensure the media is rendered unreadable and unlikely to be reconstructed. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience. Contracts with third-party disposal firms should address acceptable disposal procedures. The disposal of customer and consumer information should meet the requirements of the 501(b) guidelines.

Computer-based media presents unique disposal problems, and policies and procedures should comprehensively address all of the various types of electronic media in use. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting. Overwriting may be preferred when the media will be re-used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer-based media. Logs should record the party responsible for and performing disposal, as well as the date, medial type, hardware serial number, and method of disposal.

HORSE FACTS: Overwriting destroys data by replacing that data with new, random data. The replacement is accomplished by writing the new data to the disk sectors that hold the data being destroyed. To be effective, overwriting may have to be performed many times.

Transit

Financial institutions should maintain the security of media while in transit or when shared with third parties.

Policies should include:

• Contractual requirements that incorporate necessary risk-based controls
• Restrictions on the carriers used and procedures to verify the identity of couriers
• Requirements for appropriate packaging to protect the media from damage
• Use of encryption for transmission or transport of sensitive information,
• Tracking of shipments to provide early indications of loss or damage,
• Security reviews or independent security reports of receiving companies, and
• Use of nondisclosure agreements between couriers and third parties.

Financial institutions should address the security of their back-up tapes at all times, including when the tapes are in transit from the data center to off-site storage.