Educause Security Discussion mailing list archives

Safeguarding Sensitive Information: An Ounce of Prevention


From: "Gideon T. Rasmussen, CISSP, CISA, CISM, CFSO, SCSA" <lists () INFOSTRUCT NET>
Date: Mon, 25 Oct 2004 09:57:01 -0400

http://www.cyberguard.com/news_room/news_newsletter_041015safeguarding.cfm

Safeguarding Sensitive Information
- An Ounce of Prevention -

By Gideon T. Rasmussen - CISSP, CISA, CISM, CFSO, SCSA

Summary
Disclosure of sensitive information can cause severe damage to an
organization. In the absence of clearly defined policies and procedures,
disclosures will occur. Organizations must create and maintain a program
for effectively protecting sensitive information throughout its
lifecycle. A data security policy should detail how sensitive
information is labeled, stored, distributed and destroyed. The fast
operations tempo of the workplace and the complexity of systems
contribute to disclosures. The data security program must account for
this, with minimal impact on productivity.

Classification
As sensitive information is produced, the author must assign a data
classification to it. Basic commercial classifications include: Public,
Personal, Internal Use Only and Confidential. Classification is needed
so that everyone knows how an information asset should be protected.
Without classifications, data is not safeguarded appropriately and
disclosure occurs. For example, an e-mail is sent warning that an
attached file is for internal use only. The recipient saves the document
to a personal drive. Over time, the recipient forgets that the document
is sensitive and sends it to an external party. This type of disclosure
can be prevented with the use of Internal Use Only classification in the
document header and footer. Classification makes it possible to reduce
the cost of safeguards by deploying them based on sensitivity of
information rather than a “shotgun” approach. Systems and their
respective backup tapes should also be classified based on the
sensitivity of data stored within.

Storage
When not in use, sensitive documents must be stored under lock and key.
At no time should sensitive documentation be left unattended. When
sensitive information is stored in digital form, use strong encryption
on network drives and in databases. Sensitive files must also be
encrypted when stored in non-secure locations such as a hotel room.

Here are a few ways to protect digital assets using encryption: Use
WinZip’s AES encryption to protect one or many files. The WinZip archive
can then be sent by e-mail or saved to portable media such as a floppy
or writable CD-ROM. If you want to encrypt the hard drive of a laptop,
consider PGP, F-Secure or Authenex. Authenex provides additional
security by requiring the use of a USB token in conjunction with a
password. This is referred to as two-factor authentication (something
you know and something you have). eWallet password management software
offers both workstation and PDA versions.

Extremely sensitive information calls for layered protection. Consider
controlling access with Two Person Integrity (TPI). TPI requires two
people to access a given asset. For example, a TPI bank vault requires
two separate combinations to open.

Transportation
Hard copy documents must be controlled at all times. Once a document is
removed from storage, it must be kept in the physical possession of an
authorized employee. When transporting sensitive documentation, ensure
that it is protected from view by unauthorized personnel. When
transporting documents off-site, seal them in an envelope marked with
street address and phone number.

Encryption is an absolute requirement when transporting sensitive
documentation in digital format. This includes portable media and laptop
computers. Encrypt sensitive communications over insecure networks such
as the Internet with Virtual Private Network (VPN) software. Encrypt web
sites to protect sensitive communications such as login credentials and
remote e-mail access.

Distribution
Restrict access to sensitive information to employees with a
need-to-know. In other words, distribution should be limited to those
who need access in performance of their duties. Remind employees that
all sensitive documentation is subject to the non-disclosure agreement
signed upon date of hire.

Where possible, facilitate creation, viewing and modification of
sensitive information with a content management system (e.g. Livelink).
In the example above, the file lost its data classification once
separated from the e-mail used to distribute it. Separate copies of the
file were also created. In addition to access control, content
management systems provide versioning functionality. This helps maintain
data integrity by saving backups of previous file versions. “Check out”
functionality prevents more than one person from editing a document at a
time. Content management systems also provide auditing functions which
can be useful during an investigation.

If your budget does not allow for content management software, share
files on network drives or in a Microsoft Exchange public folder. Ensure
that the appropriate permissions are set to control read and write access.

Destruction

Sensitive documents must be thoroughly destroyed. Hard copy documents
should be shredded. Place shredder machines in common areas. Delete
sensitive files from temporary directories and the Recycle Bin
(Microsoft operating systems). Physically destroy any electronic media
used to store sensitive information before discarding it.

Become familiar with the rules and regulations governing retention of
information at each site. Investigate retention laws for accounting
paperwork, e-mail, audit files and logs.

Incidents
Disclosure of sensitive information is a security incident and should be
treated as such. Upon notification of a disclosure, the information
security team should conduct a formal investigation, resulting in an
incident report. Consider how the event occurred, potential damages and
how it can be prevented in the future.

Maintenance
The data security program must be maintained in order to be effective.
Keep up with changes in organizational structure, procedures and
technology. Reinforce policy with a security awareness program. Educate
employees about the dangers of information leaks (e.g. social engineers
and sensitive information at the bottom of an e-mail). Finally, advise
them that unauthorized disclosure may be subject to disciplinary action,
up to and including termination of employment.

It will take time for employees to adjust to a structured method of
safeguarding sensitive information. Explain the rationale for increased
security measures in common sense terms. As the saying goes, “an ounce of
prevention is worth a pound of cure.”
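
The Classification section notes that a label in the document header and footer stays with the file after it is separated from the e-mail that carried it, which means an outbound mail check can act on it. The following Python check is an added example, not part of the original article; the domain example.edu, the three-line header/footer window and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Labels from the article's scheme that must not leave the organization.
RESTRICTED = ("Internal Use Only", "Confidential")
ORG_DOMAIN = "example.edu"  # assumption: the organization's mail domain
EDGE_LINES = 3              # assumption: header/footer = first/last 3 non-blank lines

def classification(text):
    """Return the restricted label found in the header or footer, else None."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    edges = " ".join(lines[:EDGE_LINES] + lines[-EDGE_LINES:])
    for label in RESTRICTED:
        if re.search(re.escape(label), edges, re.IGNORECASE):
            return label
    return None

def external_recipients(msg):
    """List To/Cc addresses that are not in the organization's domain."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in pairs if not a.lower().endswith("@" + ORG_DOMAIN)]

def review_outbound(msg):
    """Return (filename, label, outsiders) for each labeled attachment leaving the org."""
    outside = external_recipients(msg)
    findings = []
    if not outside:
        return findings
    for part in msg.iter_attachments():
        if part.get_content_maintype() != "text":
            continue  # binary formats need a text extractor first
        label = classification(part.get_content())
        if label:
            findings.append((part.get_filename(), label, outside))
    return findings

def sample_message(to):
    """Constructed sample: the e-mail body carries no warning, only the file does."""
    msg = EmailMessage()
    msg["From"] = "alice@example.edu"
    msg["To"] = to
    msg["Subject"] = "Q3 plan"
    msg.set_content("Plan attached.")
    doc = "INTERNAL USE ONLY\n\nQ3 staffing plan\n...\n\nInternal Use Only - page 1\n"
    msg.add_attachment(doc, filename="plan.txt")
    return msg

if __name__ == "__main__":
    print(review_outbound(sample_message("bob@partner.example.com")))
```

An unlabeled file passes this check silently, which is the article's argument for assigning the classification when the document is authored.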
