Safeguarding Sensitive Information - An Ounce of Prevention
By Gideon T. Rasmussen - CISSP, CISA, CISM, CFSO, SCSA

Disclosure of sensitive information can cause severe damage to an organization. In the absence of clearly defined policies and procedures, disclosures will occur. Organizations must create and maintain a program for effectively protecting sensitive information throughout its lifecycle. A data security policy should detail how sensitive information is labeled, stored, distributed and destroyed. The fast operations tempo of the workplace and the complexity of systems contribute to disclosures. The data security program must account for this, with minimal impact on productivity.

As sensitive information is produced, the author must assign a data classification to it. Basic commercial classifications include: Public, Personal, Internal Use Only and Confidential. Classification is needed so that everyone knows how an information asset should be protected. Without classifications, data is not safeguarded appropriately and disclosure occurs. For example, an e-mail is sent warning that an attached file is for internal use only. The recipient saves the document to a personal drive. Over time, the recipient forgets that the document is sensitive and sends it to an external party. This type of disclosure can be prevented with the use of Internal Use Only classification in the document header and footer. Classification makes it possible to reduce the cost of safeguards by deploying them based on sensitivity of information rather than a “shotgun” approach. Systems and their respective backup tapes should also be classified based on the sensitivity of data stored within.

When not in use, sensitive documents must be stored under lock and key. At no time should sensitive documentation be left unattended. When sensitive information is stored in digital form, use strong encryption on network drives and in databases. Sensitive files must also be encrypted when stored in non-secure locations such as a hotel room.

Here are a few ways to protect digital assets using encryption: Use WinZip’s AES encryption to protect one or many files. The WinZip archive can then be sent by e-mail or saved to portable media such as a floppy or writable CD-ROM. If you want to encrypt the hard drive of a laptop, consider PGP, F-Secure or Authenex. Authenex provides additional security by requiring the use of a USB token in conjunction with a password. This is referred to as two-factor authentication (something you know and something you have). eWallet password management software offers both workstation and PDA versions.

Extremely sensitive information calls for layered protection. Consider controlling access with Two Person Integrity (TPI). TPI requires two people to access a given asset. For example, a TPI bank vault requires two separate combinations to open.

Hard copy documents must be controlled at all times. Once a document is removed from storage, it must be kept in the physical possession of an authorized employee. When transporting sensitive documentation, ensure that it is protected from view by unauthorized personnel. When transporting documents off-site, seal them in an envelope marked with street address and phone number.

Encryption is an absolute requirement when transporting sensitive documentation in digital format. This includes portable media and laptop computers. Encrypt sensitive communications over insecure networks such as the Internet with Virtual Private Network (VPN) software. Encrypt web sites to protect sensitive communications such as login credentials and remote e-mail access.

Restrict access to sensitive information to employees with a need-to-know. In other words, distribution should be limited to those who need access in performance of their duties. Remind employees that all sensitive documentation is subject to the non disclosure agreement signed upon date of hire.

Where possible, facilitate creation, viewing and modification of sensitive information with a content management system (e.g. Livelink). In the example above, the file lost its data classification once separated from the e-mail used to distribute it. Separate copies of the file were also created. In addition to access control, content management systems provide versioning functionality. This helps maintain data integrity by saving backups of previous file versions. “Check out” functionality prevents more than one person from editing a document at a time. Content management systems also provide auditing functions which can be useful during an investigation.

If your budget does not allow for content management software, share files on network drives or in a Microsoft Exchange public folder. Ensure that the appropriate permissions are set to control read and write access.

Sensitive documents must be thoroughly destroyed. Hard copy documents should be shredded. Place shredder machines in common areas. Delete sensitive files from temporary directories and the Recycle Bin (Microsoft operating systems). Physically destroy any electronic media used to store sensitive information before discarding it.

Become familiar with the rules and regulations governing retention of information at each site. Investigate retention laws for accounting paperwork, e-mail, audit files and logs.

Disclosure of sensitive information is a security incident and should be treated as such. Upon notification of a disclosure, the information security team should conduct a formal investigation, resulting in an incident report. Consider how the event occurred, potential damages and how it can be prevented in the future.

The data security program must be maintained in order to be effective. Keep up with changes in organizational structure, procedures and technology. Reinforce policy with a security awareness program. Educate employees about the dangers of information leaks (e.g. social engineers and sensitive information at the bottom of an e-mail). Finally advise them that unauthorized disclosure may be subject to disciplinary action, up to and including termination of employment.

It will take time for employees to adjust to a structured method of safeguarding sensitive information. Explain the rationale for increased security measures in common sense terms. As the saying goes “an ounce of prevention is worth a pound of cure".

Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission