Safeguarding Sensitive Information - An Ounce of Prevention
T. Rasmussen - CISSP, CISA, CISM, CFSO, SCSA
Disclosure of sensitive information can cause severe damage
to an organization. In the absence of clearly defined policies
and procedures, disclosures will occur. Organizations must
create and maintain a program for effectively protecting sensitive
information throughout its lifecycle. A data security policy
should detail how sensitive information is labeled, stored,
distributed and destroyed. The fast operations tempo of the
workplace and the complexity of systems contribute to disclosures.
The data security program must account for this, with minimal
impact on productivity.
As sensitive information is produced, the author must assign
a data classification to it. Basic commercial classifications
include: Public, Personal, Internal Use Only and Confidential.
Classification is needed so that everyone knows how an information
asset should be protected. Without classifications, data
is not safeguarded appropriately and disclosure occurs.
For example, an e-mail is sent warning that an attached
file is for internal use only. The recipient saves the document
to a personal drive. Over time, the recipient forgets that
the document is sensitive and sends it to an external party.
This type of disclosure can be prevented with the use of
Internal Use Only classification in the document header
and footer. Classification makes it possible to reduce the
cost of safeguards by deploying them based on sensitivity
of information rather than a shotgun approach.
Systems and their respective backup tapes should also be
classified based on the sensitivity of data stored within.
When not in use, sensitive documents must be stored under
lock and key. At no time should sensitive documentation
be left unattended. When sensitive information is stored
in digital form, use strong encryption on network drives
and in databases. Sensitive files must also be encrypted
when stored in non-secure locations such as a hotel room.
are a few ways to protect digital assets using encryption:
Use WinZips AES encryption to protect one or many
files. The WinZip archive can then be sent by e-mail or
saved to portable media such as a floppy or writable CD-ROM.
If you want to encrypt the hard drive of a laptop, consider
PGP, F-Secure or Authenex. Authenex provides additional
security by requiring the use of a USB token in conjunction
with a password. This is referred to as two-factor authentication
(something you know and something you have). eWallet password
management software offers both workstation and PDA versions.
sensitive information calls for layered protection. Consider
controlling access with Two Person Integrity (TPI). TPI
requires two people to access a given asset. For example,
a TPI bank vault requires two separate combinations to open.
Hard copy documents must be controlled at all times. Once
a document is removed from storage, it must be kept in the
physical possession of an authorized employee. When transporting
sensitive documentation, ensure that it is protected from
view by unauthorized personnel. When transporting documents
off-site, seal them in an envelope marked with street address
and phone number.
is an absolute requirement when transporting sensitive documentation
in digital format. This includes portable media and laptop
computers. Encrypt sensitive communications over insecure
networks such as the Internet with Virtual Private Network
(VPN) software. Encrypt web sites to protect sensitive communications
such as login credentials and remote e-mail access.
Restrict access to sensitive information to employees with
a need-to-know. In other words, distribution should be limited
to those who need access in performance of their duties.
Remind employees that all sensitive documentation is subject
to the non disclosure agreement signed upon date of hire.
possible, facilitate creation, viewing and modification
of sensitive information with a content management system
(e.g. Livelink). In the example above, the file lost its
data classification once separated from the e-mail used
to distribute it. Separate copies of the file were also
created. In addition to access control, content management
systems provide versioning functionality. This helps maintain
data integrity by saving backups of previous file versions.
Check out functionality prevents more than one
person from editing a document at a time. Content management
systems also provide auditing functions which can be useful
during an investigation.
your budget does not allow for content management software,
share files on network drives or in a Microsoft Exchange
public folder. Ensure that the appropriate permissions are
set to control read and write access.
documents must be thoroughly destroyed. Hard copy documents
should be shredded. Place shredder machines in common areas.
Delete sensitive files from temporary directories and the
Recycle Bin (Microsoft operating systems). Physically destroy
any electronic media used to store sensitive information
before discarding it.
familiar with the rules and regulations governing retention
of information at each site. Investigate retention laws
for accounting paperwork, e-mail, audit files and logs.
Disclosure of sensitive information is a security incident
and should be treated as such. Upon notification of a disclosure,
the information security team should conduct a formal investigation,
resulting in an incident report. Consider how the event
occurred, potential damages and how it can be prevented
in the future.
The data security program must be maintained in order to
be effective. Keep up with changes in organizational structure,
procedures and technology. Reinforce policy with a security
awareness program. Educate employees about the dangers of
information leaks (e.g. social engineers and sensitive information
at the bottom of an e-mail). Finally advise them that unauthorized
disclosure may be subject to disciplinary action, up to
and including termination of employment.
will take time for employees to adjust to a structured method
of safeguarding sensitive information. Explain the rationale
for increased security measures in common sense terms. As
the saying goes an ounce of prevention is worth a
pound of cure".
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission