One of the common mistakes organizations make is to focus on the technologies rather than protecting the organization’s sensitive data. Certainly, protecting devices is a necessary task but it’s the data that counts. There are no device breach notification laws. There are a lot of data breach notification laws so it’s only logical that organizations focus on data security first. General steps for handling sensitive data management include:
“A continuous monitoring defense strategy that tracks outbound traffic from your network is a very effective way to respond to data exfiltration”
• Identifying data types that are protected by criminal, civil, regulatory laws
• Locating where these data files are stored
• Identifying the data owner who controls access to that data
•Protecting the data using business process and technology
Monitoring all traffic involving sensitive data especially outbound traffic
Let’s examine each of these steps. We start with identifying the data types that are protected by laws and/or regulations. A good place to start is with your state’s data breach notification law(s). For example, the Commonwealth of Virginia’s data breach notification law (COVA Title 18.2-186.6) identifies the following as personal information that requires notification if exposed inappropriately:
"Personal information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:
1. Social security number;
2. Driver's license number or state identification card number issued in lieu of a driver's license number; or
3. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.
The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Our organization has a standard that basically says any file including databases that contains social security number, credit card number, passport number, driver’s license number, bank or credit account numbers that must be encrypted at rest or in transit. Regulatory laws describe specific security practices for data types such as credit cards (PCI), student records (FERPA), and classified research (ITAR). If any of your data falls under these or other regulatory umbrellas, you have additional requirements governing the storage and transmission of these data types.
The next step is to find where these data types are located in your organization. There are commercial and freeware tools that can help you in this search. Commercial products such as Spirion formerly IdentityFinder, Varonis, Digital Island and freeware products such as Find_SSNs can be used to find files on computers that contain sensitive information. This is a very complex task and can surprise you with where such data is located. Individuals tend to be “digital packrats” because they tend to never delete files on the belief that “I might need it later”. Pretty soon, files that are over 10 years old may be found on company desktops.
Once found, you should ask “do you still need to use this (these) file(s) for your job?” If so, protect the file using encryption tools. If not, delete the file(s). The next step is to consolidate all of the sensitive data files you find. There are all sorts of options such as private or public cloud services, offline storage, and column encryption of database records.
Data owners (trustees) or their designees determine who has permission to access data types. Data owners (trustees) should be C-level, VP or director level employees and be familiar with the protection requirements applied to their data. Some examples of Data Owners and the data they manage are:
• Chief Financial Officer (CFO) – all company financial data
• VP of Human Resources (HR) – all company HR data
• A sample approval process might look something like this.
• A business unit purchases a software payroll application that needs to access the company’s financial and HR data.
The IT Security Office evaluates the security of the application using vendor security questionnaires, application vulnerability scanning, and interviews. The office prepares a recommendation for the data owner
The data owner uses the ITSO recommendations along with other information in order to approve or deny access to the HR and financial data.
Encryption technologies are an example of protecting the sensitive data elements. There are a wide variety of commercial and freeware encryption tools ranging from Veracrypt, built-in Microsoft Office Encryption, Acrobat PDF encryption, Microsoft Rights Management System (RMS), Varonis, etc. Encryption solutions can become complicated if your sensitive data needs to be sent outside of your organization. In this case, you need to find a solution that will work in two very distinct environments.
A continuous monitoring defense strategy that tracks outbound traffic from your network is a very effective way to respond to data exfiltration. Determine which business processes handle sensitive data and find out where and how they send this data within and outside of your network. Profiling this traffic and its destinations is a good first step in the continuous monitoring process. IT threat intelligence services are an example of helping you identify potentially hazardous (to your company’s health) data traffic. Remember any traffic (encrypted or not) bound for known suspicious domains is bad and should be interrupted as soon as possible.
I’ve described a few examples of a general sensitive data protection process. A more rigorous and auditable approach is to use the Center for Internet Security (CIS)’s 20 Critical Controls as an operational plan for implementing your sensitive data protection strategy. These controls map to well-known security frameworks and standards. Some of the controls that would apply to the steps mentioned in this article include:
Control 1 – inventory of authorized and unauthorized devices
Control 2 – inventory of authorized and unauthorized software
Control 5 – controlled use of administrative privileges
Control 13 – data protection
Control 16 – account monitoring and control
Control 18 – application software security
Remember, you can’t protect what you can’t find. Data owners determine the access to data under their control with the IT Security office providing technical recommendations. The security office should not be the final arbiter of who has access to data.