January 27, 2014

2.2.6 Implement policies and procedures to prevent data loss or theft

There is no “one size fits all” solution to information security. Security controls should be designed to fit the risk, and they should be backed by a robust set of policies and procedures and a well-trained user and staff base.

Data loss or theft is a risk that every organization carries. The usual response is to conduct a risk analysis and then apply appropriate risk management strategies.

A risk analysis identifies the risks and plans the mitigation techniques that will manage them. Risk identification starts with a systematic inventory of all assets, followed by a catalog of the vulnerabilities and threats against each asset. For example, the company’s Internet-facing web site is vulnerable if it is not isolated in a DMZ, and its backend database is vulnerable if it is not stored on a redundant storage array. The corresponding threats are attackers modifying the web pages and data loss from disk failure.

Vulnerabilities range from a lack of physical security to missing system and security updates. Threats include external attackers and malicious insiders, system failures, fraud, misconfiguration, and improper exposure of private information.

Once a threat has been identified and analyzed, the next step is to assess its impact on the organization. That impact may include damage to reputation, financial loss, compliance violations, lost productivity and revenue, safety, and employee morale.

Once the threats have been identified and their impact assessed, the next step is to prioritize them by impact and probability of occurrence. Loss of some types of data is more damaging than loss of others: client financial information and other personally identifiable information (PII) warrant more stringent protection than posts on a public distribution list.

The next step is to choose and deploy an appropriate risk mitigation technique for the threat, in this case data loss or theft. The technique chosen depends on the impact of the threat. For example, the ISO/IEC 27001 standard provides a catalog of controls for managing and protecting the organization’s valuable information assets.

“ISO/IEC 27001 is a management framework for protection of business-critical information.”
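The steps above (inventory assets, catalog vulnerabilities and threats per asset, rate impact and likelihood, prioritize, pick a treatment) are easiest to follow as a small risk register. The following is an added example, not part of the original post or of ISO/IEC 27001: the asset names, the Level scale, the IMPACT_FLOOR rule that raises the impact of anything classified as PII or financial data, and the treatment thresholds are all constructed assumptions for illustration.

```python
"""Minimal risk register for data-loss/theft threats (added example).

Walks the procedure from the text: list assets, record the vulnerability and
threat pairs against each one, rate likelihood x impact, sort by score and
assign a treatment. All names, ratings and thresholds below are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Level(IntEnum):
    """Qualitative 1..4 scale used for both likelihood and impact (assumed)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Threat:
    description: str       # what could happen (defacement, disk failure, ...)
    vulnerability: str     # the weakness that makes it possible
    likelihood: Level      # probability of occurrence
    impact: Level          # impact as entered by the analyst


@dataclass
class Asset:
    name: str
    data_class: str        # assumed labels: "PII", "financial", "public"
    threats: List[Threat]


# Assumed policy: loss of PII or financial data is never rated below HIGH,
# because of the compliance and reputation impact described in the text.
IMPACT_FLOOR = {"PII": Level.HIGH, "financial": Level.HIGH, "public": Level.LOW}


@dataclass
class RiskEntry:
    asset: str
    threat: str
    likelihood: Level
    impact: Level
    score: int
    treatment: str


def effective_impact(asset: Asset, threat: Threat) -> Level:
    """Impact as entered, raised to the floor for the asset's data class."""
    return max(threat.impact, IMPACT_FLOOR.get(asset.data_class, Level.LOW))


def treatment_for(score: int) -> str:
    """Assumed thresholds on the 1..16 likelihood x impact grid."""
    if score >= 8:
        return "mitigate now"
    if score >= 4:
        return "mitigate (planned)"
    return "accept and monitor"


def prioritize(assets: List[Asset]) -> List[RiskEntry]:
    """Score every asset/threat pair and return them highest risk first."""
    entries = []
    for asset in assets:
        for t in asset.threats:
            impact = effective_impact(asset, t)
            score = int(t.likelihood) * int(impact)
            entries.append(RiskEntry(asset.name, t.description, t.likelihood,
                                     impact, score, treatment_for(score)))
    # Highest score first; ties broken by asset and threat name so the
    # report order is stable between runs.
    entries.sort(key=lambda e: (-e.score, e.asset, e.threat))
    return entries


def report(entries: List[RiskEntry]) -> List[str]:
    """One printable line per register entry."""
    return [f"{e.score:>2}  {e.treatment:<19} {e.asset}: {e.threat} "
            f"(L={e.likelihood.name}, I={e.impact.name})" for e in entries]


# Constructed sample register, following the examples given in the text.
SAMPLE_REGISTER = [
    Asset("Internet-facing web site", "public", [
        Threat("web page defacement by external attacker",
               "web server not isolated in a DMZ", Level.HIGH, Level.MEDIUM),
        Threat("data loss from disk failure",
               "backend database not on redundant storage", Level.MEDIUM, Level.HIGH),
    ]),
    Asset("client financial records", "PII", [
        Threat("insider copies records to a USB drive",
               "unrestricted removable media", Level.HIGH, Level.MEDIUM),
    ]),
    Asset("public mailing-list archive", "public", [
        Threat("archive copied by an outsider",
               "no access restriction (intended)", Level.HIGH, Level.LOW),
    ]),
]


if __name__ == "__main__":
    for line in report(prioritize(SAMPLE_REGISTER)):
        print(line)
```

Running it puts the insider/USB threat at the top even though the analyst rated its impact MEDIUM, because the PII floor lifts it to HIGH (score 9); the two web site threats tie at 6, and the public archive scores 3 and is simply accepted. That ordering is the point of the prioritization step: the mitigation budget goes to the removable-media control before the DMZ and storage work.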

Protections, screenings and defenses are well established on ingress: a user entering the organization’s network is challenged by firewalls, anti-virus software and passwords. Similar measures should be in place on egress. When data, or the user carrying it, leaves the organization, security controls should ensure that the data is not compromised, including:
  • encryption and passcode – protect the data so that even if it is stolen it cannot be (easily) accessed
  • physical security – employ security guards, security monitors, badges and coded keypad entry
  • secure removable media – laptops, flash drives and other removable media should be controlled so they cannot be used to carry data out of the organization inappropriately
  • backup solution – in case of data loss and/or corruption, it is important to have a known good source for restoration
  • training and education – encourage users and staff to be part of the solution to data theft and loss prevention