Once data has been classified and we know what types of sensitive data a system stores or processes, we have to locate the data we want to protect. Data exists in one of two states – it is either at rest or in transit. We have to ask two questions:
1) Where does the data live?
2) Where does the data go?
In this installment, we will focus on the first question. In part 5, we will focus on the second one.
Any data that is stored, even data stored in RAM during processing, is at rest. Data at rest can be found:
1) On hard drives, in the working file structure
2) On backup tapes or other backup media
3) On removable media, such as CDs, DVDs, floppy disks (remember those?), and USB storage devices
4) On “hard copy” – printed copies in file cabinets, in briefcases, in desk drawers, or in trash cans
5) On LAPTOPS, which are mobile devices with hard drives. This is a MAJOR concern – for obvious reasons. There will be an installment in this series devoted to laptop security.
6) On other portable devices, such as phones and PDAs. This is a growing concern. Gone are the days when the only concern was the contact list: smartphones are computers that can make phone calls, and the data they carry must be included in the Information Management Plan.
These are the areas of concern in most business environments. We should be aware, though, that data at rest can also be found in some other places. In highly secure environments, we also have to concern ourselves with data:
1) On hard drives, in “non-working” file structures, such as temporary files and the timed auto-save copies that applications write
2) On hard drives, outside the file structure – in files that have been “deleted” from the file system but whose contents remain on disk until the sectors are reused, in the unused tail of clusters that still holds remnants of earlier files (the “slack space”), and in hibernation and page (swap) files.
3) In memory while it is being processed.
4) In fax memory.
When the system includes servers, workstations, multiple faxes and printers, and many users, documenting all these locations can be a substantial task.
In order to more effectively manage and protect sensitive data, we want to consolidate it into as few locations as possible. The more we can reduce the number of folders or directories that contain sensitive data, the more easily we can control access and apply encryption where appropriate. This is one of the BEST reasons for installing a server and maintaining all user data on server shares.
If sensitive data cannot be consolidated onto shares on a single computer, this should at least be done on each individual computer. All sensitive data should be consolidated into one or more folders to which access is controlled. Files requiring encryption should be consolidated into encrypted folders or volumes. Access controls and encryption will be discussed in later installments of this series.
All of this requires careful planning, documentation, and review.
Individuals will still require access to unencrypted data to do their jobs, and this always presents a risk that they will intentionally or unintentionally copy this data to locations other than those designated. There are four controls that we can use to mitigate this risk:
1) Education, training, and awareness – everyone has to be aware of data classifications, the importance of protecting sensitive data, and the methods used.
2) Policies – written policies MUST be in place to ensure that EVERYONE knows what is and is not acceptable use of systems and what procedures must be followed. Effective policies include signed acknowledgments and consequences for failure to comply.
3) Endpoint security – software, or operating-system policy, can be employed to limit or prohibit the use of USB devices, mobile devices, and removable media.
4) Information audits – periodic scans of hard drives and other devices should be done to check for the defined types of sensitive information outside of the designated locations.
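As an added example (this is not code from the original post), the information audit in item 4 above can be scripted. The Python below walks a tree, skips the folders designated to hold sensitive data, and reports files elsewhere that contain what looks like a US Social Security Number or a payment card number (Luhn-checked to cut down on false positives). The same byte-level matcher is then run over a raw disk image, which illustrates the earlier point about “deleted” files and slack space: the file table may list nothing, but the bytes are still on the sectors. The patterns, folder names, and sample numbers are all constructed for the demonstration.

```python
"""
Added example, not code from the original post: a small "information audit"
scanner. It walks a tree, skips the folders designated to hold sensitive data,
and reports files elsewhere that contain what looks like a US SSN or a payment
card number (Luhn-checked to cut false positives). The same byte-level matcher
is run over a raw disk image, which is how data "deleted" from the file system
or left in slack space is still found. File names and numbers are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Two sample data classes; tune or extend these for your own classification.
# SSN: nnn-nn-nnnn, excluding area numbers that are never issued (000, 666, 9xx).
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card number: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; nearly all payment card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(data: bytes) -> list:
    """Return (kind, offset) for every SSN or Luhn-valid card number in a buffer."""
    hits = [("ssn", m.start()) for m in SSN_RE.finditer(data)]
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("pan", m.start()))
    return hits


def scan_tree(root: Path, designated: list) -> list:
    """(relative file, kind, offset) for sensitive data found OUTSIDE designated folders."""
    root = root.resolve()
    allowed = [(root / d).resolve() for d in designated]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if any(here == a or a in here.parents for a in allowed):
            dirnames[:] = []          # approved location: do not descend
            continue
        for name in filenames:
            path = here / name
            try:
                data = path.read_bytes()   # whole file; chunk large files in practice
            except OSError:
                continue
            for kind, off in find_sensitive(data):
                findings.append((path.relative_to(root).as_posix(), kind, off))
    return findings


def scan_raw_image(image: bytes, sector: int = 512) -> list:
    """(kind, sector number) for matches anywhere in a raw image, allocated or not."""
    return [(kind, off // sector) for kind, off in find_sensitive(image)]


def run_demo() -> dict:
    """Build a constructed sample tree plus a fake 4 KiB disk image, then audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "shares/finance").mkdir(parents=True)
        (root / "users/dennis/Temp").mkdir(parents=True)
        # Designated location: allowed to hold the SSN, so not reported.
        (root / "shares/finance/payroll.txt").write_bytes(b"SSN 123-45-6789\n")
        # Stray copy in a temp folder: SSN plus a Luhn-valid test card number.
        (root / "users/dennis/Temp/~payroll.tmp").write_bytes(
            b"copy: 123-45-6789 card 4111 1111 1111 1111\n")
        # A phone number and a Luhn-invalid digit string: no findings expected.
        (root / "users/dennis/notes.txt").write_bytes(
            b"call 304-555-0100, order 4111111111111112\n")
        tree = scan_tree(root, designated=["shares/finance"])

    # Fake disk image: the "file table" (first sector) lists nothing, yet a
    # later sector still holds the bytes of a deleted record.
    image = bytearray(4096)
    image[0:16] = b"FILETABLE:EMPTY\n"
    image[1024:1024 + 23] = b"deleted 555-12-3456 rec"
    return {"tree": tree, "image": scan_raw_image(bytes(image))}


if __name__ == "__main__":
    for section, hits in run_demo().items():
        print(section, hits)
```

Run against a real share or a raw image (`dd` output, for instance) by calling `scan_tree` or `scan_raw_image` with your own designated folders and patterns; the offsets it reports are what you hand to whoever has to clean up or re-home the stray copy.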
As we can see, the answer to “Where does the data live?” can be fairly complex. In the next installment, we will look at the second question – “Where does the data go?”
Dennis H in West Virginia, US
December 16, 2009