Data Protection Guide PDF

Summary

This document discusses data protection: categorizing data by sensitivity (commercial and government classification levels) and outlining data ownership roles and responsibilities. It also covers the three data states and how each is protected, regulated and other data types, data sovereignty and geofencing, data security methods (encryption, hashing, masking, tokenization, obfuscation, segmentation, permission restriction), and data loss prevention (DLP) systems.

Full Transcript

Section 7 – Data Protection

Data Protection
o Safeguarding information from corruption, compromise, or loss

Types of Data Classifications
o Based on the value to the organization and the sensitivity of the information, determined by the data owner

Importance of Data Classification
o Helps allocate appropriate protection resources
o Prevents over-classification to avoid excessive costs
o Requires proper policies to identify and classify data accurately

Commercial Business Classification Levels
o Public
  ▪ No impact if released; often publicly accessible data
o Sensitive
  ▪ Minimal impact if released, e.g., the organization's financial data
o Private
  ▪ Contains internal personnel or salary information
o Confidential
  ▪ Holds trade secrets, intellectual property, source code, etc.
o Critical
  ▪ Extremely valuable and restricted information

Government Classification Levels
o Unclassified
  ▪ Generally releasable to the public
o Sensitive but Unclassified
  ▪ Includes medical records, personnel files, etc.
o Confidential
  ▪ Information whose unauthorized disclosure could reasonably be expected to cause damage to national security
o Secret
  ▪ Holds data like military deployment plans and defensive postures; unauthorized disclosure could cause serious damage to national security
o Top Secret
  ▪ Highest level; unauthorized disclosure could cause exceptionally grave damage to national security

Legal Requirements
o Depending on the organization's type, there may be legal obligations to retain specific data for defined periods

Documentation
o Organizational policies should clearly outline data classification, retention, and disposal requirements

Note: Understanding data classifications and their proper handling is vital for protecting sensitive information and complying with relevant regulations

Data Ownership Roles
1. Data Ownership
   a. Process of identifying the individual responsible for maintaining the confidentiality, integrity, availability, and privacy of information assets
2. Data Owners
   a. A senior executive responsible for labeling information assets and ensuring they are protected with appropriate controls
3. Data Controllers
   a. Entity responsible for determining the purposes and methods of data collection, storage, and use, and for ensuring the legality of that processing
4. Data Processors
   a. A group or individual engaged by the data controller to assist with tasks like data collection and processing
5. Data Custodians
   a. Responsible for managing the systems on which data assets are stored, including enforcing access controls, encryption, and backup measures
6. Data Stewards
   a. Focus on data quality and metadata, ensuring data is appropriately labeled and classified, often working under the data owner
7. Privacy Officer
   a. Oversees privacy-related data, such as Personally Identifiable Information (PII), Sensitive Personal Information (SPI), or Protected Health Information (PHI), ensuring compliance with legal and regulatory frameworks
8. Data Ownership Responsibility
   a. The IT department (CIO or IT personnel) should not be the data owner; data owners should be individuals from the business side who understand the data's content and can make informed decisions about its classification
9. Selection of Data Owners
   a. Data owners should be designated within their respective departments based on their knowledge of the data and its significance within the organization
10. Note: Proper data ownership is essential for maintaining data security, compliance, and effective data management within an organization. Different roles contribute to safeguarding and managing data appropriately

Data States
a. States
   1. Data at rest
      i. Data stored in databases, file systems, or storage systems, not actively moving
      ii. Encryption Methods
          Full Disk Encryption (FDE)
          o Encrypts the entire hard drive
          Partition Encryption
          o Encrypts specific partitions, leaving others unencrypted
          File Encryption
          o Encrypts individual files
          Volume Encryption
          o Encrypts a logical volume (a container holding selected files or directories)
          Database Encryption
          o Encrypts data stored in a database at the column, row, or table level
          Record Encryption
          o Encrypts specific fields within a database record
   2. Data in transit (Data in Motion)
      i. Data actively moving from one location to another, vulnerable to interception
      ii. Transport Encryption Methods
          SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
          o Secure communication over networks, widely used in web browsing and email
          o All SSL versions and TLS 1.0/1.1 are deprecated; new deployments should require TLS 1.2 or 1.3 and verify the server certificate and hostname
          VPN (Virtual Private Network)
          o Creates secure connections over less secure networks like the internet
          IPSec (Internet Protocol Security)
          o Secures IP communications by authenticating and encrypting IP packets
   3. Data in use
      i. Data actively being created, retrieved, updated, or deleted
      ii. Protection Measures
          Encrypting at the Application Level
          o Encrypts data during processing
          Access Controls
          o Restricts access to data during processing
          Secure Enclaves
          o Isolated environments for processing sensitive data
          Mechanisms like Intel Software Guard Extensions (SGX)
          o Encrypt data in memory to prevent unauthorized access, even by a privileged operating system
b. Note: Understanding the three data states (data at rest, data in transit, and data in use) and implementing appropriate security measures for each is essential for comprehensive data protection
c. Data at rest can be protected by encryption, data in transit can be protected by communication tunneling protocols, and data in use can be protected by encryption at the application level
d. Protection Methods
   1. Disk encryption
   2. Communication tunneling
   3. Encryption at the Application Level

Data Types
a. Examples
   1. Regulated Data
      i. Information controlled by laws, regulations, or industry standards
      ii. Personally Identifiable Information (PII)
          Any information that can be used to identify an individual
      iii. Protected Health Information (PHI)
          Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual; regulated under the Health Insurance Portability and Accountability Act (HIPAA)
   2. Trade Secrets
      i. Type of confidential business information that provides a company with a competitive edge
   3. Intellectual Property
      i. Creations of the mind such as inventions, literary and artistic works, designs, and symbols
      ii. Unauthorized use of intellectual property can lead to legal action
   4. Legal Information
      i. Includes any data related to legal proceedings, contracts, or regulatory compliance
   5. Financial Information
      i. Includes data related to an organization's financial transactions, such as sales records, invoices, tax documents, and bank statements
   6. Human vs. Non-Human Readable Data
      i. Human Readable Data
         Information that can be understood by humans without the need for a machine or software
      ii. Non-Human Readable Data
         Information that requires a machine or software to interpret

Data Sovereignty
o Information is subject to the laws and governance structures of the nation in which it is collected
o Refers to the concept that digital information is subject to the laws of the country in which it is located
o Geographical Considerations
  ▪ Location of data storage and processing can significantly impact businesses
o Geographical Restrictions (Geofencing)
  ▪ Involves setting up virtual boundaries to restrict data access based on geographic location

Secured Data Methods
1. Geographical Considerations
   o Location of data storage and processing can significantly impact businesses
2. Geographic Restrictions (Geofencing)
   o Involves setting up virtual boundaries to restrict data access based on geographic location
3. Encryption
   o Fundamental data security method that transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and an encryption key
4. Hashing
   o Technique that converts data into a fixed-size string of numeric or alphanumeric characters known as a hash value
   o Often used to store sensitive data like passwords; passwords should be hashed with a per-user salt and a deliberately slow password-hashing function (e.g., bcrypt, scrypt, or Argon2), not a plain fast hash such as MD5 or SHA-1
5. Masking
   o Involves replacing some or all of the data in a field with a placeholder such as "X" to conceal the original content
6. Tokenization
   o Replaces sensitive data with non-sensitive substitutes known as tokens; the mapping from token back to the original value is held only in a separately secured token vault
7. Obfuscation
   o Involves making data unclear or unintelligible, making it difficult for unauthorized users to understand
8. Segmentation
   o Involves dividing a network into separate segments, each with its own security controls
9. Permission Restriction
   o Involves defining who has access to specific data and what they can do with it

Data Loss Prevention (DLP)
o Strategy to prevent sensitive information from leaving an organization
o Set up to monitor data while it is in use, in transit, or at rest in order to detect any attempts to exfiltrate it
o Endpoint DLP System
  ▪ Software installed on a workstation or laptop that monitors the data in use on that computer
o Network DLP System
  ▪ A software or hardware solution placed at the perimeter of the network to detect data in transit
o Storage DLP System
  ▪ Software installed on a server in the data center that inspects data while it is at rest on the server
o Cloud-Based DLP System
  ▪ Usually offered as software-as-a-service and integrated with the cloud service and storage
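The following is an added example (not part of the original notes) that ties the Secured Data Methods list to the DLP section: a storage-style DLP content scan that finds payment card numbers (PANs) in constructed sample records, then applies three of the methods above so their differences are visible. Masking is lossy and irreversible; tokenization is reversible but only through the vault; hashing is one-way, shown here for a password with a per-password salt using scrypt (chosen as a stand-in for any slow password hash). The regex, the Luhn check, the TokenVault class, and the SAMPLE_RECORDS are assumptions made for this example; standard library only.

```python
"""
Added example: PAN detection (DLP content inspection) followed by masking,
tokenization, and salted hashing. Standard library only.
"""
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Weeds out digit runs that are not card numbers, such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalized (digits-only) PANs that pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Masking: irreversible; keeps only the last four digits for reference."""
    return "X" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenization (hypothetical in-memory vault): the token is random and
    carries no information about the PAN; only the vault can map it back."""

    def __init__(self) -> None:
        self._by_value: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
            self._by_value[pan] = token
            self._by_token[token] = pan
        return self._by_value[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hashing: one-way. scrypt with a random per-password salt, so equal
    passwords yield different digests and brute force is deliberately slow."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Constructed sample: a support-ticket export that a storage DLP agent might
# inspect. 4111 1111 1111 1111 is a well-known Luhn-valid test number; the
# 16-digit order reference fails Luhn and must not be flagged.
SAMPLE_RECORDS = [
    "ticket=101 customer paid with card 4111 1111 1111 1111 exp 12/27",
    "ticket=102 order ref 1234567890123456, no payment data",
    "ticket=103 refund to 4111-1111-1111-1111 approved",
]


def dlp_scan(records: List[str], vault: TokenVault) -> List[dict]:
    """Report each PAN hit with its masked and tokenized forms. The raw PAN is
    deliberately absent from the report so the alert itself does not leak it."""
    findings = []
    for idx, line in enumerate(records):
        for pan in find_pans(line):
            findings.append({
                "record": idx,
                "masked": mask_pan(pan),
                "token": vault.tokenize(pan),
            })
    return findings


if __name__ == "__main__":
    vault = TokenVault()
    for finding in dlp_scan(SAMPLE_RECORDS, vault):
        print(finding)
    salt, digest = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", salt, digest))
```

Note that the same PAN in tickets 101 and 103 maps to the same token, which is what lets downstream systems correlate records without ever holding the card number; the vault is the single place that needs the strongest controls. A real DLP policy would add further detectors (SSNs, API keys, classification labels) and a response action (block, quarantine, alert) beyond the reporting shown here.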
