Data security risk management can be broken down into the following seven steps:
• Protect Data-at-Rest. A combination of tools is required to protect stored data, ranging from the proper management of removable media and BYOD devices, to encryption, firewalls, and endpoint solutions. For backups and archived data, organizations should consider secure, offline storage. For online data that is irreplaceable, consider using media that cannot be overwritten.
• Protect Data-in-Transit. During transmission, data is at risk of man-in-the-middle interception and modification attempts. This includes VoIP communications. Encrypting traffic (using SSL/TLS protocols) can help guard against digital snooping.
• Manage Assets During Removal, Transfer, and Disposition. Data backups actually have fallen off a moving truck, companies routinely donate computers containing sensitive data, thieves have stolen unencrypted thumb drives from automobile glove compartments, and healthcare records have been discarded (and discovered) in dumpsters. The simple lesson from these data breaches? Data security is a lifecycle management issue.
• Separate Your Testing and Production Environments. Even if not separated physically, controls should be in place to prevent development and test activities from bleeding over and altering the company’s operational configurations. Processes should be in place, and actions documented, before transferring tested hardware and software into production. In addition, consider whether developers and testers are appropriately restricted from accessing sensitive data and from altering any technical controls within the operational system.
• Protect Against Data Leaks. Data Loss Prevention solutions, commonly referred to as DLP, can help your organization determine where within your network your most sensitive information is stored and whether it is trying to escape, and cut off data leaks before they happen. These solutions are particularly helpful in stopping inadvertent disclosures, and can educate users about proper data handling policies.
• Check the Integrity of Software, Firmware and Information. Ensuring accuracy and reliability boils down to three things: math, anomalies and audits. Cryptographic hashing is a powerful tool to test for data integrity across all file types. Meanwhile, it’s essential to ensure that configuration settings are monitored for change, and that security logs are turned on and reviewed.
• Ensure Availability through Adequate Capacity. Increasing your bandwidth may be helpful when legitimate users are clogging the system. However, you may need to line up a managed cloud-based DDoS protection solution if data and services must remain available against a sustained, hostile attack.
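As an added example, not code from the original article, the integrity step above (cryptographic hashing plus monitoring configuration for change) worked through in Python: a baseline of per-file digests is built, stored as JSON, and later compared against a fresh scan to report added, removed and modified files. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file, read in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline, current):
    """Classify drift between a stored baseline and a fresh scan of the same tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, change it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"placeholder binary")
        # In practice the baseline goes to offline or write-once media, so that
        # whoever can alter the monitored files cannot also rewrite the digests.
        stored = json.dumps(build_baseline(root))
        # Simulated changes: a config edit and an unexpected new file.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "extra.conf").write_text("added=true\n")
        return compare_baseline(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry under "modified" or "added" that does not match a documented change is the anomaly the audit step should pick up.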
Even though Data Security is only one of 22 NIST categories, there is no doubt that getting these steps right will also check off a lot of other boxes in the Framework. In addition, your efforts in this particular area are worth reassessing no less than annually, not simply because your company’s risk profile could change over the course of time, but because technology solutions most certainly will.