Part 3: Guidelines for Protecting Data
Since staff members and, in some cases, external stakeholders interact with each classification of data in different ways, different levels of control are needed for each. As a result, it is useful to establish data protection guidelines for each category in an organization's data classification scheme. The exact guidelines will differ from one organization to another, but some considerations for each category are outlined below.
Protecting Public Data
Since public data is by definition accessible to the public, no access restrictions should be put in place. However, such data should still be properly secured against unauthorized modification or destruction. Servers running a public-facing website, for example, should be configured with strong protections against unauthorized system access and denial-of-service attacks, which could lead to the alteration, destruction, or unavailability of published public data. While in most cases the loss of the data itself would not be a catastrophic event, the resulting reputational harm could be highly problematic, long-lasting, and costly — if not impossible — to repair.
Protecting Sensitive Data
Sensitive data includes most organizationally-produced documents, files, emails, and other materials essential for day-to-day operations — the types of materials that should be restricted outside of an organization. Even so, unauthorized access to such materials would not cause irreparable harm to that organization.
Sensitive data should follow all of the guidelines for protecting public data as a starting point. In addition, robust access controls should exist to ensure that only authorized users (identified by their name, role, or group membership) have access to sensitive data. Access control systems should adopt a “default deny” posture, with access rights such as read, write, modify, or delete then granted according to clearly defined business needs.
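As an added illustration of the default-deny posture described above (example code, not part of the original guidelines; the classification tiers follow this document, while the role names, file paths, grants and principals are constructed), a small policy check that permits a request only when an explicit grant matches, treats public data as world-readable but not world-writable, and records every decision for audit:

```python
from dataclasses import dataclass, field
from enum import Enum

class Classification(Enum):
    PUBLIC = "public"
    SENSITIVE = "sensitive"
    CONFIDENTIAL = "confidential"

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset  # role/group memberships, e.g. frozenset({"staff"})

@dataclass
class Resource:
    path: str
    classification: Classification
    grants: dict = field(default_factory=dict)  # right -> roles; absent = denied

AUDIT_LOG = []  # (who, path, right, decision, reason) per check

def is_allowed(principal, resource, right):
    """Default deny: True only when an explicit rule permits the request."""
    who = principal.name if principal else "anonymous"
    # Public data is readable by anyone, but changing or deleting it still
    # needs an explicit grant: integrity is protected even when confidentiality is not.
    if resource.classification is Classification.PUBLIC and right == "read":
        decision, reason = True, "public data is world-readable"
    elif principal is None:
        decision, reason = False, "anonymous access to non-public data"
    elif principal.roles & set(resource.grants.get(right, ())):
        decision, reason = True, f"explicit '{right}' grant for a held role"
    else:
        decision, reason = False, "no matching grant (default deny)"
    AUDIT_LOG.append((who, resource.path, right, decision, reason))
    return decision

# Constructed sample data: hypothetical paths, roles and principals.
WEBSITE = Resource("/www/index.html", Classification.PUBLIC,
                   {"write": {"webmaster"}, "delete": {"webmaster"}})
BUDGET = Resource("/shared/budget.xlsx", Classification.SENSITIVE,
                  {"read": {"staff"}, "write": {"finance"}})
PAYROLL = Resource("/hr/payroll.db", Classification.CONFIDENTIAL,
                   {"read": {"hr"}, "write": {"hr"}})
ALICE = Principal("alice", frozenset({"staff", "finance"}))
BOB = Principal("bob", frozenset({"staff"}))
```

Note that a right with no grant entry at all (such as delete on the budget file) is denied for everyone, which is the behaviour a default-deny policy should have by construction rather than by remembering to add a deny rule.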
Sensitive data should not be stored on hardware or cloud services that are not owned, operated, or contracted by the organization. It is important to note the distinction here between organizationally licensed services and individuals using the same cloud-based services under personal accounts. For example, the use of personal Dropbox accounts to store sensitive data puts organizations at significant risk, as the organization then has no audit trail or controls whatsoever over the confidentiality and integrity of data held in such services. From a practical perspective, in the case of an emergency, files and other data stored in personal accounts cannot be restored or accessed by management or the IT department.
On the other hand, if an organization chooses to license a service such as Dropbox, Google Drive, or OneDrive for enterprise-wide cloud-based document storage, such licenses should include provisions establishing organizational ownership and control over materials stored on these systems, as well as the technical and organizational controls employed by the service provider.
Protecting Confidential Data
Confidential data should follow all of the guidelines for protecting sensitive data as a starting point. In addition, strong controls against unauthorized access and modification are needed to ensure the security of these files. Confidential data must be encrypted at all times, whether at rest or in motion. Data at rest, such as data stored on an organization's laptop or smartphone, should be protected using full-disk encryption (FDE) to prevent the exposure of data in the event that the device is lost or stolen. Remote access to confidential data must be encrypted using strong network-level protocols such as Transport Layer Security (TLS), or by the use of a Virtual Private Network (VPN).