Published: 17 Jul 2008
| Information flows through business processes in an orderly fashion; security must flow right along with it.
These time-tested resources don't necessarily help the CISO gain a grasp of the integrated flow of data and how to secure it. Enterprise executives don't think in silos; they look at business processes and flows. And this is how CISOs should examine data--as a lifecycle from birth to death, and as it resides within business processes. It is a business cycle to be reviewed, analyzed and contended with.
Similar to an economic value-add analysis methodology, the data lifecycle security model (PDF below) shows how data is collected, classified, stored, used, retained and ultimately destroyed. It shows process, transition and a business flow.
Consider prohibiting the collection of Social Security numbers, protected health information (as explained in HIPAA), complete credit card numbers and other sensitive data unless absolutely necessary for the performance of business. And, if you absolutely need this information, then be sure to encrypt, or at least look at truncation practices.
Ultimately you need to think about the consequences to you as CISO and the business if this data were ever lost or breached. Will you be able to explain why this data was collected in the first place?
The data classification process and development of this area is well researched and discussed in many security forums. However, the consideration to put into play is simplicity and ease of implementation. Key players should include the data owner, data custodian, legal department and the CISO. It's important to consider a simpler process where there are only a limited number of classifications, including:
The CISO should also work with legal to prepare a marking standard, which states how a document should be marked and how classifications can be changed if necessary.
With each classification you should establish detailed handling, storage and disposal requirements that weave security into the data lifecycle.
Handling and Storage
This element of the lifecycle includes electronic transmission of data as well as physical.
For instance, considerations for data protection might include SSL or Transport Layer Security (TLS) tunneling, encryption of email and attachments, and email content filtering or blocking.
Physical transportation failures can be minimized by encrypting all media in transit (i.e., backup tape encryption), tracking the media as it moves from point to point, and receipt management so the enterprise is assured the data is received when and where expected. Most state data breach notification laws also relieve the enterprise of the notification mandate if the lost or misplaced information is encrypted.
A key consideration here is to also ensure that contractual controls with the physical transportation company are in play, including indemnification of the enterprise should the courier lose the data in transit. Although indemnification is not necessarily a compliance issue, it certainly reflects an organization's due care and attitude toward its fiduciary duties to protect the company.
Manipulation, Conversion or Alteration
For instance "data personalization," aka "personal data collection projects," substantially increases the risk profile for the organization. As an example, an employee may be accumulating information from various company databases and screenshots for personal use, such as his or her own phone list or roster, or for future projects. Here the data lifecycle is seriously disrupted and sensitive data can wind up on users' workstations, USB drives, and even at their homes, regardless if the intent is positive and for the good of the corporation.
Controls to consider in this space are technical controls to prevent data flowing external to the enterprise unless it is encrypted, such as data leak prevention technology; email content review and management; and a draconian thought of prohibition of personally owned portable media.
Administrative controls could also include policies and procedures on how data should and should not be used or collected by individual employees. Rules forbidding use of company computers for employee off-hours activities may be necessary. Of course, focus on the first step--data collection--would help minimize this risk, too.
The data lifecycle needs to ensure that data is effectively and appropriately retained so that data can be readily located and held for these discovery requirements. However, you also want to ensure that data is destroyed at the appropriate time to ensure that surprises are minimized during the discovery process when data thought to be "dead" or gone surfaces.
This is actually another area that can be fraught with problems for the CISO if not done completely and with the appropriate controls. If data is to be eliminated, then it must be fully destroyed and not left in any post-destruction residual. You don't want to hear about your surplus equipment being full of sensitive data now in the open market. Some key practices to consider:
One thought experiment is to map the "risk value" of each lifecycle stage. No empirical evidence necessarily supports this mapping, but it can be used to show the relative risks encountered when you look at data lifecycle security in the enterprise.
The biggest risk is the data manipulation, conversion or alteration stage. Since it is so easy for an individual to copy and collect data for other uses, data gets distributed throughout the enterprise and cannot be easily controlled. And the risk can be significant if the data is moved offsite, to a home computer, placed on an unencrypted USB drive, etc.
The flow of data is a new way to guide security professionals' focus, time and energy. They can look at new ways to not only protect the data, but also use this as a way to communicate risks and issues to executive management.
Also, this data lifecycle security approach can be a new way to build a security program, procedures and strategy. And it may be a new way to justify expense in critical areas of the organization, including security, legal and operations.