SP-013: Data Security Pattern
All modern organisations handle and manage information, including personal data, as part of their business. Demand from citizens and regulators, together with the widespread automation and outsourcing trends of the last 10-20 years, has placed greater emphasis on data security. Maintaining appropriate levels of data security requires a holistic approach to security across the organisation and through the supply chain. Key controls that must be considered include:
- Awareness and Training
- Risk Assessment including Classification (RA-02 Security Categorisation)
- Identification and Authentication to facilitate data access by appropriate individuals or roles
- System and Communication protection to ensure that the data is stored, processed, and transmitted securely.
Data security can be defined as the maintenance of Confidentiality and Integrity for data processed by the organisation (for this pattern we do not focus on the third element of the CIA triad, Availability). Scenarios where the owner of the data does not have detailed control over the architecture and the management of controls, for example outsourcing, can increase risks to data. Solid data handling and processing practices can help mitigate these risks:
- An organisational culture that properly values, protects and uses data, both in the planning and delivery of services (tone from the top is key)
- Strong and clear accountability mechanisms, recognising that the data owner (often an organisational unit) is best placed to understand and address risks to their information, including personal data
- Performance measures for the level of data security achieved, to build confidence and ensure that lessons are learned and shared
- Define clear policies that are simple to understand and use (involve the owners as needed)
- Control the extended enterprise, understand what your suppliers are doing and control as necessary
- Provide a consistent, universal training framework
- Take a lifecycle perspective for data and employees
A Data Classification scheme is often used to help understand which controls are needed for the data types processed by the organisation. The scheme is defined based on the legal, regulatory and business requirements that the organisation must adhere to. Common schemes have 3 or 4 levels, for example: Public/Unclassified (e.g. marketing materials), Internal Use (information shared within the organisation or with suppliers, e.g. the intranet), Confidential/Private (sensitive information, e.g. credit card details or medical history) and Secret (market-sensitive information, e.g. year-end results, or the secret recipe for Coca-Cola).
Principles for data security (adapted from Poynter 2008):
While standards exist for controls around processes (NIST 800-53, ISO 27002) and there are principles around data protection in regulations such as the Data Protection Act, there are no general principles to govern how an organisation should approach data security. Poynter sets out ten principles that we believe have broader applicability.
- Data about an entity (be it an individual or a business) belongs to that entity. It can be entrusted to other parties but always remains the property of the entity to which it refers.
- It follows that it is the responsibility of the entity to maintain its own data.
- Data becomes information when it has value. This typically happens through context and through aggregation. The ambition should be never to lose or allow undesired access to information. Key to this is segregation, i.e. separating out data when it is stored, and designing jobs and the systems that support them to require a minimum of information.
- An organisation should hold the minimum data required to perform its functions, and this includes the retention period for which it holds data. It should not, for instance, hold data that it can get elsewhere, but it should routinely make use of other sources of data that improve its ability to tailor its services to its customers.
- An organisation should hold data about entities once: it should move to a single customer record for individuals and a single customer record for businesses.
- Effective information security requires both service provider and customer to play their part. Organisations should have the powers to specify secure methods of exchanging data with their customers, starting with businesses and over time including individuals.
- Organisations should have regard to external sources of guidance on information security such as the Data Protection legislation and the guidance given to the financial services sector by the FSA.
Data security measures should be focused on the area of biggest risk, data transfer. It follows that:
- Transfers of digital data involving physical media should be minimised.
- Paper-based communications should be rationalised as to content and frequency, with a long-term plan of substantially eliminating them.
- Computers (and, in the short term, any removable media) should be encrypted so that if they are lost or stolen any data or information on them cannot be accessed.
Technical Design approaches
It makes a lot of sense to keep data in secure areas of your organisation, such as the data centre, rather than on laptops or other devices that will be carried in public areas. Thin client technologies, such as browser-based or terminal sessions, allow access to applications while keeping the data within the data centre, and can be configured to prevent local printing and storage.
If data does need to be stored on portable devices or on machines that are accessible from public areas, it should be encrypted (it often makes sense to do this for desktops as well, as it simplifies disposal requirements). Many regulations such as PCI also require encryption for credit card information that is stored on servers, and it is sensible to use encryption for sensitive data that is stored server side unless there are serious cost or performance considerations that require the use of alternative compensating controls.
Identification, authentication and authorisation controls are key to managing access to information on a need-to-know basis. Carefully consider how you will manage entitlements; common models such as Role Based Access Control (RBAC) give a structured way to link business roles to underlying rights in information systems.
Enterprise Content Management (ECM) tools can help to manage and classify data to ensure that the correct controls are applied depending on the sensitivity of the materials. For unstructured data types such as email, spreadsheets and word processor documents, Data Loss Prevention (DLP) tools will probably be of greater value. DLP tools can discover what data types are being transmitted and stored by the organisation's information systems, and then apply business rules to this data to determine where it can be stored, printed, or transmitted.
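The following is an added example, not part of the original pattern, that ties together the three technical pieces described above: the four-level classification scheme, RBAC entitlements, and DLP-style business rules on where each class may be stored, printed or transmitted. The levels, roles, discovery patterns and destination rules are all constructed for illustration, and the Luhn check is included to show how content discovery avoids treating every 16-digit number as a card number.

```python
from enum import IntEnum
import re

class Level(IntEnum):
    PUBLIC = 0        # e.g. marketing materials
    INTERNAL = 1      # e.g. intranet content
    CONFIDENTIAL = 2  # e.g. card details, medical history
    SECRET = 3        # e.g. year-end results

def luhn_ok(digits):
    """Luhn checksum: cuts false positives when discovering card numbers."""
    s = sum(int(d) if i % 2 == 0 else (int(d) * 2) % 10 + (int(d) * 2) // 10
            for i, d in enumerate(reversed(digits)))
    return s % 10 == 0

# Constructed discovery rules: card-number shape, plus keywords from the scheme's examples.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
KEYWORDS = [(re.compile(r"\b(medical history|diagnosis)\b", re.I), Level.CONFIDENTIAL),
            (re.compile(r"\byear[- ]end results\b", re.I), Level.SECRET)]

def discover(text):
    """Content discovery (DLP style): the highest level the text itself implies."""
    found = [lvl for rx, lvl in KEYWORDS if rx.search(text)]
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in PAN_RE.findall(text)):
        found.append(Level.CONFIDENTIAL)
    return max(found, default=Level.PUBLIC)

def classify(text, declared=Level.INTERNAL):
    """Effective label: a declared label may raise, but never lower, what discovery finds."""
    return max(declared, discover(text))

# RBAC: each business role maps to the highest classification it may handle (constructed).
ROLE_CLEARANCE = {"marketing": Level.PUBLIC, "staff": Level.INTERNAL,
                  "payments": Level.CONFIDENTIAL, "finance-director": Level.SECRET}
# DLP business rules: where each class may be stored, printed or transmitted (constructed).
ALLOWED = {
    Level.PUBLIC: {"datacentre", "laptop-encrypted", "usb", "print", "email-internal", "email-external"},
    Level.INTERNAL: {"datacentre", "laptop-encrypted", "print", "email-internal"},
    Level.CONFIDENTIAL: {"datacentre", "email-internal"},  # encrypted at rest, never printed
    Level.SECRET: {"datacentre"},                           # never leaves the data centre
}

def decide(role, text, destination, declared=Level.INTERNAL):
    """Need-to-know first (role clearance), then the destination rule for the effective label."""
    level = classify(text, declared)
    if ROLE_CLEARANCE.get(role, Level.PUBLIC) < level:  # unknown roles get least privilege
        return "deny", level, "role not cleared for " + level.name
    if destination not in ALLOWED[level]:
        return "deny", level, destination + " not permitted for " + level.name
    return "allow", level, "ok"
```

For example, `decide("payments", "Card 4111 1111 1111 1111", "email-external")` is denied because the content is discovered as Confidential, while the same text sent to "datacentre" by the same role is allowed.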
Typical challenges: management appetite; selling the approach within the organisation; keeping it simple and cutting through the complexity of the environment; building the right awareness and training campaign. Looking forward, the challenges to maintaining data security are likely to get harder. The pace of technological change is quickening. The level and sophistication of external threats, such as e-crime, is increasing. Improving services will mean greater use of data within organisations and more data sharing.
Indications: Organizations who process Personally Identifiable Information (PII), are in regulated sectors (Health, Finance, Government etc) or process commercially sensitive information.
Contra-indications: Publicly available information, freely available from many sources.
Resistance against threats: To be determined.
Poynter report (covering HMRC data losses and recommendations):
Hannigan report (covering Data Handling Procedures in Government):
Relevant technologies that underpin data security:
- DLP (Data Loss Prevention)
- Identity management (overview of ID management)
- RBAC (Role Based Access Control)
- Encryption (overview of encryption approaches)
Related patterns: Identity management.
Classification: Data Security.
Control details:
- AC-02 Account Management
- AC-03 Access Enforcement
- AC-04 Information Flow Enforcement
- AC-05 Separation Of Duties
- AC-06 Least Privilege
- AC-15 Automated Marking
- AC-16 Automated Labeling
- AC-20 Use Of External Information Systems
- AT-02 Security Awareness
- AT-03 Security Training
- CA-07 Continuous Monitoring
- CP-09 Information System Backup
- IA-02 User Identification And Authentication
- MP-02 Media Access
- MP-03 Media Labeling
- MP-04 Media Storage
- MP-05 Media Transport
- MP-06 Media Sanitization And Disposal
- PE-03 Physical Access Control
- PE-19 Information Leakage
- PL-05 Privacy Impact Assessment
- RA-01 Risk Assessment Policy And Procedures
- RA-02 Security Categorization
- RA-03 Risk Assessment
- RA-04 Risk Assessment Update
- SC-04 Information Remnance
- SC-07 Boundary Protection
- SC-08 Transmission Integrity
- SC-09 Transmission Confidentiality
- SC-13 Use Of Cryptography
- SI-09 Information Input Restrictions
- SI-10 Information Accuracy, Completeness, Validity, And Authenticity
- SI-12 Information Output Handling And Retention