CISSP Establish Information and Asset Handling Requirements – Bk1D2T7

Establish Information and Asset Handling Requirements

There are combinations of physical, administrative, and technical controls that assist security professionals in establishing the asset handling requirements for sensitive information and valued assets. Procedures such as marking, handling, declassification, and storage are used to securely inventory and manage sensitive data, physical media, and computing resources.

Marking and Labeling

Marking is a procedure to place descriptions in plain view directly on the asset that a person can read, indicating distribution limits, handling caveats, and applicable security levels (if any) of the information contained on the asset. Another term for this process is labeling, because the handling information marked on the asset is most effective when grouped together and easily accessed on a label or a physical tag affixed to the asset.


Tip    An effective label should contain the title of the protected asset, the data owner, the sensitivity level of the information, the date of encryption, and the retention period.

With a label in plain view, it is much easier to identify the importance of data itself and manage the assets to assure availability, confidentiality, and integrity based on classification levels.


Note    Marking and labeling of public data or unclassified information for handling purposes helps to keep security efficient and cost-effective. For example, if an unmarked data asset is found, a handling decision must be made. The best practice is to apply the highest marking or label until the data can be determined as not sensitive or proprietary. Until the situation is resolved, the elevated handling requirements cause more costs for the organization.

Handling

The policies and procedures of an organization provide rules for the handling of each category of information at the appropriate level of sensitivity throughout the lifetime of the asset. Handling rules for information should cover the access, transfer, and storage of sensitive data.

It is important to maintain a consistent process for handling throughout the entire data lifecycle. The use of manual logs to track access to media is useful when automated access tracking is infeasible. Employee awareness and training regarding responsibilities for proper handling of sensitive information is imperative. Training should include warnings about becoming complacent about handling instructions. It is likely that, over time, employees handling even the most restricted information will become complacent, and data loss may be the result. The insider threat of an employee leaving the organization with a thumb drive or accessing sensitive information in a public coffee shop happens when employees become indifferent about policy and procedure.

In cases of assets that are not physical entities, such as data stored on magnetic tape, digital marking is a process to use. Take, for instance, a database or proprietary blueprint for an information system. To mark this type of asset, when the asset is transferred or printed, a digital mark can be used to identify classification that maps to handling procedures. Sometimes the digital marking takes the form of a watermark or a notation in the header or footer of the printout. The mark can also be coded into the metadata of a file for transfer.


Tip    Data loss prevention (DLP) systems are aided by using digital markings, as sensitive information can be more easily identified before it leaks out of an organization.
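As an added illustration (not code from the page or from any product it mentions), the digital-marking and DLP ideas above on a constructed document object: the label fields from the Tip are written into file metadata, an unmarked document is handled at the highest level as the Note recommends, and a simple DLP check reads the mark before an external transfer. The level names, the `Document` class, and the transfer policy are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date

# Handling levels in ascending order of sensitivity (constructed for this example).
LEVELS = ["public", "internal", "confidential", "restricted"]
DEFAULT_LEVEL = "restricted"  # unmarked assets get the highest marking until resolved

@dataclass
class Document:
    title: str
    body: str
    metadata: dict = field(default_factory=dict)  # the digital mark lives here

def mark(doc: Document, level: str, owner: str, retention_days: int) -> Document:
    """Write the label fields (title, owner, sensitivity, date, retention) into metadata."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    doc.metadata.update({
        "title": doc.title,
        "owner": owner,
        "classification": level,
        "marked_on": date.today().isoformat(),
        "retention_days": retention_days,
    })
    return doc

def effective_level(doc: Document) -> str:
    """Missing or unrecognised mark: handle at the highest level."""
    level = doc.metadata.get("classification")
    return level if level in LEVELS else DEFAULT_LEVEL

def banner(doc: Document) -> str:
    """Header/footer line stamped on printouts or transfers."""
    return (f"--- {effective_level(doc).upper()} | owner: {doc.metadata.get('owner', 'unknown')}"
            f" | retain {doc.metadata.get('retention_days', '?')} days ---")

def dlp_allow_transfer(doc: Document, destination: str) -> bool:
    """Constructed policy: internal transfers are always allowed; only 'public'
    material may go to an external destination."""
    if destination == "internal":
        return True
    return LEVELS.index(effective_level(doc)) <= LEVELS.index("public")
```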

Declassifying Data

Before an asset is moved toward destruction in the asset management lifecycle, the asset may still have value but is no longer classified at the original level. An organization must have a process to declassify data. When data sensitivity changes from confidential to public, for example, marking, handling, and storage requirements have to be adjusted accordingly. If declassifying does not happen, excessive and costly controls remain in place.

The declassification of assets is a process that requires documentation, the delineation of levels of approval, and integration with asset retention and destruction policies for a comprehensive approach to asset protection. The data owner plays a central role in this process, as they determine the classification level of the data and when it can change. There should be a data governance process within the organization to determine whether there will be a manual review adjustment of data classifications. The organization could opt to automate the process using rules and applications to find and reclassify the data.

The rules may be based on the occurrence of a specific date or event as determined by the data owner or the expiration of a maximum time frame. Methods to declassify assets include altering the data to remove or obfuscate identifying or sensitive elements of the data. A few of these methods are described in the following sections: de-identification, obfuscation, anonymization, and tokenization.


De-identification/Obfuscation/Anonymization

To protect data, particularly when used for testing applications and storing databases, a general control for maintaining confidentiality is to de-identify or anonymize the data. This process involves taking any personally identifying data fields and converting them to masked, obfuscated, encrypted, or tokenized data fields. For instance, the Name data field may change from the actual name to “XXXXX” under a masked process or “53326” under anonymization. Some data fields in a database may remain clear text or the actual values. Fields like address, race, or date of birth may still be useful for analytics even if the personally identifiable information is de-identified. If encryption is used, a re-identification key is required to decrypt the database. No matter what process is used to de-identify the data, guidelines must be followed to keep the data from being easily re-identified by combining data fields or guessing the algorithm used to anonymize the data.

Data Tokenization

Tokenization is a specific form of de-identification that has been around for as long as there have been ciphers. However, it has gained popularity as security threats have changed and technical controls like encryption have become vulnerable because of attacks such as credential theft. Tokenization is the process of substituting a sensitive data element with a nonsensitive set of characters or numbers. Usually, the token, or the value of the replaced data set, has the same field length as the data that was replaced.

The token is not meaningful in relationship to the original data. In other words, unlike encryption, the token cannot be reengineered back to the value in clear text. A lookup table is used as a re-identification key. The original data and re-identification keys are stored securely, separately from the production system and the original data system.
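The de-identification section and the tokenization section above, worked through on one constructed customer record as an added example (not code from the page): the Name field is masked to X's, the customer ID becomes a keyed numeric pseudonym so the mapping cannot be reproduced by guessing the algorithm, the SSN is replaced by a random token of the same length held in a separate lookup table (the re-identification key), and analytic fields stay in clear text. The field names, the format-preserving digit layout of the token, and the HMAC-based pseudonym are choices made for this example.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Lookup table that maps tokens back to originals: the re-identification key.
    Kept separate from the production data store (here just a separate object).
    Tokens are random, so no value can be recovered from a token without the vault."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:          # same original always yields the same token
            return self._to_token[value]
        while True:
            # Same field length and layout as the replaced value: digits re-drawn,
            # separators such as '-' kept (constructed format-preserving choice).
            token = "".join(secrets.choice("0123456789") if c.isdigit() else c
                            for c in value)
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]         # KeyError if the vault never issued it

def mask(value: str) -> str:
    """Masking: replace every character with 'X' (the page's "XXXXX" example)."""
    return "X" * len(value)

def pseudonym(value: str, key: bytes, digits: int = 5) -> str:
    """Keyed anonymization: a stable numeric ID (e.g. "53326"). Without the key the
    mapping cannot be reproduced by guessing the algorithm."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

def deidentify(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Build the copy that may go to test or analytics systems."""
    return {
        "name": mask(record["name"]),
        "customer_id": pseudonym(record["customer_id"], key),
        "ssn": vault.tokenize(record["ssn"]),
        "dob": record["dob"],                # analytic fields left in clear text
        "zip": record["zip"],
    }
```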

Destruction

If the asset is media or computing equipment, the declassification process will include secure erase or destruction by one of the methods mentioned earlier in this chapter. Corporate policy must address roles and responsibilities for declassifying media. Only after proper secure erasure procedures are followed and validated can the asset be reused. Too often, incomplete asset erasure has led to reuse of assets where sensitive data was remnant or recoverable. In many organizations, the risk of improper secure erase and reuse is too high. In those organizations, destruction of media and computing equipment, rather than reuse, is the only acceptable final declassification step.

Once an asset is destroyed, documentation of the disposal must be collected and maintained according to organizational information asset security management policy that aligns with regulatory and legal mandates.

Storage

When sensitive information was all paper-based, information storage security was as simple as keeping assets locked up and behind adequate physical barriers. With digital information stored in data centers, on removable hard drives, on mobile phones, and in the cloud, asset storage is complicated. In the digital age, there are too many easy ways for stored data to be stolen, leaked inadvertently because of mismanagement, or accessed by unauthorized individuals through identification credential theft.

A primary consideration for secure asset storage of digital information is encryption. Sensitive data at rest should most likely be encrypted. Depending on the storage solution used, such as NAS or SANs, the additional concern for storage will be the location and safeguarding of encryption keys. Access and authorizations for storage also have to be managed by security controls.

An additional consideration for secure storage is limiting the volume of data retained. Along with data deduplication, making sure to only store data that is needed reduces risk to the organization as well as cost. In terms of risk, limitations on data storage also improve disaster recovery and business continuity because access to data on short notice is more feasible if excess data does not impinge on the overall recovery process.

Summary

In any organization, the most important assets are most likely found in the IT and data inventory. Protection of these assets is incredibly important to security professionals as well as executive leadership, governing boards, and customers of these organizations. Because of the sensitivity and value of these assets, governments and industries across the globe have put legislation and regulation in place to protect them. Along with the loss of revenue or recovery costs if assets are lost or stolen, significant privacy concerns exist when sensitive assets are mismanaged. This chapter covers a great many of the important concepts and guiding principles a security practitioner is expected to know and implement in their daily work. Beginning with constructing asset management policy, the organizational policy must be informed by prevailing law, directives, and best practices but be customized to each organization’s mission and unique risk profile. The process for asset management will include multiple stakeholders within the organization, so roles and responsibilities must be clearly documented and people should be trained adequately. In terms of asset recovery and business resiliency, periodic testing of the processes is required.

At the core of asset management are the standards and frameworks that have been developed by industry experts and cohorts of practitioners that should be used to build the asset management program in an organization. The choice of standards or frameworks and the individual security controls put in place to protect confidentiality, integrity, and availability of assets will also differ from one organization to the next. How a security practitioner will scope and tailor asset management controls depends on measuring and evaluating risk based on variables such as legal jurisdiction, industry, and considerations like compensating and alternative controls. Keep in mind, security controls work best when working together, not managed independently. The proper acquisition, inventorying, monitoring, and security management of assets in organizations around the world is a significant undertaking.

Information systems are highly interconnected and dependent on each other, information is valuable and requires protection, and the impact of doing it wrong can be disastrous to an organization. Not to mention that unauthorized access to personal information may have a life-changing impact on the affected individuals who suffer from credit problems or the harm of identity theft. Security professionals have to master the proper security management of information through proper marking, storing, handling, and destruction of assets within their organizations to minimize risk and protect the assets.
